Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp4719691imm; Wed, 30 May 2018 10:35:53 -0700 (PDT) X-Google-Smtp-Source: ADUXVKIPgNG5l5jaFVzFFup6zaheKsBm5Rk9r0B3laUjWEfHJyYrXj23OfCSegMG4V7EfXSEOkdL X-Received: by 2002:a17:902:704c:: with SMTP id h12-v6mr3666915plt.269.1527701753602; Wed, 30 May 2018 10:35:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1527701753; cv=none; d=google.com; s=arc-20160816; b=MxlLsjJjb4vH94kSy0WgR48LkM2pJfKqr9V9FhxJFClgl3Tf4HUeLc8um5eJ7doBs5 Pxtn425xRkQFzJftKQrIUQjq8V/CqSV1l6pnLBNatPE4/hvt07TSMjal8ZEUOLkUXIvf zIX/2e/FxgLd1URqUPxQsfHnNogdzqEgnQc62viVZC4NLRDl2iAwdMe/JWvqngEkuzb8 TH6OVWwSDS1wNRQGw+dMCSbjxbv5iJ0+XYq5Unxw/anYCQq5gny2xb842jgJ1bwv7fOw eCrDQZCB0iB0uh0SfjqBTEuBvHR3IEOyLn44KE9I0PbUOpmvKw3p+Ng67GkNKzGCb+0O 5JpQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=8iXG0IHx2nn0bDs15jwByV0E3RAjppfTWnyjhvllLQM=; b=mFlNweYFV1wwGxALYpjqnxVwZx/Fui0NzpPEBW1e8NFzfGYQSHrqn7xx1rNBKTVe3D Dqay+Knt1m2RK8mDMwaUusraE/+FP/MYAFzy8k3G23ymxoa/T3CDZr0Ms3dJT57ph4EG dEy/DQF/ujlvTcb8R8JFL3tvXDGJFXRFNB75YyLyhBu6/XciBuAoPLEwmTMmvrE2p2VZ jlrgQ5aecdQ1TG3zJvMmcpvSPeAqHrOiTqRsDIqOFYsfiHTbwjsPdjHuzdfW5b+J4gZQ Wo5I5NnQB+u4i7uB7xTfQBSX6YYIVvZdjMoAJpnOcY9PAM3EpSZOxY/V+jMn5K+om6kR 1IxA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t5-v6si35362563plo.113.2018.05.30.10.35.39; Wed, 30 May 2018 10:35:53 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932112AbeE3RfB (ORCPT + 99 others); Wed, 30 May 2018 13:35:01 -0400 Received: from mx3-rdu2.redhat.com ([66.187.233.73]:39928 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1753730AbeE3Rek (ORCPT ); Wed, 30 May 2018 13:34:40 -0400 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id BADDF76F9F; Wed, 30 May 2018 17:34:39 +0000 (UTC) Received: from madcap2.tricolour.ca (ovpn-112-57.rdu2.redhat.com [10.10.112.57]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 9784883B76; Wed, 30 May 2018 17:34:27 +0000 (UTC) Date: Wed, 30 May 2018 13:33:28 -0400 From: Richard Guy Briggs To: Steve Grubb Cc: linux-audit@redhat.com, cgroups@vger.kernel.org, containers@lists.linux-foundation.org, linux-api@vger.kernel.org, linux-fsdevel@vger.kernel.org, LKML , netdev@vger.kernel.org, ebiederm@xmission.com, luto@kernel.org, jlayton@redhat.com, carlos@redhat.com, dhowells@redhat.com, viro@zeniv.linux.org.uk, simo@redhat.com, eparis@parisplace.org, serge@hallyn.com Subject: Re: [RFC PATCH ghak32 V2 00/13] audit: implement container id Message-ID: <20180530173328.v6e3tm2agze5kdcb@madcap2.tricolour.ca> References: <23151436.iBN3rkXKiY@x2> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <23151436.iBN3rkXKiY@x2> User-Agent: NeoMutt/20171027 X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.1]); Wed, 30 May 2018 17:34:39 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.1]); Wed, 30 May 2018 17:34:39 +0000 (UTC) for IP:'10.11.54.5' DOMAIN:'int-mx05.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'rgb@redhat.com' RCPT:'' Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2018-05-30 09:20, Steve Grubb wrote: > On Friday, March 16, 2018 5:00:27 AM EDT Richard Guy Briggs wrote: > > Implement audit kernel container ID. > > > > This patchset is a second RFC based on the proposal document (V3) > > posted: > > https://www.redhat.com/archives/linux-audit/2018-January/msg00014.html > > So, if you work on a container orchestrator, how exactly is this set of > interfaces to be used and in what order? It was designed keeping in mind the Virtuallization Manager Guest Lifecycle Events document. https://github.com/linux-audit/audit-documentation/wiki/SPEC-Virtualization-Manager-Guest-Lifecycle-Events The orchestrator would start setting things up and when it knows the PID of the conainer task but before that task has had a chance to thread or spawn children it registers the audit container ID via the /proc interface. After that, it consults audit for any events maching that ID. > Thanks, > -Steve > > > The first patch implements the proc fs write to set the audit container > > ID of a process, emitting an AUDIT_CONTAINER record to announce the > > registration of that container ID on that process. This patch requires > > userspace support for record acceptance and proper type display. > > > > The second checks for children or co-threads and refuses to set the > > container ID if either are present. (This policy could be changed to > > set both with the same container ID provided they meet the rest of the > > requirements.) > > > > The third implements the auxiliary record AUDIT_CONTAINER_INFO if a > > container ID is identifiable with an event. This patch requires > > userspace support for proper type display. > > > > The fourth adds container ID filtering to the exit, exclude and user > > lists. This patch requires auditctil userspace support for the > > --containerid option. > > > > The 5th adds signal and ptrace support. > > > > The 6th creates a local audit context to be able to bind a standalone > > record with a locally created auxiliary record. > > > > The 7th, 8th, 9th, 10th patches add container ID records to standalone > > records. Some of these may end up being syscall auxiliary records and > > won't need this specific support since they'll be supported via > > syscalls. > > > > The 11th adds network namespace container ID labelling based on member > > tasks' container ID labels. > > > > The 12th adds container ID support to standalone netfilter records that > > don't have a task context and lists each container to which that net > > namespace belongs. > > > > The 13th implements reading the container ID from the proc filesystem > > for debugging. This patch isn't planned for upstream inclusion. > > > > Feedback please! > > > > Example: Set a container ID of 123456 to the "sleep" task: > > sleep 2& > > child=$! > > echo 123456 > /proc/$child/containerid; echo $? > > ausearch -ts recent -m container > > echo child:$child contid:$( cat /proc/$child/containerid) > > This should produce a record such as: > > type=CONTAINER msg=audit(1521122590.315:222): op=set pid=689 uid=0 > > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 auid=0 tty=pts0 > > ses=3 opid=707 old-contid=18446744073709551615 contid=123456 res=1 > > > > Example: Set a filter on a container ID 123459 on /tmp/tmpcontainerid: > > containerid=123459 > > key=tmpcontainerid > > auditctl -a exit,always -F dir=/tmp -F perm=wa -F containerid=$containerid > > -F key=$key perl -e "sleep 1; open(my \$tmpfile, '>', \"/tmp/$key\"); > > close(\$tmpfile);" & child=$! > > echo $containerid > /proc/$child/containerid > > sleep 2 > > ausearch -i -ts recent -k $key > > auditctl -d exit,always -F dir=/tmp -F perm=wa -F containerid=$containerid > > -F key=$key rm -f /tmp/$key > > This should produce an event such as: > > type=CONTAINER_INFO msg=audit(1521122591.614:227): op=task contid=123459 > > type=PROCTITLE msg=audit(1521122591.614:227): > > proctitle=7065726C002D6500736C65657020313B206F70656E286D792024746D7066696C > > 652C20273E272C20222F746D702F746D70636F6E7461696E6572696422293B20636C6F73652 > > 824746D7066696C65293B type=PATH msg=audit(1521122591.614:227): item=1 > > name="/tmp/tmpcontainerid" inode=18427 dev=00:26 mode=0100644 ouid=0 > > ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE > > cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 > > type=PATH msg=audit(1521122591.614:227): item=0 name="/tmp/" inode=13513 > > dev=00:26 mode=041777 ouid=0 ogid=0 rdev=00:00 > > obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=0000000000000000 > > cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=CWD > > msg=audit(1521122591.614:227): cwd="/root" > > type=SYSCALL msg=audit(1521122591.614:227): arch=c000003e syscall=257 > > success=yes exit=3 a0=ffffffffffffff9c a1=55db90a28900 a2=241 a3=1b6 > > items=2 ppid=689 pid=724 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 > > sgid=0 fsgid=0 tty=pts0 ses=3 comm="perl" exe="/usr/bin/perl" > > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > > key="tmpcontainerid" > > > > See: > > https://github.com/linux-audit/audit-kernel/issues/32 > > https://github.com/linux-audit/audit-userspace/issues/40 > > https://github.com/linux-audit/audit-testsuite/issues/64 > > > > Richard Guy Briggs (13): > > audit: add container id > > audit: check children and threading before allowing containerid > > audit: log container info of syscalls > > audit: add containerid filtering > > audit: add containerid support for ptrace and signals > > audit: add support for non-syscall auxiliary records > > audit: add container aux record to watch/tree/mark > > audit: add containerid support for tty_audit > > audit: add containerid support for config/feature/user records > > audit: add containerid support for seccomp and anom_abend records > > audit: add support for containerid to network namespaces > > audit: NETFILTER_PKT: record each container ID associated with a netNS > > debug audit: read container ID of a process > > > > drivers/tty/tty_audit.c | 5 +- > > fs/proc/base.c | 53 ++++++++++++++++ > > include/linux/audit.h | 43 +++++++++++++ > > include/linux/init_task.h | 4 +- > > include/linux/sched.h | 1 + > > include/net/net_namespace.h | 12 ++++ > > include/uapi/linux/audit.h | 8 ++- > > kernel/audit.c | 75 ++++++++++++++++++++--- > > kernel/audit.h | 3 + > > kernel/audit_fsnotify.c | 5 +- > > kernel/audit_tree.c | 5 +- > > kernel/audit_watch.c | 33 +++++----- > > kernel/auditfilter.c | 52 +++++++++++++++- > > kernel/auditsc.c | 145 > > ++++++++++++++++++++++++++++++++++++++++++-- kernel/nsproxy.c | > > 6 ++ > > net/core/net_namespace.c | 45 ++++++++++++++ > > net/netfilter/xt_AUDIT.c | 15 ++++- > > 17 files changed, 473 insertions(+), 37 deletions(-) > > > > - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635