Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp1073600imm; Wed, 6 Jun 2018 10:02:12 -0700 (PDT) X-Google-Smtp-Source: ADUXVKLztEqvW544hVGF6Y+iJq1Np2nxfXUKks8h0PQRQA/woqyAijkFrGRkGxdKhBBP5dcIOKmZ X-Received: by 2002:a65:640d:: with SMTP id a13-v6mr1445979pgv.154.1528304532371; Wed, 06 Jun 2018 10:02:12 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1528304532; cv=none; d=google.com; s=arc-20160816; b=HybW7iQ+mfEUelW3J3tqBjoOp4K8kwMJPdPg5b0fQEKNCcELE8HxuoyWFUIynVPK9z 6vW8eeO5bezXj3SwH/XVbQaRBbXlc0f8gGHlUugozqs3svryIk+2dQMb8NxDiMQE8efZ 0Tphklv+/Aj5HELNBuYOkCb9KafvSKrEUodtjOat2XJpMbsNIhDT7Mab55YSR0H3Lsiz QDakkIvHK2My7MFSloBQwxqbonBjE4SQ2CAeuq+Ekgkubtb6YfRCH/6kCx9T91a5n9Nq LJJ2i2cLVGSofa6OcuiMSjnFfquMQTZvNf3ElMwVwRJFIvbbQS4i62JlKtT/V4xULM7V qMWA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=4PAjDZLva3VM0OMgpK2WuEvLNa8Eep+//J9qxTqZzxE=; b=eVG7K54Y4zi3q6YBLHO1c/x1XMG/aM8cvjDkIowScTz8ijxSw0ADt1GPdt3C/Zg1wP sODlHWsPCs9CEL/7o8dHPXrzoV6TSJDDhKadoHlGqeqsmztmUpWqiGoNlYTG+842Kuj3 RZSfOTmj/FKeilQx5yxZUWaF0K4UHJXrqwUt65WeM+WXaDAWSL0l321J+zK+bQOBh6zj pSmRrCgUa04qEWgvu+J/538pJndoZpRNeVK9iFz62G9S2sjRTfIcfSv5ngnpFnraXNH3 BAtd/iQogoZDBgeHU5WLwDVGdc0SRZ2Psfow7CufwvD5SIvNOXnfbaD3ZbS/T1Vcg07/ V0HQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b7-v6si52012999pla.26.2018.06.06.10.01.54; Wed, 06 Jun 2018 10:02:12 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933600AbeFFRBG (ORCPT + 99 others); Wed, 6 Jun 2018 13:01:06 -0400 Received: from mx3-rdu2.redhat.com ([66.187.233.73]:47008 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S932821AbeFFRBD (ORCPT ); Wed, 6 Jun 2018 13:01:03 -0400 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 40FEC818A6A6; Wed, 6 Jun 2018 17:01:02 +0000 (UTC) Received: from madcap2.tricolour.ca (ovpn-112-57.rdu2.redhat.com [10.10.112.57]) by smtp.corp.redhat.com (Postfix) with ESMTP id 07BD86B590; Wed, 6 Jun 2018 17:00:47 +0000 (UTC) From: Richard Guy Briggs To: cgroups@vger.kernel.org, containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List , linux-fsdevel@vger.kernel.org, LKML , netdev@vger.kernel.org Cc: luto@kernel.org, jlayton@redhat.com, carlos@redhat.com, viro@zeniv.linux.org.uk, dhowells@redhat.com, simo@redhat.com, eparis@parisplace.org, serge@hallyn.com, ebiederm@xmission.com, Richard Guy Briggs Subject: [RFC PATCH ghak90 (was ghak32) V3 03/10] audit: add containerid support for ptrace and signals Date: Wed, 6 Jun 2018 12:58:30 -0400 Message-Id: <29359e0e6bc34c74b3a2c3ce0cdfda77f530cf18.1528304204.git.rgb@redhat.com> In-Reply-To: References: In-Reply-To: References: X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.8]); Wed, 06 Jun 2018 17:01:02 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.8]); Wed, 06 Jun 2018 17:01:02 +0000 (UTC) for IP:'10.11.54.5' DOMAIN:'int-mx05.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'rgb@redhat.com' RCPT:'' Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Add audit container identifier support to ptrace and signals. In particular, the "op" field provides a way to label the auxiliary record to which it is associated. Signed-off-by: Richard Guy Briggs --- include/linux/audit.h | 11 +++++------ kernel/audit.c | 13 +++++++------ kernel/audit.h | 2 ++ kernel/auditsc.c | 21 ++++++++++++++++----- 4 files changed, 30 insertions(+), 17 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index 4e1e34e..ab50985 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -34,6 +34,7 @@ struct audit_sig_info { uid_t uid; pid_t pid; char ctx[0]; + u64 cid; }; struct audit_buffer; @@ -152,9 +153,8 @@ extern void audit_log_key(struct audit_buffer *ab, extern int audit_log_task_context(struct audit_buffer *ab); extern void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk); -extern int audit_log_contid(struct task_struct *tsk, - struct audit_context *context, - char *op); +extern int audit_log_contid(struct audit_context *context, + char *op, u64 contid); extern int audit_update_lsm_rules(void); @@ -205,9 +205,8 @@ static inline int audit_log_task_context(struct audit_buffer *ab) static inline void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk) { } -static inline int audit_log_contid(struct task_struct *tsk, - struct audit_context *context, - char *op) +static inline int audit_log_contid(struct audit_context *context, + char *op, u64 contid) { } #define audit_enabled 0 #endif /* CONFIG_AUDIT */ diff --git a/kernel/audit.c b/kernel/audit.c index 5e150c6..ba304a8 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -142,6 +142,7 @@ struct audit_net { kuid_t audit_sig_uid = INVALID_UID; pid_t audit_sig_pid = -1; u32 audit_sig_sid = 0; +u64 audit_sig_cid = AUDIT_CID_UNSET; /* Records can be lost in several ways: 0) [suppressed in audit_alloc] @@ -1437,6 +1438,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) memcpy(sig_data->ctx, ctx, len); security_release_secctx(ctx, len); } + sig_data->cid = audit_sig_cid; audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0, sig_data, sizeof(*sig_data) + len); kfree(sig_data); @@ -2050,23 +2052,22 @@ void audit_log_session_info(struct audit_buffer *ab) /* * audit_log_contid - report container info - * @tsk: task to be recorded * @context: task or local context for record * @op: contid string description + * @contid: container ID to report */ -int audit_log_contid(struct task_struct *tsk, - struct audit_context *context, char *op) +int audit_log_contid(struct audit_context *context, + char *op, u64 contid) { struct audit_buffer *ab; - if (!audit_contid_set(tsk)) + if (!cid_valid(contid)) return 0; /* Generate AUDIT_CONTAINER record with container ID */ ab = audit_log_start(context, GFP_KERNEL, AUDIT_CONTAINER); if (!ab) return -ENOMEM; - audit_log_format(ab, "op=%s contid=%llu", - op, audit_get_contid(tsk)); + audit_log_format(ab, "op=%s contid=%llu", op, contid); audit_log_end(ab); return 0; } diff --git a/kernel/audit.h b/kernel/audit.h index 214e149..1cf1c35 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -147,6 +147,7 @@ struct audit_context { kuid_t target_uid; unsigned int target_sessionid; u32 target_sid; + u64 target_cid; char target_comm[TASK_COMM_LEN]; struct audit_tree_refs *trees, *first_trees; @@ -329,6 +330,7 @@ extern void audit_log_d_path_exe(struct audit_buffer *ab, extern pid_t audit_sig_pid; extern kuid_t audit_sig_uid; extern u32 audit_sig_sid; +extern u64 audit_sig_cid; extern int audit_filter(int msgtype, unsigned int listtype); diff --git a/kernel/auditsc.c b/kernel/auditsc.c index a3c946c..cface9d 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -113,6 +113,7 @@ struct audit_aux_data_pids { kuid_t target_uid[AUDIT_AUX_PIDS]; unsigned int target_sessionid[AUDIT_AUX_PIDS]; u32 target_sid[AUDIT_AUX_PIDS]; + u64 target_cid[AUDIT_AUX_PIDS]; char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN]; int pid_count; }; @@ -1456,21 +1457,27 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts for (aux = context->aux_pids; aux; aux = aux->next) { struct audit_aux_data_pids *axs = (void *)aux; - for (i = 0; i < axs->pid_count; i++) + for (i = 0; i < axs->pid_count; i++) { + char axsn[sizeof("aux0xN ")]; + + sprintf(axsn, "aux0x%x", i); if (audit_log_pid_context(context, axs->target_pid[i], axs->target_auid[i], axs->target_uid[i], axs->target_sessionid[i], axs->target_sid[i], - axs->target_comm[i])) + axs->target_comm[i]) + || audit_log_contid(context, axsn, axs->target_cid[i])) call_panic = 1; + } } if (context->target_pid && - audit_log_pid_context(context, context->target_pid, + (audit_log_pid_context(context, context->target_pid, context->target_auid, context->target_uid, context->target_sessionid, - context->target_sid, context->target_comm)) + context->target_sid, context->target_comm) + || audit_log_contid(context, "target", context->target_cid))) call_panic = 1; if (context->pwd.dentry && context->pwd.mnt) { @@ -1490,7 +1497,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts audit_log_proctitle(tsk, context); - audit_log_contid(tsk, context, "task"); + audit_log_contid(context, "task", audit_get_contid(tsk)); /* Send end of event record to help user space know we are finished */ ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE); @@ -2375,6 +2382,7 @@ void __audit_ptrace(struct task_struct *t) context->target_uid = task_uid(t); context->target_sessionid = audit_get_sessionid(t); security_task_getsecid(t, &context->target_sid); + context->target_cid = audit_get_contid(t); memcpy(context->target_comm, t->comm, TASK_COMM_LEN); } @@ -2402,6 +2410,7 @@ int audit_signal_info(int sig, struct task_struct *t) else audit_sig_uid = uid; security_task_getsecid(current, &audit_sig_sid); + audit_sig_cid = audit_get_contid(current); } if (!audit_signals || audit_dummy_context()) @@ -2415,6 +2424,7 @@ int audit_signal_info(int sig, struct task_struct *t) ctx->target_uid = t_uid; ctx->target_sessionid = audit_get_sessionid(t); security_task_getsecid(t, &ctx->target_sid); + ctx->target_cid = audit_get_contid(t); memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN); return 0; } @@ -2436,6 +2446,7 @@ int audit_signal_info(int sig, struct task_struct *t) axp->target_uid[axp->pid_count] = t_uid; axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t); security_task_getsecid(t, &axp->target_sid[axp->pid_count]); + axp->target_cid[axp->pid_count] = audit_get_contid(t); memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN); axp->pid_count++; -- 1.8.3.1