Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp1074512imm; Wed, 6 Jun 2018 10:02:49 -0700 (PDT) X-Google-Smtp-Source: ADUXVKJdkNUCFLJADiITYokxIBgQzt6lxUSSnzctdTuhuri45zIC4uqJpx0ZexNnAoxj6a/7YRpy X-Received: by 2002:a62:3d05:: with SMTP id k5-v6mr3262231pfa.122.1528304569051; Wed, 06 Jun 2018 10:02:49 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1528304569; cv=none; d=google.com; s=arc-20160816; b=MoAdnpHomwWnYOV3H5NneEq9aLfzJ64c/MQJ9FATkpsfhLCKqSm/N5FekdFdyD4cIL W0n5fAwxG679JO4yvBWsFCTcDSvVK5zRxLP8sMj7FT8X6DFGwBA/o8ZZrz8kYMx9OAF8 R+EkiJVMaNcPNC3yAjDpMUlAyVBx6JKRUeYIsfbTxXFIojqqT/lp1r5fzKiIVFKl0rok i9D+b4xBulbdpLXVVTdTg9PCwuZWy0+M6wTKG+3EHUQ8m/RGcBQNephOP7De02z6O220 FUOBQbnmdsEBULU5Y2fKUf1/SJUBXI9ocbMtWRS4F1qyYfivg55YfxckHVwg3M8Sr/31 oERg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=WeReSW8O97Me4poptwl9DMQl6ty9leja5GYRxzWPArg=; b=sGFpFbXx5xEbH4oObUdadNiXDfdBgkUhYtaHF9laXjXw22BRfs8biy5PWjF+VNOzeC FhpKF6qrAUbqJtAc/pWlx1XRbSXR0LgeojAGEIsk1sbMRQb3clduVXAoiFjenvTORAzR W2kW/thNQWy2iFAGa/SVXI2++hbI1Sa3mNhkeO74+09shUtKF3vwW6s5Pkph9znndzUx Ko6fja5NKj7AVK4NWki9dBFmMFge9zdpK1b4oDRjBpPy9kX0OR5Wa8XDUZeevbo5nEkc gYhrQAFXAIgIbWHDS2pFOsomBNl5+Ym6kPfNrfiTCDNWJPUUkgq4aLT3HSoMUptx3Clc ujfQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l3-v6si17497218pgp.345.2018.06.06.10.02.32; Wed, 06 Jun 2018 10:02:49 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933674AbeFFRBa (ORCPT + 99 others); Wed, 6 Jun 2018 13:01:30 -0400 Received: from mx3-rdu2.redhat.com ([66.187.233.73]:53238 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S933654AbeFFRB1 (ORCPT ); Wed, 6 Jun 2018 13:01:27 -0400 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id A558E4078352; Wed, 6 Jun 2018 17:01:26 +0000 (UTC) Received: from madcap2.tricolour.ca (ovpn-112-57.rdu2.redhat.com [10.10.112.57]) by smtp.corp.redhat.com (Postfix) with ESMTP id 25ECC64671; Wed, 6 Jun 2018 17:01:22 +0000 (UTC) From: Richard Guy Briggs To: cgroups@vger.kernel.org, containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List , linux-fsdevel@vger.kernel.org, LKML , netdev@vger.kernel.org Cc: luto@kernel.org, jlayton@redhat.com, carlos@redhat.com, viro@zeniv.linux.org.uk, dhowells@redhat.com, simo@redhat.com, eparis@parisplace.org, serge@hallyn.com, ebiederm@xmission.com, Richard Guy Briggs Subject: [RFC PATCH ghak90 (was ghak32) V3 06/10] audit: add containerid filtering Date: Wed, 6 Jun 2018 12:58:33 -0400 Message-Id: In-Reply-To: References: In-Reply-To: References: X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Wed, 06 Jun 2018 17:01:26 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Wed, 06 Jun 2018 17:01:26 +0000 (UTC) for IP:'10.11.54.5' DOMAIN:'int-mx05.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'rgb@redhat.com' RCPT:'' Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Implement audit container identifier filtering using the AUDIT_CONTID field name to send an 8-character string representing a u64 since the value field is only u32. Sending it as two u32 was considered, but gathering and comparing two fields was more complex. The feature indicator is AUDIT_FEATURE_BITMAP_CONTAINERID_FILTER. See: https://github.com/linux-audit/audit-kernel/issues/91 See: https://github.com/linux-audit/audit-userspace/issues/40 See: https://github.com/linux-audit/audit-testsuite/issues/64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs --- include/linux/audit.h | 1 + include/uapi/linux/audit.h | 5 ++++- kernel/audit.h | 1 + kernel/auditfilter.c | 47 ++++++++++++++++++++++++++++++++++++++++++++++ kernel/auditsc.c | 3 +++ 5 files changed, 56 insertions(+), 1 deletion(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index f549121..1e37abf 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -76,6 +76,7 @@ struct audit_field { u32 type; union { u32 val; + u64 val64; kuid_t uid; kgid_t gid; struct { diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index 469ab25..b440558 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -262,6 +262,7 @@ #define AUDIT_LOGINUID_SET 24 #define AUDIT_SESSIONID 25 /* Session ID */ #define AUDIT_FSTYPE 26 /* FileSystem Type */ +#define AUDIT_CONTID 27 /* Container ID */ /* These are ONLY useful when checking * at syscall exit time (AUDIT_AT_EXIT). */ @@ -342,6 +343,7 @@ enum { #define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010 #define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020 #define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040 +#define AUDIT_FEATURE_BITMAP_CONTAINERID_FILTER 0x00000080 #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \ AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \ @@ -349,7 +351,8 @@ enum { AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \ AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \ AUDIT_FEATURE_BITMAP_LOST_RESET | \ - AUDIT_FEATURE_BITMAP_FILTER_FS) + AUDIT_FEATURE_BITMAP_FILTER_FS | \ + AUDIT_FEATURE_BITMAP_CONTAINERID_FILTER) /* deprecated: AUDIT_VERSION_* */ #define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL diff --git a/kernel/audit.h b/kernel/audit.h index 1cf1c35..743d445 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -235,6 +235,7 @@ static inline int audit_hash_ino(u32 ino) extern int audit_match_class(int class, unsigned syscall); extern int audit_comparator(const u32 left, const u32 op, const u32 right); +extern int audit_comparator64(const u64 left, const u32 op, const u64 right); extern int audit_uid_comparator(kuid_t left, u32 op, kuid_t right); extern int audit_gid_comparator(kgid_t left, u32 op, kgid_t right); extern int parent_len(const char *path); diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index eaa3201..a5f60ce 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -410,6 +410,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f) /* FALL THROUGH */ case AUDIT_ARCH: case AUDIT_FSTYPE: + case AUDIT_CONTID: if (f->op != Audit_not_equal && f->op != Audit_equal) return -EINVAL; break; @@ -584,6 +585,14 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, } entry->rule.exe = audit_mark; break; + case AUDIT_CONTID: + if (f->val != sizeof(u64)) + goto exit_free; + str = audit_unpack_string(&bufp, &remain, f->val); + if (IS_ERR(str)) + goto exit_free; + f->val64 = ((u64 *)str)[0]; + break; } } @@ -666,6 +675,11 @@ static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) data->buflen += data->values[i] = audit_pack_string(&bufp, audit_mark_path(krule->exe)); break; + case AUDIT_CONTID: + data->buflen += data->values[i] = sizeof(u64); + for (i = 0; i < sizeof(u64); i++) + ((char *)bufp)[i] = ((char *)&f->val64)[i]; + break; case AUDIT_LOGINUID_SET: if (krule->pflags & AUDIT_LOGINUID_LEGACY && !f->val) { data->fields[i] = AUDIT_LOGINUID; @@ -752,6 +766,10 @@ static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) if (!gid_eq(a->fields[i].gid, b->fields[i].gid)) return 1; break; + case AUDIT_CONTID: + if (a->fields[i].val64 != b->fields[i].val64) + return 1; + break; default: if (a->fields[i].val != b->fields[i].val) return 1; @@ -1208,6 +1226,31 @@ int audit_comparator(u32 left, u32 op, u32 right) } } +int audit_comparator64(u64 left, u32 op, u64 right) +{ + switch (op) { + case Audit_equal: + return (left == right); + case Audit_not_equal: + return (left != right); + case Audit_lt: + return (left < right); + case Audit_le: + return (left <= right); + case Audit_gt: + return (left > right); + case Audit_ge: + return (left >= right); + case Audit_bitmask: + return (left & right); + case Audit_bittest: + return ((left & right) == right); + default: + BUG(); + return 0; + } +} + int audit_uid_comparator(kuid_t left, u32 op, kuid_t right) { switch (op) { @@ -1346,6 +1389,10 @@ int audit_filter(int msgtype, unsigned int listtype) result = audit_comparator(audit_loginuid_set(current), f->op, f->val); break; + case AUDIT_CONTID: + result = audit_comparator64(audit_get_contid(current), + f->op, f->val64); + break; case AUDIT_MSGTYPE: result = audit_comparator(msgtype, f->op, f->val); break; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 81c9765..ea1ee35 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -622,6 +622,9 @@ static int audit_filter_rules(struct task_struct *tsk, case AUDIT_LOGINUID_SET: result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val); break; + case AUDIT_CONTID: + result = audit_comparator64(audit_get_contid(tsk), f->op, f->val64); + break; case AUDIT_SUBJ_USER: case AUDIT_SUBJ_ROLE: case AUDIT_SUBJ_TYPE: -- 1.8.3.1