Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp873035img; Mon, 18 Mar 2019 16:48:23 -0700 (PDT) X-Google-Smtp-Source: APXvYqzmruht0F3bnNvFh8wKiGoVDWNgZRiiRr/FzPT0D3AlxkxrTdpaUo/31x7sazqYKwnxpf23 X-Received: by 2002:a17:902:1121:: with SMTP id d30mr22675997pla.104.1552952903432; Mon, 18 Mar 2019 16:48:23 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1552952903; cv=none; d=google.com; s=arc-20160816; b=QDKG9fhzKG16hZ9ZJ8ujnGGzUXQHDUXqQkyrUmPfvyhaJq7Uuq1g3t+nYTKp5/2J0O lxPm3XjM9a/PyQalhpE1ehDDEZ9FEISAMLKQVOD2ewSchxif2oRzfgr5khCjyaDCj5To gRARAglU2l0Dl7j5vurKoBWQ+xTCkNf+MmZnbcx/3Khdy9H41OzqvtIlMo5dwPW8F/9i LnwrqGqXvAAkk5FWAYcklrRgV0nVOShXRjyfYEDdgABYdNQCSp9J0p0pqaM82gChQ7y9 U9mtHvWfGmgREJ44VJdXG6iuURBbdsV2vDxGnKu7OrEuNLImU58Wpx1DRggVOaYAOBHh vBxw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=IkJAfBdOrWenDDzwQGEI8ByxmjY/fAPZvwv4l2qClTY=; b=vw8EN2oSv54xjxIuqlg/FNtYw4r7pOaaIzYGrjnIPHFvGv4SedGRyVaPOvtHtVOxm6 rLDebHNjQuqrJCEsA4NTISGacGbcw61b/O9UGaRV6eB58yboDCRHJtp/vIHpg9Pr45Oe 2QyQ7PtQtETVFOpbLr6uajkxuVOuiNC525jhlOAKbe92nweZTZEASV7Lh5ArbMGb3ZMQ DIyeLola3xT7khJXkCYcfMzZquhshfMvdv+sM2LWGsktUqUwB710PixrePYO5cyHcDH5 asGsLKuf5vYZ4Yu4Hv7SxZYIkO8ZufwK9ag/R8+DQ4dveKvuumPLXE4pZXKi1kq6ilMC iQNQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n18si10695455pfe.166.2019.03.18.16.48.07; Mon, 18 Mar 2019 16:48:23 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727055AbfCRXrc (ORCPT + 99 others); Mon, 18 Mar 2019 19:47:32 -0400 Received: from mx1.redhat.com ([209.132.183.28]:36722 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726575AbfCRXrc (ORCPT ); Mon, 18 Mar 2019 19:47:32 -0400 Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id D808136899; Mon, 18 Mar 2019 23:47:30 +0000 (UTC) Received: from madcap2.tricolour.ca (ovpn-112-22.phx2.redhat.com [10.3.112.22]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 5D21019C67; Mon, 18 Mar 2019 23:47:19 +0000 (UTC) Date: Mon, 18 Mar 2019 19:47:16 -0400 From: Richard Guy Briggs To: Ondrej Mosnacek Cc: containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List , linux-fsdevel@vger.kernel.org, LKML , netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, Paul Moore , Steve Grubb , David Howells , simo@redhat.com, Eric Paris , "Serge E. Hallyn" , "Eric W . Biederman" , nhorman@tuxdriver.com Subject: Re: [PATCH ghak90 V5 08/10] audit: add containerid filtering Message-ID: <20190318234716.4moownrpylloiu3g@madcap2.tricolour.ca> References: <3f02f7b56d2fba2918ff6fe90fcfa3ae558faff8.1552665316.git.rgb@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: NeoMutt/20180716 X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.30]); Mon, 18 Mar 2019 23:47:31 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2019-03-18 21:02, Ondrej Mosnacek wrote: > On Fri, Mar 15, 2019 at 7:35 PM Richard Guy Briggs wrote: > > > > Implement audit container identifier filtering using the AUDIT_CONTID > > field name to send an 8-character string representing a u64 since the > > value field is only u32. > > > > Sending it as two u32 was considered, but gathering and comparing two > > fields was more complex. > > > > The feature indicator is AUDIT_FEATURE_BITMAP_CONTAINERID. > > > > See: https://github.com/linux-audit/audit-kernel/issues/91 > > See: https://github.com/linux-audit/audit-userspace/issues/40 > > See: https://github.com/linux-audit/audit-testsuite/issues/64 > > See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID > > Signed-off-by: Richard Guy Briggs > > Acked-by: Serge Hallyn > > --- > > include/linux/audit.h | 1 + > > include/uapi/linux/audit.h | 5 ++++- > > kernel/audit.h | 1 + > > kernel/auditfilter.c | 47 ++++++++++++++++++++++++++++++++++++++++++++++ > > kernel/auditsc.c | 3 +++ > > 5 files changed, 56 insertions(+), 1 deletion(-) > > > > diff --git a/include/linux/audit.h b/include/linux/audit.h > > index 6db5aba7cc01..fa19fa408931 100644 > > --- a/include/linux/audit.h > > +++ b/include/linux/audit.h > > @@ -77,6 +77,7 @@ struct audit_field { > > u32 type; > > union { > > u32 val; > > + u64 val64; > > kuid_t uid; > > kgid_t gid; > > struct { > > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h > > index a6383e28b2c8..741ab6f38294 100644 > > --- a/include/uapi/linux/audit.h > > +++ b/include/uapi/linux/audit.h > > @@ -265,6 +265,7 @@ > > #define AUDIT_LOGINUID_SET 24 > > #define AUDIT_SESSIONID 25 /* Session ID */ > > #define AUDIT_FSTYPE 26 /* FileSystem Type */ > > +#define AUDIT_CONTID 27 /* Container ID */ > > > > /* These are ONLY useful when checking > > * at syscall exit time (AUDIT_AT_EXIT). */ > > @@ -345,6 +346,7 @@ enum { > > #define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010 > > #define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020 > > #define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040 > > +#define AUDIT_FEATURE_BITMAP_CONTAINERID 0x00000080 > > > > #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \ > > AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \ > > @@ -352,7 +354,8 @@ enum { > > AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \ > > AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \ > > AUDIT_FEATURE_BITMAP_LOST_RESET | \ > > - AUDIT_FEATURE_BITMAP_FILTER_FS) > > + AUDIT_FEATURE_BITMAP_FILTER_FS | \ > > + AUDIT_FEATURE_BITMAP_CONTAINERID) > > > > /* deprecated: AUDIT_VERSION_* */ > > #define AUDIT_VERSION_LATEST AUDIT_FEATURE_BITMAP_ALL > > diff --git a/kernel/audit.h b/kernel/audit.h > > index 2a1a8b8a8019..3a40b608bf8d 100644 > > --- a/kernel/audit.h > > +++ b/kernel/audit.h > > @@ -230,6 +230,7 @@ static inline int audit_hash_ino(u32 ino) > > > > extern int audit_match_class(int class, unsigned syscall); > > extern int audit_comparator(const u32 left, const u32 op, const u32 right); > > +extern int audit_comparator64(const u64 left, const u32 op, const u64 right); > > extern int audit_uid_comparator(kuid_t left, u32 op, kuid_t right); > > extern int audit_gid_comparator(kgid_t left, u32 op, kgid_t right); > > extern int parent_len(const char *path); > > diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c > > index add360b46b38..516b8e58959e 100644 > > --- a/kernel/auditfilter.c > > +++ b/kernel/auditfilter.c > > @@ -410,6 +410,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f) > > /* FALL THROUGH */ > > case AUDIT_ARCH: > > case AUDIT_FSTYPE: > > + case AUDIT_CONTID: > > if (f->op != Audit_not_equal && f->op != Audit_equal) > > return -EINVAL; > > break; > > @@ -582,6 +583,14 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, > > } > > entry->rule.exe = audit_mark; > > break; > > + case AUDIT_CONTID: > > + if (f->val != sizeof(u64)) > > + goto exit_free; > > + str = audit_unpack_string(&bufp, &remain, f->val); > > + if (IS_ERR(str)) > > + goto exit_free; > > + f->val64 = ((u64 *)str)[0]; > > + break; > > } > > } > > > > @@ -664,6 +673,11 @@ static struct audit_rule_data *audit_krule_to_data(struct audit_krule *krule) > > data->buflen += data->values[i] = > > audit_pack_string(&bufp, audit_mark_path(krule->exe)); > > break; > > + case AUDIT_CONTID: > > + data->buflen += data->values[i] = sizeof(u64); > > + for (i = 0; i < sizeof(u64); i++) > > + ((char *)bufp)[i] = ((char *)&f->val64)[i]; > > How about just: > > memcpy(bufp, &f->val64, sizeof(u64)); > > instead of the awkward for loop? It is simpler and also more in line > with the code in audit_pack_string(). I'll grant you that. I'll use that instead. > Also, doesn't this loop interfere with the outer loop that also uses > 'i' as the control variable? Yes, it does. Thank you for catching that. Doing a auditctl -l reveals this. > > + break; > > case AUDIT_LOGINUID_SET: > > if (krule->pflags & AUDIT_LOGINUID_LEGACY && !f->val) { > > data->fields[i] = AUDIT_LOGINUID; > > @@ -750,6 +764,10 @@ static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b) > > if (!gid_eq(a->fields[i].gid, b->fields[i].gid)) > > return 1; > > break; > > + case AUDIT_CONTID: > > + if (a->fields[i].val64 != b->fields[i].val64) > > + return 1; > > + break; > > default: > > if (a->fields[i].val != b->fields[i].val) > > return 1; > > @@ -1206,6 +1224,31 @@ int audit_comparator(u32 left, u32 op, u32 right) > > } > > } > > > > +int audit_comparator64(u64 left, u32 op, u64 right) > > +{ > > + switch (op) { > > + case Audit_equal: > > + return (left == right); > > + case Audit_not_equal: > > + return (left != right); > > + case Audit_lt: > > + return (left < right); > > + case Audit_le: > > + return (left <= right); > > + case Audit_gt: > > + return (left > right); > > + case Audit_ge: > > + return (left >= right); > > + case Audit_bitmask: > > + return (left & right); > > + case Audit_bittest: > > + return ((left & right) == right); > > + default: > > + BUG(); > > + return 0; > > + } > > +} > > + > > int audit_uid_comparator(kuid_t left, u32 op, kuid_t right) > > { > > switch (op) { > > @@ -1344,6 +1387,10 @@ int audit_filter(int msgtype, unsigned int listtype) > > result = audit_comparator(audit_loginuid_set(current), > > f->op, f->val); > > break; > > + case AUDIT_CONTID: > > + result = audit_comparator64(audit_get_contid(current), > > + f->op, f->val64); > > + break; > > case AUDIT_MSGTYPE: > > result = audit_comparator(msgtype, f->op, f->val); > > break; > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > index aa5d13b4fbbb..2d74238e9638 100644 > > --- a/kernel/auditsc.c > > +++ b/kernel/auditsc.c > > @@ -616,6 +616,9 @@ static int audit_filter_rules(struct task_struct *tsk, > > case AUDIT_LOGINUID_SET: > > result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val); > > break; > > + case AUDIT_CONTID: > > + result = audit_comparator64(audit_get_contid(tsk), f->op, f->val64); > > + break; > > case AUDIT_SUBJ_USER: > > case AUDIT_SUBJ_ROLE: > > case AUDIT_SUBJ_TYPE: > > -- > > 1.8.3.1 > > > > > -- > Ondrej Mosnacek > Associate Software Engineer, Security Technologies > Red Hat, Inc. - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635