In-Reply-To: <85fcd0a81adef25cb60b2e479bbb380e76dbf999.1552665316.git.rgb@redhat.com>
From: Ondrej Mosnacek
Date: Wed, 27 Mar 2019 22:01:25 +0100
Subject: Re: [PATCH ghak90 V5 04/10] audit: log container info of syscalls
To: Richard Guy Briggs
Cc: containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List, linux-fsdevel@vger.kernel.org, LKML, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, Paul Moore, Steve Grubb, David Howells, Simo Sorce, Eric Paris, "Serge E. Hallyn", "Eric W. Biederman", nhorman@tuxdriver.com
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Mar 15, 2019 at 7:34 PM Richard Guy Briggs wrote:
> Create a new audit record AUDIT_CONTAINER_ID to document the audit
> container identifier of a process if it is present.
>
> Called from audit_log_exit(), syscalls are covered.
>
> A sample raw event:
> type=SYSCALL msg=audit(1519924845.499:257): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=56374e1cef30 a2=241 a3=1b6 items=2 ppid=606 pid=635 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="tmpcontainerid"
> type=CWD msg=audit(1519924845.499:257): cwd="/root"
> type=PATH msg=audit(1519924845.499:257): item=0 name="/tmp/" inode=13863 dev=00:27 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
> type=PATH msg=audit(1519924845.499:257): item=1 name="/tmp/tmpcontainerid" inode=17729 dev=00:27 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
> type=PROCTITLE msg=audit(1519924845.499:257): proctitle=62617368002D6300736C65657020313B206563686F2074657374203E202F746D702F746D70636F6E7461696E65726964
> type=CONTAINER_ID msg=audit(1519924845.499:257):
contid=123458 > > See: https://github.com/linux-audit/audit-kernel/issues/90 > See: https://github.com/linux-audit/audit-userspace/issues/51 > See: https://github.com/linux-audit/audit-testsuite/issues/64 > See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID > Signed-off-by: Richard Guy Briggs > Acked-by: Serge Hallyn > Acked-by: Steve Grubb > Signed-off-by: Richard Guy Briggs Barring one minor nit below, Reviewed-by: Ondrej Mosnacek > --- > include/linux/audit.h | 5 +++++ > include/uapi/linux/audit.h | 1 + > kernel/audit.c | 21 +++++++++++++++++++++ > kernel/auditsc.c | 2 ++ > 4 files changed, 29 insertions(+) > > diff --git a/include/linux/audit.h b/include/linux/audit.h > index 301337776193..43438192ca2a 100644 > --- a/include/linux/audit.h > +++ b/include/linux/audit.h > @@ -199,6 +199,8 @@ static inline u64 audit_get_contid(struct task_struct *tsk) > return tsk->audit->contid; > } > > +extern void audit_log_contid(struct audit_context *context, u64 contid); > + > extern u32 audit_enabled; > #else /* CONFIG_AUDIT */ > static inline int audit_alloc(struct task_struct *task) > @@ -265,6 +267,9 @@ static inline u64 audit_get_contid(struct task_struct *tsk) > return AUDIT_CID_UNSET; > } > > +static inline void audit_log_contid(struct audit_context *context, u64 contid) > +{ } > + > #define audit_enabled AUDIT_OFF > #endif /* CONFIG_AUDIT */ > > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h > index d475cf3b4d7f..a6383e28b2c8 100644 > --- a/include/uapi/linux/audit.h > +++ b/include/uapi/linux/audit.h > @@ -115,6 +115,7 @@ > #define AUDIT_REPLACE 1329 /* Replace auditd if this packet unanswerd */ > #define AUDIT_KERN_MODULE 1330 /* Kernel Module events */ > #define AUDIT_FANOTIFY 1331 /* Fanotify access decision */ > +#define AUDIT_CONTAINER_ID 1332 /* Container ID */ > > #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ > #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ 
> diff --git a/kernel/audit.c b/kernel/audit.c > index b5c702abeb42..8cc0e88d7f2a 100644 > --- a/kernel/audit.c > +++ b/kernel/audit.c > @@ -2127,6 +2127,27 @@ void audit_log_session_info(struct audit_buffer *ab) > audit_log_format(ab, "auid=%u ses=%u", auid, sessionid); > } > > +/* > + * audit_log_contid - report container info > + * @context: task or local context for record > + * @contid: container ID to report > + */ > +void audit_log_contid(struct audit_context *context, u64 contid) > +{ > + struct audit_buffer *ab; > + > + if (!audit_contid_valid(contid)) > + return; > + /* Generate AUDIT_CONTAINER_ID record with container ID */ > + ab = audit_log_start(context, GFP_KERNEL, AUDIT_CONTAINER_ID); > + if (!ab) > + return; > + audit_log_format(ab, "contid=%llu", contid); Just realized that you *might* get a compiler/static checker warning since u64 could technically be something else than unsigned long long on some arches... maybe this is not the case in the kernel, but might be safer to cast it to unsigned long long before passing to audit_log_format(). Possibly there are similar occurrences in previous (later) patches that I didn't (won't) notice. > + audit_log_end(ab); > + return; > +} > +EXPORT_SYMBOL(audit_log_contid); > + > void audit_log_key(struct audit_buffer *ab, char *key) > { > audit_log_format(ab, " key="); > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index 8090eff7868d..a8c8b44b954d 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -1548,6 +1548,8 @@ static void audit_log_exit(void) > > audit_log_proctitle(); > > + audit_log_contid(context, audit_get_contid(current)); > + > /* Send end of event record to help user space know we are finished */ > ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE); > if (ab) > -- > 1.8.3.1 >

--
Ondrej Mosnacek
Software Engineer, Security Technologies
Red Hat, Inc.
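Review bot: in the include/uapi/linux/audit.h hunk the comment on the new constant, `#define AUDIT_CONTAINER_ID 1332 /* Container ID */`, uses a different term from the commit message ("audit container identifier") and is terser than the neighbouring `/* Kernel Module events */` and `/* Fanotify access decision */` entries; since this define is the ABI name that audit-userspace has to mirror, consider `/* Audit container identifier */` so both sides use the same term.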
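Review bot: the comment block above audit_log_contid() in the kernel/audit.c hunk is written in kernel-doc form (`* audit_log_contid - report container info`, `@context:`, `@contid:`) but opens with `/*` rather than `/**`, so the documentation tooling will not pick it up; change the opener to `/**`. In the same function, the early `if (!audit_contid_valid(contid)) return;` means a task with no container ID produces no CONTAINER_ID record at all, which is worth stating in that comment so consumers know to treat an absent record as "unset" rather than as a parse error; the trailing `return;` before the closing brace of a void function is redundant; and nothing visible in this patch needs `EXPORT_SYMBOL(audit_log_contid)` (the only caller is audit_log_exit() in kernel/auditsc.c), so either name the module caller in the commit message or drop the export.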
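Review bot: in the kernel/auditsc.c hunk, `audit_log_contid(context, audit_get_contid(current));` reads the task's contid at syscall exit, so the record reports the value as of exit rather than entry; if the contid can change during a syscall, the commit message should say which value the record carries. The placement after audit_log_proctitle() and before the AUDIT_EOE record matches the sample event, where CONTAINER_ID is the last record before end-of-event.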
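An added example of the consumer side of this record, not code from the patch, the kernel or audit-userspace: it groups raw audit lines into events by their msg=audit(ts:serial) key and attaches the contid from the CONTAINER_ID record to the SYSCALL record of the same event. The input is constructed: event 257 is the sample from the commit message; event 258 (pid 640, auid 1000, a1/a2/a3 values and a second PROCTITLE) is invented to show a task with no container ID, for which the kernel emits no CONTAINER_ID record at all, so the consumer must report "no container" rather than contid 0.

```python
"""Attach contid from AUDIT_CONTAINER_ID to the SYSCALL record of the same event.

Added example; not code from the patch or from audit-userspace.  SAMPLE_LOG is
constructed: event 257 is the commit-message sample, event 258 is invented.
"""
import re
from collections import OrderedDict

SAMPLE_LOG = """\
type=SYSCALL msg=audit(1519924845.499:257): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=56374e1cef30 a2=241 a3=1b6 items=2 ppid=606 pid=635 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="tmpcontainerid"
type=CWD msg=audit(1519924845.499:257): cwd="/root"
type=PATH msg=audit(1519924845.499:257): item=0 name="/tmp/" inode=13863 dev=00:27 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=PATH msg=audit(1519924845.499:257): item=1 name="/tmp/tmpcontainerid" inode=17729 dev=00:27 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1519924845.499:257): proctitle=62617368002D6300736C65657020313B206563686F2074657374203E202F746D702F746D70636F6E7461696E65726964
type=CONTAINER_ID msg=audit(1519924845.499:257): contid=123458
type=SYSCALL msg=audit(1519924846.101:258): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd0c2a1e40 a2=0 a3=0 items=1 ppid=606 pid=640 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4 comm="cat" exe="/usr/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="tmpcontainerid"
type=PROCTITLE msg=audit(1519924846.101:258): proctitle=636174002F746D702F746D70636F6E7461696E65726964
"""

# One raw record: record type, event key audit(<timestamp>:<serial>), then key=value fields.
RECORD_RE = re.compile(
    r"^type=(?P<type>[A-Z_]+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): ?(?P<body>.*)$")
# A value is either a double-quoted string or a bare token (number, hex, SELinux context).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_record(line):
    """Return {'type', 'event': (ts, serial), 'fields'} for one raw line, else None."""
    m = RECORD_RE.match(line.strip())
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(m.group("body")))  # raw values, quotes kept
    return {"type": m.group("type"),
            "event": (m.group("ts"), int(m.group("serial"))),
            "fields": fields}


def unquote(value):
    return value[1:-1] if len(value) >= 2 and value.startswith('"') else value


def decode_proctitle(value):
    """PROCTITLE is quoted when argv is a single safe string; otherwise audit
    hex-encodes the whole argv with NUL separators between entries."""
    if value.startswith('"'):
        return unquote(value)
    return " ".join(p.decode("utf-8", "replace")
                    for p in bytes.fromhex(value).split(b"\0"))


def group_events(log_text):
    """Collect the records sharing one msg=audit(ts:serial) key, in arrival order."""
    events = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec["event"], []).append(rec)
    return events


def syscalls_by_container(log_text):
    """Map serial -> summary of each SYSCALL event with its contid attached.

    contid is None when the event has no CONTAINER_ID record: the kernel skips
    the record for a task whose contid is unset, so absent means "no container",
    not contid 0.  Repeated types (the two PATH records) collapse to the last
    one; only SYSCALL, CONTAINER_ID and PROCTITLE are read here.
    """
    out = {}
    for (ts, serial), records in group_events(log_text).items():
        by_type = {r["type"]: r["fields"] for r in records}
        if "SYSCALL" not in by_type:
            continue
        sc = by_type["SYSCALL"]
        contid = by_type.get("CONTAINER_ID", {}).get("contid")
        proctitle = by_type.get("PROCTITLE", {}).get("proctitle")
        out[serial] = {
            "ts": ts,
            "pid": int(sc["pid"]),
            "auid": int(sc["auid"]),
            "comm": unquote(sc.get("comm", '""')),
            "syscall": int(sc["syscall"]),
            "contid": int(contid) if contid is not None else None,
            "proctitle": decode_proctitle(proctitle) if proctitle is not None else None,
        }
    return out


if __name__ == "__main__":
    for serial, ev in syscalls_by_container(SAMPLE_LOG).items():
        where = "contid=%d" % ev["contid"] if ev["contid"] is not None else "no container ID"
        print("%s:%d pid=%d comm=%s syscall=%d %s" % (
            ev["ts"], serial, ev["pid"], ev["comm"], ev["syscall"], where))
```

Grouping by the (timestamp, serial) pair is the same key ausearch uses to assemble an event; in a live pipeline the AUDIT_EOE record, which the hunk in kernel/auditsc.c emits right after CONTAINER_ID, is the signal that an event is complete, whereas this offline version simply reads to end of input.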