References: <20190530140849.zdxvlvkefwpngfil@madcap2.tricolour.ca>
In-Reply-To: <20190530140849.zdxvlvkefwpngfil@madcap2.tricolour.ca>
From: Paul Moore
Date: Thu, 30 May 2019 10:34:22 -0400
Subject: Re: [PATCH ghak90 V6 04/10] audit: log container info of syscalls
To: Richard Guy Briggs
Cc: Ondrej Mosnacek, Neil Horman, linux-api@vger.kernel.org, containers@lists.linux-foundation.org, LKML, David Howells, Linux-Audit Mailing List, netfilter-devel@vger.kernel.org, "Eric W . Biederman", Simo Sorce, netdev@vger.kernel.org, linux-fsdevel@vger.kernel.org, Eric Paris, Serge Hallyn
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, May 30, 2019 at 10:09 AM Richard Guy Briggs wrote:
>
> On 2019-05-30 15:08, Ondrej Mosnacek wrote:
> > On Thu, May 30, 2019 at 12:16 AM Paul Moore wrote:
> > > On Mon, Apr 8, 2019 at 11:40 PM Richard Guy Briggs wrote:
> > > >
> > > > Create a new audit record AUDIT_CONTAINER_ID to document the audit
> > > > container identifier of a process if it is present.
> > > >
> > > > Called from audit_log_exit(), syscalls are covered.
> > > >
> > > > A sample raw event:
> > > > type=SYSCALL msg=audit(1519924845.499:257): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=56374e1cef30 a2=241 a3=1b6 items=2 ppid=606 pid=635 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="tmpcontainerid"
> > > > type=CWD msg=audit(1519924845.499:257): cwd="/root"
> > > > type=PATH msg=audit(1519924845.499:257): item=0 name="/tmp/" inode=13863 dev=00:27 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
> > > > type=PATH msg=audit(1519924845.499:257): item=1 name="/tmp/tmpcontainerid" inode=17729 dev=00:27 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
> > > > type=PROCTITLE msg=audit(1519924845.499:257): proctitle=62617368002D6300736C65657020313B206563686F2074657374203E202F746D702F746D70636F6E7461696E65726964
> > > > type=CONTAINER_ID msg=audit(1519924845.499:257): contid=123458
> > > >
> > > > Please see the github audit kernel issue for the main feature:
> > > > https://github.com/linux-audit/audit-kernel/issues/90
> > > > Please see the github audit userspace issue for supporting additions:
> > > > https://github.com/linux-audit/audit-userspace/issues/51
> > > > Please see the github audit testsuite issue for the test case:
> > > > https://github.com/linux-audit/audit-testsuite/issues/64
> > > > Please see the github audit wiki for the feature overview:
> > > > https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
> > > >
> > > > Signed-off-by: Richard Guy Briggs
> > > > Acked-by: Serge Hallyn
> > > > Acked-by: Steve Grubb
> > > > Acked-by: Neil Horman
> > > > Reviewed-by: Ondrej Mosnacek
> > > > ---
> > > >  include/linux/audit.h      |  5 +++++
> > > >  include/uapi/linux/audit.h |  1 +
> > > >  kernel/audit.c             | 20 ++++++++++++++++++++
> > > >  kernel/auditsc.c           | 20 ++++++++++++++------
> > > >  4 files changed, 40 insertions(+), 6 deletions(-)
> > >
> > > ...
> > >
> > > > diff --git a/kernel/audit.c b/kernel/audit.c
> > > > index 182b0f2c183d..3e0af53f3c4d 100644
> > > > --- a/kernel/audit.c
> > > > +++ b/kernel/audit.c
> > > > @@ -2127,6 +2127,26 @@ void audit_log_session_info(struct audit_buffer *ab)
> > > >         audit_log_format(ab, "auid=%u ses=%u", auid, sessionid);
> > > >  }
> > > >
> > > > +/*
> > > > + * audit_log_contid - report container info
> > > > + * @context: task or local context for record
> > > > + * @contid: container ID to report
> > > > + */
> > > > +void audit_log_contid(struct audit_context *context, u64 contid)
> > > > +{
> > > > +       struct audit_buffer *ab;
> > > > +
> > > > +       if (!audit_contid_valid(contid))
> > > > +               return;
> > > > +       /* Generate AUDIT_CONTAINER_ID record with container ID */
> > > > +       ab = audit_log_start(context, GFP_KERNEL, AUDIT_CONTAINER_ID);
> > > > +       if (!ab)
> > > > +               return;
> > > > +       audit_log_format(ab, "contid=%llu", (unsigned long long)contid);
> > >
> > > We have a consistency problem regarding how to output the u64 contid
> > > values; this function uses an explicit cast, others do not.  According
> > > to Documentation/core-api/printk-formats.rst the recommendation for
> > > u64 is %llu (or %llx, if you want hex).  Looking quickly through the
> > > printk code this appears to still be correct.  I suggest we get rid of
> > > the cast (like it was in v5).
> >
> > IIRC it was me who suggested to add the casts. I didn't realize that
> > the kernel actually guarantees that "%llu" will always work with u64.
> > Taking that into account I rescind my request to add the cast. Sorry
> > for the false alarm.
>
> Yeah, just remove the cast.

Okay, this is trivial enough I'll take care of this during the merge with
a note.

-- 
paul moore
www.paul-moore.com
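Review bot: the explicit cast in `audit_log_format(ab, "contid=%llu", (unsigned long long)contid);` in the quoted kernel/audit.c hunk is redundant and inconsistent with the other call sites that print contid without one; Documentation/core-api/printk-formats.rst specifies `%llu` for `u64`, so `audit_log_format(ab, "contid=%llu", contid);` is sufficient and the cast should go, as the thread agrees. A smaller documentation point on the same hunk: the early `return` on `!audit_contid_valid(contid)` means no CONTAINER_ID record is emitted at all for a task without a container identifier, which matches the commit message's "if it is present" but is worth stating in the kernel-doc comment above `audit_log_contid()` so that log consumers treat the record's absence as the normal case rather than as a dropped record.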
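The sample raw event in the quoted commit message shows how the new CONTAINER_ID record is tied to the rest of a syscall event: every record of the event carries the same `msg=audit(timestamp:serial)` key, and the CONTAINER_ID record is emitted only when the task has a valid container identifier, so a consumer has to tolerate its absence. The parser below is an added example written for this page, not code from the kernel patch or from the audit userspace project. It groups records by that key, extracts `contid`, and decodes the hex-encoded PROCTITLE. `SAMPLE_LOG` is constructed input: event 257 is the one from the commit message, trimmed to the fields used here, and event 258 is an invented event with no CONTAINER_ID record; all function names are the example's own.

```python
"""Group raw Linux audit records into events and extract the container id.

Added example for this thread, not code from the kernel patch or from the
audit userspace project. It assumes only the record format shown in the
quoted commit message: each record of one event carries the same
``msg=audit(<timestamp>:<serial>)`` key, and a CONTAINER_ID record adds a
``contid=<u64>`` field to that event when the task has a valid container id.
"""
import re
from collections import defaultdict

# Constructed sample input: event 257 is the one from the commit message,
# trimmed to the fields used here; event 258 is invented and has no
# CONTAINER_ID record, which is what the kernel emits when the task has no
# audit container identifier set.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1519924845.499:257): arch=c000003e syscall=257 success=yes exit=3 pid=635 auid=0 uid=0 comm="bash" exe="/usr/bin/bash" key="tmpcontainerid"
type=CWD msg=audit(1519924845.499:257): cwd="/root"
type=PATH msg=audit(1519924845.499:257): item=1 name="/tmp/tmpcontainerid" inode=17729 nametype=CREATE
type=PROCTITLE msg=audit(1519924845.499:257): proctitle=62617368002D6300736C65657020313B206563686F2074657374203E202F746D702F746D70636F6E7461696E65726964
type=CONTAINER_ID msg=audit(1519924845.499:257): contid=123458
type=SYSCALL msg=audit(1519924846.101:258): arch=c000003e syscall=257 success=yes exit=4 pid=700 auid=0 uid=0 comm="bash" exe="/usr/bin/bash" key="tmpcontainerid"
type=CWD msg=audit(1519924846.101:258): cwd="/root"
"""

RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<fields>.*)$')
# A field is key=value; the value is either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Return (type, timestamp, serial, fields) or None for a non-record line."""
    m = RECORD_RE.match(line.rstrip('\n'))
    if not m:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(m.group('fields')):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return m.group('type'), m.group('ts'), int(m.group('serial')), fields


def decode_proctitle(hexstr):
    """PROCTITLE stores argv hex-encoded, with NUL bytes separating arguments."""
    return bytes.fromhex(hexstr).decode('utf-8', 'replace').split('\0')


def group_events(lines):
    """Collect the records of each event under its (timestamp, serial) key."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            continue
        rtype, ts, serial, fields = parsed
        events[(ts, serial)].append((rtype, fields))
    return events


def summarize(lines):
    """One summary dict per event, ordered by serial.

    contid is None when the event carries no CONTAINER_ID record, i.e. the
    task had no audit container identifier set.
    """
    summaries = []
    for (ts, serial), records in sorted(group_events(lines).items(),
                                        key=lambda kv: kv[0][1]):
        # Last record of each type wins; only PATH repeats and it is unused here.
        by_type = {rtype: fields for rtype, fields in records}
        syscall = by_type.get('SYSCALL', {})
        container = by_type.get('CONTAINER_ID')
        proctitle = by_type.get('PROCTITLE')
        summaries.append({
            'serial': serial,
            'timestamp': float(ts),
            # The kernel prints contid as an unsigned 64-bit decimal (%llu).
            'contid': int(container['contid']) if container and 'contid' in container else None,
            'syscall': syscall.get('syscall'),
            'exe': syscall.get('exe'),
            'key': syscall.get('key'),
            'argv': decode_proctitle(proctitle['proctitle']) if proctitle else None,
        })
    return summaries


if __name__ == '__main__':
    for event in summarize(SAMPLE_LOG.splitlines()):
        print(event)
```

Grouping on the `(timestamp, serial)` pair rather than on serial alone matters because the serial counter restarts on reboot; a `contid` of `None` in the summary is the expected result for any task outside a container, not a parsing failure.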