From: Richard Guy Briggs
To: containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List , linux-fsdevel@vger.kernel.org, LKML , netdev@vger.kernel.org, netfilter-devel@vger.kernel.org
Cc: Paul Moore , sgrubb@redhat.com, omosnace@redhat.com, dhowells@redhat.com, simo@redhat.com, eparis@parisplace.org, serge@hallyn.com, ebiederm@xmission.com, nhorman@tuxdriver.com, dwalsh@redhat.com, mpatel@redhat.com, Richard Guy Briggs
Subject: [PATCH ghak90 V7 14/21] audit: contid check descendancy and nesting
Date: Wed, 18 Sep 2019 21:22:31 -0400
Message-Id: <16abf1b2aafeb5f1b8dae20b9a4836e54f959ca5.1568834524.git.rgb@redhat.com>
In-Reply-To:
References:
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

?fixup! audit: convert to contid list to check for orch/engine ownership

Require the target task to be a descendant of the container orchestrator/engine.

You would only change the audit container ID from one set or inherited value to another if you were nesting containers. If changing the contid, the container orchestrator/engine must be a descendant and not the same orchestrator as the one that set it, so it is not possible to change the contid of another orchestrator's container.

Signed-off-by: Richard Guy Briggs
---
 kernel/audit.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 62 insertions(+), 8 deletions(-)

diff --git a/kernel/audit.c b/kernel/audit.c
index 9ce7a1ec7a92..69fe1e9af7cb 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -2560,6 +2560,39 @@ static struct task_struct *audit_cont_owner(struct task_struct *tsk) } /* + * task_is_descendant - walk up a process family tree looking for a match + * @parent: the process to compare against while walking up from child + * @child: the process to start from while looking upwards for parent + * + * Returns 1 if child is a descendant of parent, 0 if not. + */ +static int task_is_descendant(struct task_struct *parent, + struct task_struct *child) +{ + int rc = 0; + struct task_struct *walker = child; + + if (!parent || !child) + return 0; + + rcu_read_lock(); + if (!thread_group_leader(parent)) + parent = rcu_dereference(parent->group_leader); + while (walker->pid > 0) { + if (!thread_group_leader(walker)) + walker = rcu_dereference(walker->group_leader); + if (walker == parent) { + rc = 1; + break; + } + walker = rcu_dereference(walker->real_parent); + } + rcu_read_unlock(); + + return rc; +} + +/* * audit_set_contid - set current task's audit contid * @task: target task * @contid: contid value 
@@ -2587,22 +2620,43 @@ int audit_set_contid(struct task_struct *task, u64 contid) oldcontid = audit_get_contid(task); read_lock(&tasklist_lock); /* Don't allow the contid to be unset */ - if (!audit_contid_valid(contid)) + if (!audit_contid_valid(contid)) { rc = -EINVAL; + goto unlock; + } /* Don't allow the contid to be set to the same value again */ - else if (contid == oldcontid) { + if (contid == oldcontid) { rc = -EADDRINUSE; + goto unlock; + } /* if we don't have caps, reject */ - else if (!capable(CAP_AUDIT_CONTROL)) + if (!capable(CAP_AUDIT_CONTROL)) { rc = -EPERM; - /* if task has children or is not single-threaded, deny */ - else if (!list_empty(&task->children)) + goto unlock; + } + /* if task has children, deny */ + if (!list_empty(&task->children)) { rc = -EBUSY; - else if (!(thread_group_leader(task) && thread_group_empty(task))) + goto unlock; + } + /* if task is not single-threaded, deny */ + if (!(thread_group_leader(task) && thread_group_empty(task))) { rc = -EALREADY; - /* if contid is already set, deny */ - else if (audit_contid_set(task)) + goto unlock; + } + /* if task is not descendant, block */ + if (task == current) { + rc = -EBADSLT; + goto unlock; + } + if (!task_is_descendant(current, task)) { + rc = -EXDEV; + goto unlock; + } + /* only allow contid setting again if nesting */ + if (audit_contid_set(task) && current == audit_cont_owner(task)) rc = -ECHILD; +unlock: read_unlock(&tasklist_lock); if (!rc) { struct audit_cont *oldcont = audit_cont(task); -- 1.8.3.1
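Review bot: In the first hunk, task_is_descendant() reports a task as a descendant of itself, because the `walker == parent` comparison runs before the first step to `real_parent`; the kerneldoc ("Returns 1 if child is a descendant of parent") should state this, since the caller in audit_set_contid() has to compensate with a separate `task == current` check. A `bool` return would also match kernel convention for a predicate. Separately, the only caller visible here already holds read_lock(&tasklist_lock), which pins the `real_parent` chain, so the rcu_read_lock()/rcu_dereference() pair looks redundant; either drop it or document in the kerneldoc which lock callers must hold, so the function's safety does not depend on an unstated assumption.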
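Review bot: In the second hunk, the nesting rule stated in the commit message (the orchestrator changing an already-set contid must itself be a descendant of the orchestrator that set it) is only half enforced: the final check rejects only `current == audit_cont_owner(task)`, while `task_is_descendant(current, task)` establishes that task is below current, not that current is below the owner. Any task with CAP_AUDIT_CONTROL that is an ancestor of task but unrelated to, or above, the original owner therefore passes and can relabel another orchestrator's container, which is exactly what the message says must be impossible. Suggest extending the check to something like `if (audit_contid_set(task) && (current == audit_cont_owner(task) || !task_is_descendant(audit_cont_owner(task), current))) rc = -ECHILD;`. Two smaller points: the comment "/* if task is not descendant, block */" now sits above the `task == current` self-check rather than the descendancy test, and the new error values (-EBADSLT for self, -EXDEV for non-descendant, -ECHILD for non-nesting) are unusual enough that they should be listed in the user-facing documentation for the contid interface so that an orchestrator can distinguish the failure modes.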