From: Paul Moore
Date: Thu, 10 Oct 2019 20:38:47 -0400
Subject: Re: [PATCH ghak90 V7 05/21] audit: log drop of contid on exit of last task
To: Richard Guy Briggs
Cc: containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List, linux-fsdevel@vger.kernel.org, LKML, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, sgrubb@redhat.com, omosnace@redhat.com, dhowells@redhat.com, simo@redhat.com, Eric Paris, Serge Hallyn, ebiederm@xmission.com, nhorman@tuxdriver.com, Dan Walsh, mpatel@redhat.com
In-Reply-To: <71b75f54342f32f176c2b6d94584f2a666964e68.1568834524.git.rgb@redhat.com>
List-ID: linux-kernel@vger.kernel.org

On Wed, Sep 18, 2019 at 9:24 PM Richard Guy Briggs wrote:
> Since we are tracking the life of each audit container identifier, we
> can match the creation event with the destruction event. Log the
> destruction of the audit container identifier when the last process in
> that container exits.
>
> Signed-off-by: Richard Guy Briggs
> ---
> kernel/audit.c | 32 ++++++++++++++++++++++++++++++++
> kernel/audit.h | 2 ++
> kernel/auditsc.c | 2 ++
> 3 files changed, 36 insertions(+)
>
> diff --git a/kernel/audit.c
> index ea0899130cc1..53d13d638c63 100644
> --- a/kernel/audit.c > +++ b/kernel/audit.c > @@ -2503,6 +2503,38 @@ int audit_set_contid(struct task_struct *task, u64 contid) > return rc; > } > > +void audit_log_container_drop(void) > +{ > + struct audit_buffer *ab; > + uid_t uid; > + struct tty_struct *tty; > + char comm[sizeof(current->comm)]; > + > + if (!current->audit || !current->audit->cont || > + refcount_read(¤t->audit->cont->refcount) > 1) > + return; > + ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_CONTAINER_OP); > + if (!ab) > + return; > + > + uid = from_kuid(&init_user_ns, task_uid(current)); > + tty = audit_get_tty(); > + audit_log_format(ab, > + "op=drop opid=%d contid=%llu old-contid=%llu pid=%d uid=%u auid=%u tty=%s ses=%u", > + task_tgid_nr(current), audit_get_contid(current), > + audit_get_contid(current), task_tgid_nr(current), uid, > + from_kuid(&init_user_ns, audit_get_loginuid(current)), > + tty ? tty_name(tty) : "(none)", > + audit_get_sessionid(current)); > + audit_put_tty(tty); > + audit_log_task_context(ab); > + audit_log_format(ab, " comm="); > + audit_log_untrustedstring(ab, get_task_comm(comm, current)); > + audit_log_d_path_exe(ab, current->mm); > + audit_log_format(ab, " res=1"); > + audit_log_end(ab); > +} Why can't we just do this in audit_cont_put()? Is it because we call audit_cont_put() in the new audit_free() function? What if we were to do it in __audit_free()/audit_free_syscall()? -- paul moore www.paul-moore.com
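Review bot: the "last task" test at the top of audit_log_container_drop() is racy: `refcount_read(...) > 1` samples the refcount before the matching put, so two tasks of the same container exiting concurrently can each observe a count of 2 and neither logs the drop, while the decision that actually matters (the count reaching zero) is made later by the decrement in audit_cont_put(). Consider emitting the record from the point where the count is decremented and found to be the last reference, rather than reading it here, which is also what the reply above asks about. Separately, the record emits `contid=%llu old-contid=%llu` from the same `audit_get_contid(current)` value and `opid=%d` / `pid=%d` both from `task_tgid_nr(current)`, so for op=drop the duplicated fields carry no information; either note in the commit message that both are kept for field consistency with the other AUDIT_CONTAINER_OP records or drop one of each.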