From: Richard Guy Briggs
To: containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List, linux-fsdevel@vger.kernel.org, LKML, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org
Cc: Paul Moore, sgrubb@redhat.com, omosnace@redhat.com, dhowells@redhat.com, simo@redhat.com, eparis@parisplace.org, serge@hallyn.com, ebiederm@xmission.com, nhorman@tuxdriver.com, dwalsh@redhat.com, mpatel@redhat.com, Richard Guy Briggs
Subject: [PATCH ghak90 V9 04/13] audit: log drop of contid on exit of last task
Date: Sat, 27 Jun 2020 09:20:37 -0400
X-Mailing-List: linux-kernel@vger.kernel.org

Since we are tracking the life of each audit container identifier, we can match the creation event with the destruction event. Log the destruction of the audit container identifier when the last process in that container exits.

Signed-off-by: Richard Guy Briggs
---
 kernel/audit.c   | 20 ++++++++++++++++++++
 kernel/audit.h   |  2 ++
 kernel/auditsc.c |  2 ++
 3 files changed, 24 insertions(+)

diff --git a/kernel/audit.c b/kernel/audit.c index 6d387793f702..9e0b38ce1ead 100644 --- a/kernel/audit.c +++ b/kernel/audit.c 
@@ -2558,6 +2558,26 @@ int audit_set_contid(struct task_struct *task, u64 contid) return rc; } +void audit_log_container_drop(void) +{ + struct audit_buffer *ab; + struct audit_contobj *cont; + + rcu_read_lock(); + cont = _audit_contobj_get(current); + _audit_contobj_put(cont); + if (!cont || refcount_read(&cont->refcount) > 1) + goto out; + ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_CONTAINER_OP); + if (!ab) + goto out; + audit_log_format(ab, "op=drop opid=%d contid=%llu old-contid=%llu", + task_tgid_nr(current), cont->id, cont->id); + audit_log_end(ab); +out: + rcu_read_unlock(); +} + /** * audit_log_end - end one audit record * @ab: the audit_buffer diff --git a/kernel/audit.h b/kernel/audit.h index 182fc76ea276..d07093903008 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -254,6 +254,8 @@ extern void audit_log_d_path_exe(struct audit_buffer *ab, extern struct tty_struct *audit_get_tty(void); extern void audit_put_tty(struct tty_struct *tty); +extern void audit_log_container_drop(void); + /* audit watch/mark/tree functions */ #ifdef CONFIG_AUDITSYSCALL extern unsigned int audit_serial(void); diff --git a/kernel/auditsc.c b/kernel/auditsc.c index f00c1da587ea..f03d3eb0752c 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1575,6 +1575,8 @@ static void audit_log_exit(void) audit_log_proctitle(); + audit_log_container_drop(); + /* Send end of event record to help user space know we are finished */ ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE); if (ab) -- 1.8.3.1
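Review bot: In audit_log_container_drop() (kernel/audit.c hunk), audit_log_start() is called with GFP_KERNEL between rcu_read_lock() and rcu_read_unlock(); a GFP_KERNEL allocation may sleep, which is not allowed inside an RCU read-side critical section. Either pass GFP_ATOMIC, or read cont->id and make the refcount decision under the lock, unlock, and only then allocate and log. Two smaller points in the same function: cont is dereferenced (refcount_read(&cont->refcount), cont->id) after _audit_contobj_put(cont), so a comment stating which reference keeps the object alive at that point would help, and the record prints cont->id for both contid= and old-contid=, which leaves a log consumer unable to distinguish the two fields on op=drop.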
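Review bot: In the kernel/auditsc.c hunk, audit_log_container_drop() is called unconditionally from audit_log_exit(), and the only gate visible in the new function is the refcount_read(&cont->refcount) > 1 test, so nothing in these lines ties the record to the task actually exiting. If audit_log_exit() is reached on paths other than task exit, a container holding a single task would emit op=drop on each of them while the container is still alive, which breaks the create/drop pairing the commit message relies on. Suggest gating the call on the exit path explicitly, or documenting at the call site why audit_log_exit() is only reached here when the task is going away.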