From: Richard Guy Briggs
To: containers@lists.linux-foundation.org, Linux-Audit Mailing List, LKML
Cc: eparis@parisplace.org, Steve Grubb, omosnace@redhat.com, Paul Moore, nhorman@redhat.com, dwalsh@redhat.com, mpatel@redhat.com, Richard Guy Briggs
Subject: [PATCH ghau51/ghau40 v9 03/11] auditctl: add support for AUDIT_CONTID filter
Date: Sat, 27 Jun 2020 11:18:03 -0400
Message-Id: <1593271091-30188-4-git-send-email-rgb@redhat.com>
In-Reply-To: <1593271091-30188-1-git-send-email-rgb@redhat.com>
References: <1593271091-30188-1-git-send-email-rgb@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

A u64 container identifier has been added to the kernel view of tasks.
This allows container orchestrators to label tasks with a unique
tamperproof identifier that gets inherited by its children to be able to
track the provenance of actions by a container.

Add support to libaudit and auditctl for the AUDIT_CONTID field to filter
based on audit container identifier. This field is specified with the
"contid" field name on the command line. Since it is a u64 and larger
than any other numeric field, send it as a string but do the appropriate
conversions on each end in each direction.

See: https://github.com/linux-audit/audit-userspace/issues/40
See: https://github.com/linux-audit/audit-kernel/issues/91
See: https://github.com/linux-audit/audit-testsuite/issues/64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID

Signed-off-by: Richard Guy Briggs
---
 docs/auditctl.8        |  3 +++
 lib/fieldtab.h         |  1 +
 lib/libaudit.c         | 35 +++++++++++++++++++++++++++++++++++
 lib/libaudit.h         |  7 +++++++
 src/auditctl-listing.c | 21 +++++++++++++++++++++
 5 files changed, 67 insertions(+)
diff --git a/docs/auditctl.8 b/docs/auditctl.8 index 6606077c2c44..daed435f03af 100644 --- a/docs/auditctl.8 +++ b/docs/auditctl.8 @@ -216,6 +216,9 @@ Address family number as found in /usr/include/bits/socket.h. For example, IPv4 .B sessionid User's login session ID .TP +.B contid +Process' audit container ID +.TP .B subj_user Program's SE Linux User .TP diff --git a/lib/fieldtab.h b/lib/fieldtab.h index b597cafb2df8..e0a49d0154bb 100644 --- a/lib/fieldtab.h +++ b/lib/fieldtab.h @@ -47,6 +47,7 @@ _S(AUDIT_OBJ_TYPE, "obj_type" ) _S(AUDIT_OBJ_LEV_LOW, "obj_lev_low" ) _S(AUDIT_OBJ_LEV_HIGH, "obj_lev_high" ) _S(AUDIT_SESSIONID, "sessionid" ) +_S(AUDIT_CONTID, "contid" ) _S(AUDIT_DEVMAJOR, "devmajor" ) _S(AUDIT_DEVMINOR, "devminor" ) diff --git a/lib/libaudit.c b/lib/libaudit.c index 864821e5e615..2e7b18a70eb8 100644 --- a/lib/libaudit.c +++ b/lib/libaudit.c 
@@ -1763,6 +1763,41 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair, if (rule->values[rule->field_count] >= AF_MAX) return -EAU_FIELDVALTOOBIG; break; + case AUDIT_CONTID: { + unsigned long long val; + + if ((audit_get_features() & + AUDIT_FEATURE_BITMAP_CONTAINERID) == 0) + return -EAU_FIELDNOSUPPORT; + if (flags != AUDIT_FILTER_EXCLUDE && + flags != AUDIT_FILTER_USER && + flags != AUDIT_FILTER_EXIT) + return -EAU_FIELDNOFILTER; + if (isdigit((char)*(v))) + val = strtoull(v, NULL, 0); + else if (strlen(v) >= 2 && *(v) == '-' && + (isdigit((char)*(v+1)))) + val = strtoll(v, NULL, 0); + else if (strcmp(v, "unset") == 0) + val = ULLONG_MAX; + else + return -EAU_FIELDVALNUM; + if (errno) + return -EAU_FIELDVALNUM; + vlen = sizeof(unsigned long long); + rule->values[rule->field_count] = vlen; + offset = rule->buflen; + rule->buflen += vlen; + *rulep = realloc(rule, sizeof(*rule) + rule->buflen); + if (*rulep == NULL) { + free(rule); + audit_msg(LOG_ERR, "Cannot realloc memory!\n"); + return -3; + } + rule = *rulep; + *(unsigned long long *)(&rule->buf[offset]) = val; + break; + } case AUDIT_DEVMAJOR...AUDIT_INODE: case AUDIT_SUCCESS: if (flags != AUDIT_FILTER_EXIT) diff --git a/lib/libaudit.h b/lib/libaudit.h index 9c2f6d4248b0..a249463a0888 100644 --- a/lib/libaudit.h +++ b/lib/libaudit.h @@ -362,6 +362,9 @@ extern "C" { #ifndef AUDIT_FEATURE_BITMAP_FILTER_FS #define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040 #endif +#ifndef AUDIT_FEATURE_BITMAP_CONTAINERID +#define AUDIT_FEATURE_BITMAP_CONTAINERID 0x00000080 +#endif /* Defines for interfield comparison update */ #ifndef AUDIT_OBJ_UID @@ -388,6 +391,10 @@ extern "C" { #define AUDIT_FSTYPE 26 #endif +#ifndef AUDIT_CONTID +#define AUDIT_CONTID 27 +#endif + #ifndef AUDIT_COMPARE_UID_TO_OBJ_UID #define AUDIT_COMPARE_UID_TO_OBJ_UID 1 #endif diff --git a/src/auditctl-listing.c b/src/auditctl-listing.c index 6eb3b56bbc79..652867eb2c49 100644 --- a/src/auditctl-listing.c 
+++ b/src/auditctl-listing.c @@ -25,6 +25,7 @@ #include #include #include +#include #include "auditctl-listing.h" #include "private.h" #include "auditctl-llist.h" @@ -460,6 +461,26 @@ static void print_rule(const struct audit_rule_data *r) audit_operator_to_symbol(op), audit_fstype_to_name( r->values[i])); + } else if (field == AUDIT_CONTID) { + unsigned long long val; + + if (r->values[i] == sizeof(unsigned long long)) { + val = *(unsigned long long *)(&r->buf[boffset]); + + if (val != ULLONG_MAX) + printf(" -F %s%s%llu", name, + audit_operator_to_symbol(op), + val); + else + printf(" -F %s%s%s", name, + audit_operator_to_symbol(op), + "unset"); + } else { + printf(" -F %s%s%s", name, + audit_operator_to_symbol(op), + "inval"); + } + boffset += r->values[i]; } else { // The default is signed decimal printf(" -F %s%s%d", name, -- 1.8.3.1
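Review bot: the man page entry in the docs/auditctl.8 hunk documents less than the parser in the lib/libaudit.c hunk accepts: it does not say that the value may be the literal "unset", nor that contid is only accepted on the exit, user and exclude filter lists (the libaudit.c code returns -EAU_FIELDNOFILTER for any other list). Suggest something like:
.B contid
Process's audit container ID. May also be the literal "unset". Valid only on the exit, user and exclude lists.
The neighbouring entries ("User's login session ID", "Program's SE Linux User") use the possessive with 's, so "Process's" would match them better than "Process'".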
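Review bot: in the lib/libaudit.c hunk the `if (errno)` test after the conversion runs without `errno = 0` having been set first, so a stale errno left by any earlier library call rejects a valid contid with -EAU_FIELDVALNUM, while a clean errno lets "123abc" through because the endptr argument to strtoull()/strtoll() is NULL. Suggest
errno = 0;
val = strtoull(v, &end, 0);
if (errno || *end != '\0') return -EAU_FIELDVALNUM;
with the same treatment for the strtoll() branch. Two smaller points in the same hunk: `*(unsigned long long *)(&rule->buf[offset]) = val;` writes 8 bytes at whatever offset earlier string-valued fields left in buf, so the store can be misaligned; memcpy(&rule->buf[offset], &val, sizeof(val)) is the portable form. And the leading-'-' branch converts with strtoll() but assigns into an unsigned long long, so "-1" silently becomes ULLONG_MAX, i.e. the same as "unset"; if a negative literal is meant to be an alias for unset the commit message should say so, otherwise reject it. The isdigit((char)...) casts should be (unsigned char) so bytes above 0x7f are not passed as negative values.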
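Review bot: the two lib/libaudit.h hunks add AUDIT_FEATURE_BITMAP_CONTAINERID (0x00000080) and AUDIT_CONTID (27) as #ifndef fallbacks, so whatever the installed linux/audit.h defines wins silently; since the commit message ties these numbers to a kernel-side change tracked through the audit-kernel issue and RFE wiki links, a one-line comment next to each define naming the kernel series the values were taken from would make clear what has to be re-verified if that series lands with different numbers.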
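Review bot: the print_rule() hunk in src/auditctl-listing.c reads the value with the same pointer cast as the libaudit.c side, `val = *(unsigned long long *)(&r->buf[boffset]);`, where boffset is the running offset past earlier string fields, so the 8-byte load can be misaligned; memcpy(&val, &r->buf[boffset], sizeof(val)) is the safe form. Also, printing `-F contid=inval` on a length mismatch produces a line that looks like a rule but cannot be fed back to auditctl; since the only way to reach it is a kernel/library disagreement about the field's encoding, a diagnostic on stderr (or at least a comment saying the token is intentionally unparseable) would be clearer than the bare "inval".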
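As an added example, not part of this patch or of the audit-userspace code base, the contid value handling the commit message describes, carried end to end in C: parsing the command-line operand with an errno reset and an end-pointer check so that overflow and trailing junk are rejected, an alignment-safe 8-byte store into a rule buffer at an odd offset, and the listing-side decode back to "unset" or a decimal value. The function names (parse_contid, pack_contid, unpack_contid, format_contid, contid_roundtrip), the CONTID_UNSET macro and the sample operands are constructed for illustration; the treatment of a leading '-' mirrors the patch, so "-1" comes back as unset.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical name; the patch encodes "unset" as all-ones the same way. */
#define CONTID_UNSET ULLONG_MAX

/*
 * Parse a "-F contid=VALUE" operand.  Accepts what the patch accepts
 * (digits with base auto-detection, a leading '-', or the literal
 * "unset") and returns 0 on success or -1 on a malformed value.
 * errno is reset before the conversion and the end pointer is checked,
 * so "123abc" and out-of-range values are rejected.
 */
int parse_contid(const char *v, unsigned long long *out)
{
    char *end;
    unsigned long long val;

    if (v == NULL || *v == '\0')
        return -1;
    if (strcmp(v, "unset") == 0) {
        *out = CONTID_UNSET;
        return 0;
    }
    if (v[0] == '-') {
        if (!isdigit((unsigned char)v[1]))
            return -1;
        errno = 0;
        /* Mirrors the patch: a negative literal goes through strtoll()
         * and is stored into the u64, so "-1" aliases CONTID_UNSET. */
        val = (unsigned long long)strtoll(v, &end, 0);
    } else {
        if (!isdigit((unsigned char)v[0]))
            return -1;
        errno = 0;
        val = strtoull(v, &end, 0);
    }
    if (errno != 0 || *end != '\0')
        return -1;      /* ERANGE, or trailing junk after the number */
    *out = val;
    return 0;
}

/* Store/load the 8-byte value at an arbitrary (possibly unaligned)
 * offset of a rule buffer with memcpy instead of a pointer cast. */
void pack_contid(unsigned char *buf, size_t offset, unsigned long long val)
{
    memcpy(buf + offset, &val, sizeof val);
}

unsigned long long unpack_contid(const unsigned char *buf, size_t offset)
{
    unsigned long long val;
    memcpy(&val, buf + offset, sizeof val);
    return val;
}

/* Render the field the way a rule listing would show it. */
int format_contid(unsigned long long val, char *out, size_t outlen)
{
    if (val == CONTID_UNSET)
        return snprintf(out, outlen, "-F contid=unset");
    return snprintf(out, outlen, "-F contid=%llu", val);
}

/* Full round trip: operand text -> u64 -> rule buffer -> u64 -> listing.
 * Returns 0 and fills `listing` on success, -1 if the value is rejected. */
int contid_roundtrip(const char *text, char *listing, size_t len)
{
    unsigned char buf[32] = {0};   /* constructed stand-in for rule->buf */
    size_t offset = 3;             /* deliberately unaligned, as after a short string field */
    unsigned long long val;

    if (parse_contid(text, &val) != 0)
        return -1;
    pack_contid(buf, offset, val);
    format_contid(unpack_contid(buf, offset), listing, len);
    return 0;
}

int main(void)
{
    /* Constructed sample operands; the last two must be rejected. */
    const char *samples[] = { "1234", "0x10", "unset", "-1",
                              "123abc", "99999999999999999999" };
    char line[64];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (contid_roundtrip(samples[i], line, sizeof line) == 0)
            printf("%-22s -> %s\n", samples[i], line);
        else
            printf("%-22s -> rejected\n", samples[i]);
    }
    return 0;
}
```

The two rejected samples are exactly the cases a NULL endptr and an unreset errno would let through or misreport; everything else survives the store at an odd buffer offset and lists back in a form that can be fed to auditctl again.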