Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp3835077ybt; Sun, 5 Jul 2020 08:11:52 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxz++LdXWUkWvOf5U9gfIZTG+eUmZjFRQcX5+0wRmdfsRgauiBYocyYY/EXfyg5/n8Y8JD3 X-Received: by 2002:aa7:d2d2:: with SMTP id k18mr49488007edr.16.1593961912506; Sun, 05 Jul 2020 08:11:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1593961912; cv=none; d=google.com; s=arc-20160816; b=hPt4PtjB4Beg80BzYN3X6AGQcctcxOATziLp8XdsMVePoehP5zMWdbWU/kUH+hhrli WucrR3+F/nvoh+4GcDZUNR26y3fg04moqFl+1poOiecTYdDxEerQDP4XDlFBy8xLamGl 7U6l06JaW9ChqSOPWWuACfOr2rZrvczRXFx8plC7kK92ISkjuJMzLRgwjI3/YZ2y4i/m tWZf7C8Q2eg0w9hRJuvECoONkgdGH8zalCE0l4jNvd6zddXMTWDo+3U4YNJRsT0dGtmb rxe0xmNSK56KL9cc87RfXgrUkE4PvFVJxV69f0f3hllbtJGH+opqrneBHwSt7tSsUux+ hN8A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=K1GlTWNj6PD7+zx4y3mMqpOJYFliIY0lpaJ9WmnrGsw=; b=f3KIUPp2IfDn2BykTC9zqGIACImw77wCBelwHuDPTZywZQ1GBoM7AkPSowwOABlb5i nL47Vcwv5bjU04dn5g1IUPggwVF1i/tJyLmqHnG40Ud0QTTI2n6a6GTKiPl4254eq8mp +Aakbovt9UJvaTTzt2F5ck3gI/NQv4z/B+R7rrrGUi82hkWjp4N4zrxq6+OV2tv6Jedx HsWYbE5GjfAINfGgCVFga0o7MspYYm6fphukSrT597FnvTxjr1LRDbZ9iz41BBot8cpE JB1scTZ6lhikJFl3Y/So8S7Wlc5IYvGiOgm86BKcXf2Xjwhusyu0AK6MfjeE0DBlLrZW H5BQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=TVETbdaA; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id bd16si11107110edb.20.2020.07.05.08.11.29; Sun, 05 Jul 2020 08:11:52 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=TVETbdaA; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727901AbgGEPKw (ORCPT + 99 others); Sun, 5 Jul 2020 11:10:52 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39098 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727114AbgGEPKv (ORCPT ); Sun, 5 Jul 2020 11:10:51 -0400 Received: from mail-ed1-x543.google.com (mail-ed1-x543.google.com [IPv6:2a00:1450:4864:20::543]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2C3B2C08C5DF for ; Sun, 5 Jul 2020 08:10:51 -0700 (PDT) Received: by mail-ed1-x543.google.com with SMTP id d18so26711356edv.6 for ; Sun, 05 Jul 2020 08:10:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=K1GlTWNj6PD7+zx4y3mMqpOJYFliIY0lpaJ9WmnrGsw=; b=TVETbdaAOuRO/jDxFj8DAvTi4hMrVVAbSwyctoP3jVXrzXh1bKEs45zZ1NEwfjHvwC UEx5ozOrG2hv594Z/YGdDPvxx0meRti7o88iXNnyvDq1UY0c749JNlHAxSyfiAZ23/wE /W2cFS8vmpT4joFagloB04C/hRBd6uqj57qzbxByKuMner1Wxk6V+snE08RaMl18Hk9E wL8obwq7ZGvHJcsgoQ5r5pfMFryIvQPDBD8Y335DeqXQuRh3M7tzDCgo/VLtblvRjCZg Y4ych2Z4P7RklJRXwWCUyyyN+2VWAPigZaKS7h/7Ihcy7zVtQbUBvhqezmjiX1U+6sBS s4+A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=K1GlTWNj6PD7+zx4y3mMqpOJYFliIY0lpaJ9WmnrGsw=; b=d5pUtqTo8C5e9TbAgkcBaBTM7qNnwOGJ3/EDsXydgPL564eL4NtmRHBicvpq+E0vDN MG9imrbYKJGPIstrDGlLkk3FX3hHttTaoGmsYU0og1sOFrWztSjsSF8OFNHtEpgFwlYR Wty3YGeDPyGLitsi2IJ+KRu44sQ2lzTxh5pAnN1FlMJ73a42BN8BUcG6pHylSbCuXCwU hG3vSml4L5/BrH9jpi1f9bbFsFydkAsSwuQw6O+DpJnr6T+H2aNmpYYcQs5LQg4IELpL 3N4LrOEzADPL6QmJL2RDD8oCMUBKFvExOIMrlP20zzrEokKXnrfnMPIYYkcwkOlaOWtq Kh3g== X-Gm-Message-State: AOAM5307IBkItZbiltk4WiKo1n6rCZu7MfcvCuntXvTtWNvWP3m0UjTr PatFBlxWJ8h95GNKQbxXlB6khVtKrdxKuSKhvfgM X-Received: by 2002:aa7:cd52:: with SMTP id v18mr48740451edw.196.1593961849836; Sun, 05 Jul 2020 08:10:49 -0700 (PDT) MIME-Version: 1.0 References: <6e2e10432e1400f747918eeb93bf45029de2aa6c.1593198710.git.rgb@redhat.com> In-Reply-To: <6e2e10432e1400f747918eeb93bf45029de2aa6c.1593198710.git.rgb@redhat.com> From: Paul Moore Date: Sun, 5 Jul 2020 11:10:38 -0400 Message-ID: Subject: Re: [PATCH ghak90 V9 05/13] audit: log container info of syscalls To: Richard Guy Briggs Cc: containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List , linux-fsdevel@vger.kernel.org, LKML , netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, sgrubb@redhat.com, Ondrej Mosnacek , dhowells@redhat.com, simo@redhat.com, Eric Paris , Serge Hallyn , ebiederm@xmission.com, nhorman@tuxdriver.com, Dan Walsh , mpatel@redhat.com Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Jun 27, 2020 at 9:22 AM Richard Guy Briggs wrote: > > Create a new audit record AUDIT_CONTAINER_ID to document the audit > container identifier of a process if it is present. > > Called from audit_log_exit(), syscalls are covered. > > Include target_cid references from ptrace and signal. > > A sample raw event: > type=3DSYSCALL msg=3Daudit(1519924845.499:257): arch=3Dc000003e syscall= =3D257 success=3Dyes exit=3D3 a0=3Dffffff9c a1=3D56374e1cef30 a2=3D241 a3= =3D1b6 items=3D2 ppid=3D606 pid=3D635 auid=3D0 uid=3D0 gid=3D0 euid=3D0 sui= d=3D0 fsuid=3D0 egid=3D0 sgid=3D0 fsgid=3D0 tty=3Dpts0 ses=3D3 comm=3D"bash= " exe=3D"/usr/bin/bash" subj=3Dunconfined_u:unconfined_r:unconfined_t:s0-s0= :c0.c1023 key=3D"tmpcontainerid" > type=3DCWD msg=3Daudit(1519924845.499:257): cwd=3D"/root" > type=3DPATH msg=3Daudit(1519924845.499:257): item=3D0 name=3D"/tmp/" inod= e=3D13863 dev=3D00:27 mode=3D041777 ouid=3D0 ogid=3D0 rdev=3D00:00 obj=3Dsy= stem_u:object_r:tmp_t:s0 nametype=3D PARENT cap_fp=3D0 cap_fi=3D0 cap_fe=3D= 0 cap_fver=3D0 > type=3DPATH msg=3Daudit(1519924845.499:257): item=3D1 name=3D"/tmp/tmpcon= tainerid" inode=3D17729 dev=3D00:27 mode=3D0100644 ouid=3D0 ogid=3D0 rdev= =3D00:00 obj=3Dunconfined_u:object_r:user_tmp_t:s0 nametype=3DCREATE cap_fp= =3D0 cap_fi=3D0 cap_fe=3D0 cap_fver=3D0 > type=3DPROCTITLE msg=3Daudit(1519924845.499:257): proctitle=3D62617368002= D6300736C65657020313B206563686F2074657374203E202F746D702F746D70636F6E746169= 6E65726964 > type=3DCONTAINER_ID msg=3Daudit(1519924845.499:257): contid=3D123458 > > Please see the github audit kernel issue for the main feature: > https://github.com/linux-audit/audit-kernel/issues/90 > Please see the github audit userspace issue for supporting additions: > https://github.com/linux-audit/audit-userspace/issues/51 > Please see the github audit testsuiite issue for the test case: > https://github.com/linux-audit/audit-testsuite/issues/64 > Please see the github audit wiki for the feature overview: > https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID > Signed-off-by: Richard Guy Briggs > Acked-by: Serge Hallyn > Acked-by: Steve Grubb > Acked-by: Neil Horman > Reviewed-by: Ondrej Mosnacek > --- > include/linux/audit.h | 7 +++++++ > include/uapi/linux/audit.h | 1 + > kernel/audit.c | 25 +++++++++++++++++++++++-- > kernel/audit.h | 4 ++++ > kernel/auditsc.c | 45 +++++++++++++++++++++++++++++++++++++++-= ----- > 5 files changed, 74 insertions(+), 8 deletions(-) ... > diff --git a/kernel/audit.c b/kernel/audit.c > index 9e0b38ce1ead..a09f8f661234 100644 > --- a/kernel/audit.c > +++ b/kernel/audit.c > @@ -2211,6 +2211,27 @@ void audit_log_session_info(struct audit_buffer *a= b) > audit_log_format(ab, "auid=3D%u ses=3D%u", auid, sessionid); > } > > +/* > + * audit_log_container_id - report container info > + * @context: task or local context for record > + * @cont: container object to report > + */ > +void audit_log_container_id(struct audit_context *context, > + struct audit_contobj *cont) > +{ > + struct audit_buffer *ab; > + > + if (!cont) > + return; > + /* Generate AUDIT_CONTAINER_ID record with container ID */ > + ab =3D audit_log_start(context, GFP_KERNEL, AUDIT_CONTAINER_ID); > + if (!ab) > + return; > + audit_log_format(ab, "contid=3D%llu", contid); Did this patch compile? Where is "contid" coming from? I'm guessing you mean to get it from "cont", but that isn't what appears to be happening; likely a casualty of the object vs token discussion we had during the last review cycle. I'm assuming this code gets modified later in this patchset and you only compiled tested the patchset as a whole. Please make sure the patchset compiles at each patch along the way to applying them all; this helps ensure that git bisect remains useful and it fits better with the general idea that individual patches must have merit on their own. ... and yes, I do check for this when merging patchsets, it isn't just a visual inspection, I compile test each patch. If nothing else, at least this answers the question of if it is worth respinning or not (this alone requires a respin). > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index f03d3eb0752c..9e79645e5c0e 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -1458,6 +1466,7 @@ static void audit_log_exit(void) > struct audit_buffer *ab; > struct audit_aux_data *aux; > struct audit_names *n; > + struct audit_contobj *cont; > > context->personality =3D current->personality; > > @@ -1541,7 +1550,7 @@ static void audit_log_exit(void) > for (aux =3D context->aux_pids; aux; aux =3D aux->next) { > struct audit_aux_data_pids *axs =3D (void *)aux; > > - for (i =3D 0; i < axs->pid_count; i++) > + for (i =3D 0; i < axs->pid_count; i++) { > if (audit_log_pid_context(context, axs->target_pi= d[i], > axs->target_auid[i], > axs->target_uid[i], > @@ -1549,14 +1558,20 @@ static void audit_log_exit(void) > axs->target_sid[i], > axs->target_comm[i])) > call_panic =3D 1; > + audit_log_container_id(context, axs->target_cid[i= ]); > + } It might be nice to see an audit event example including the ptrace/signal information. I'm concerned there may be some confusion about associating the different audit container IDs with the correct information in the event. > } > > - if (context->target_pid && > - audit_log_pid_context(context, context->target_pid, > - context->target_auid, context->target_u= id, > - context->target_sessionid, > - context->target_sid, context->target_co= mm)) > + if (context->target_pid) { > + if (audit_log_pid_context(context, context->target_pid, > + context->target_auid, > + context->target_uid, > + context->target_sessionid, > + context->target_sid, > + context->target_comm)) > call_panic =3D 1; > + audit_log_container_id(context, context->target_cid); > + } > > if (context->pwd.dentry && context->pwd.mnt) { > ab =3D audit_log_start(context, GFP_KERNEL, AUDIT_CWD); > @@ -1575,6 +1590,14 @@ static void audit_log_exit(void) > > audit_log_proctitle(); > > + rcu_read_lock(); > + cont =3D _audit_contobj_get(current); > + rcu_read_unlock(); > + audit_log_container_id(context, cont); > + rcu_read_lock(); > + _audit_contobj_put(cont); > + rcu_read_unlock(); Do we need to grab an additional reference for the audit container object here? We don't create any additional references here that persist beyond the lifetime of this function, right? > audit_log_container_drop(); > > /* Send end of event record to help user space know we are finish= ed */ -- paul moore www.paul-moore.com