From: Paul Moore
Date: Thu, 22 Oct 2020 21:21:31 -0400
Subject: Re: [PATCH ghak90 V9 05/13] audit: log container info of syscalls
To: Richard Guy Briggs
Cc: nhorman@tuxdriver.com, linux-api@vger.kernel.org, containers@lists.linux-foundation.org, LKML, dhowells@redhat.com, Linux-Audit Mailing List, netfilter-devel@vger.kernel.org, ebiederm@xmission.com, simo@redhat.com, netdev@vger.kernel.org, linux-fsdevel@vger.kernel.org, Eric Paris, mpatel@redhat.com, Serge Hallyn
In-Reply-To: <20201021163926.GA3929765@madcap2.tricolour.ca>
References: <6e2e10432e1400f747918eeb93bf45029de2aa6c.1593198710.git.rgb@redhat.com> <20200729194058.kcbsqjhzunjpipgm@madcap2.tricolour.ca> <20201002195231.GH2882171@madcap2.tricolour.ca> <20201021163926.GA3929765@madcap2.tricolour.ca>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Oct 21, 2020 at 12:39 PM Richard Guy Briggs wrote:
> Here is an example I was able to generate after updating the testsuite
> script to include a signalling example of a nested audit container
> identifier:
>
> ----
> type=PROCTITLE msg=audit(2020-10-21 10:31:16.655:6731) : proctitle=/usr/bin/perl -w containerid/test
> type=CONTAINER_ID msg=audit(2020-10-21 10:31:16.655:6731) : contid=7129731255799087104^3333941723245477888
> type=OBJ_PID msg=audit(2020-10-21 10:31:16.655:6731) : opid=115583 oauid=root ouid=root oses=1 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ocomm=perl
> type=CONTAINER_ID msg=audit(2020-10-21 10:31:16.655:6731) : contid=3333941723245477888
> type=OBJ_PID msg=audit(2020-10-21 10:31:16.655:6731) : opid=115580 oauid=root ouid=root oses=1 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ocomm=perl
> type=CONTAINER_ID msg=audit(2020-10-21 10:31:16.655:6731) : contid=8098399240850112512^3333941723245477888
> type=OBJ_PID msg=audit(2020-10-21 10:31:16.655:6731) : opid=115582 oauid=root ouid=root oses=1 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ocomm=perl
> type=SYSCALL msg=audit(2020-10-21 10:31:16.655:6731) : arch=x86_64 syscall=kill success=yes exit=0 a0=0xfffe3c84 a1=SIGTERM a2=0x4d524554 a3=0x0 items=0 ppid=115564 pid=115567 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=perl exe=/usr/bin/perl subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=testsuite-1603290671-AcLtUulY
> ----
>
> There are three CONTAINER_ID records which need some way of associating
> with OBJ_PID records. An additional CONTAINER_ID record would be present
> if the killing process itself had an audit container identifier. I think
> the most obvious way to connect them is with a pid= field in the
> CONTAINER_ID record.

Using a "pid=" field as a way to link CONTAINER_ID records to other
records raises a few questions. What happens if/when we need to
represent those PIDs in the context of a namespace? Are we ever going
to need to link to records which don't have a "pid=" field? I haven't
done the homework to know if either of these are a concern right now,
but I worry that this might become a problem in the future.

The idea of using something like "item=" is interesting. As you
mention, the "item=" field does present some overlap problems with the
PATH record, but perhaps we can do something similar. What if we added
a "record=" (or similar, I'm not worried about names at this point) to
each record, reset to 0/1 at the start of each event, and when we
needed to link records somehow we could add a "related=1,..,N" field.
This would potentially be useful beyond just the audit container ID
work.

-- 
paul moore
www.paul-moore.com
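The linking problem Richard and Paul are discussing, worked through on Richard's event as an added example (this is not code from the audit patch set, from auditd, or from either poster). The parser groups records into events by serial number, then associates each CONTAINER_ID record with an OBJ_PID record two ways: by record adjacency, which is all a log consumer can do with the output as posted, and by an explicit `pid=` field on the CONTAINER_ID record, which is Richard's proposal and is assumed here, not emitted by any shipped kernel. The second event is constructed from the first to carry that field plus one extra CONTAINER_ID for the killing process (contid 4242424242424242424 is a made-up value), the case Richard notes would leave a CONTAINER_ID with no OBJ_PID of its own.

```python
"""Associate CONTAINER_ID records with OBJ_PID records within one audit event.

Added example; not code from the audit patch set or auditd.  SAMPLE_EVENT is
the event posted in the thread.  The pid= field on CONTAINER_ID records is the
hypothetical proposal under discussion, so the second event is constructed.
"""
import re
from collections import defaultdict

# ausearch -i style output, one record per line, as posted in the thread.
SAMPLE_EVENT = """\
type=PROCTITLE msg=audit(2020-10-21 10:31:16.655:6731) : proctitle=/usr/bin/perl -w containerid/test
type=CONTAINER_ID msg=audit(2020-10-21 10:31:16.655:6731) : contid=7129731255799087104^3333941723245477888
type=OBJ_PID msg=audit(2020-10-21 10:31:16.655:6731) : opid=115583 oauid=root ouid=root oses=1 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ocomm=perl
type=CONTAINER_ID msg=audit(2020-10-21 10:31:16.655:6731) : contid=3333941723245477888
type=OBJ_PID msg=audit(2020-10-21 10:31:16.655:6731) : opid=115580 oauid=root ouid=root oses=1 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ocomm=perl
type=CONTAINER_ID msg=audit(2020-10-21 10:31:16.655:6731) : contid=8098399240850112512^3333941723245477888
type=OBJ_PID msg=audit(2020-10-21 10:31:16.655:6731) : opid=115582 oauid=root ouid=root oses=1 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ocomm=perl
type=SYSCALL msg=audit(2020-10-21 10:31:16.655:6731) : arch=x86_64 syscall=kill success=yes exit=0 a0=0xfffe3c84 a1=SIGTERM a2=0x4d524554 a3=0x0 items=0 ppid=115564 pid=115567 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=perl exe=/usr/bin/perl subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=testsuite-1603290671-AcLtUulY
"""

# type=<TYPE> msg=audit(<date> <hh:mm:ss.ms>:<serial>) : <fields>
RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<stamp>[^:]+:[^:]+:[^:]+):(?P<serial>\d+)\) : (?P<rest>.*)$"
)


def parse_fields(text):
    """Split 'k=v k=v ...'. A token without '=' continues the previous value
    (proctitle= is printed with embedded spaces by ausearch -i)."""
    fields, key = {}, None
    for token in text.split(" "):
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
        elif key is not None:
            fields[key] += " " + token
    return fields


def parse_record(line):
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "serial": int(m["serial"]), "stamp": m["stamp"]}
    rec.update(parse_fields(m["rest"]))
    return rec


def group_events(text):
    """Records sharing a serial number form one event; record order is kept."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return dict(events)


def link_by_adjacency(records):
    """What a consumer can do today: assume a CONTAINER_ID record describes the
    OBJ_PID record right after it. A CONTAINER_ID not followed by OBJ_PID (e.g.
    the killing process's own container id) gets opid=None instead of being
    silently attached to the wrong record. contid is split on '^' into the
    nesting chain as printed."""
    links = []
    for i, rec in enumerate(records):
        if rec["type"] != "CONTAINER_ID":
            continue
        nxt = records[i + 1] if i + 1 < len(records) else None
        opid = int(nxt["opid"]) if nxt and nxt["type"] == "OBJ_PID" else None
        links.append((rec["contid"].split("^"), opid))
    return links


def link_by_pid(records):
    """Richard's proposal (hypothetical pid= field on CONTAINER_ID): match on
    the field, independent of record order; unmatched pids yield None."""
    by_opid = {int(r["opid"]): r for r in records if r["type"] == "OBJ_PID"}
    links = []
    for rec in records:
        if rec["type"] != "CONTAINER_ID":
            continue
        pid = int(rec["pid"]) if "pid" in rec else None
        links.append((rec["contid"].split("^"), pid if pid in by_opid else None))
    return links


def with_pid_field(records, killer_contid):
    """Constructed variant: add pid= to each CONTAINER_ID (taken from the
    following OBJ_PID) and insert one CONTAINER_ID for the killing process,
    carrying the SYSCALL record's pid and a constructed contid."""
    out = []
    for i, rec in enumerate(records):
        rec = dict(rec)
        if rec["type"] == "CONTAINER_ID" and i + 1 < len(records) \
                and records[i + 1]["type"] == "OBJ_PID":
            rec["pid"] = records[i + 1]["opid"]
        out.append(rec)
    sc = next(r for r in records if r["type"] == "SYSCALL")
    out.insert(1, {"type": "CONTAINER_ID", "serial": sc["serial"],
                   "stamp": sc["stamp"], "contid": killer_contid, "pid": sc["pid"]})
    return out


if __name__ == "__main__":
    for serial, recs in group_events(SAMPLE_EVENT).items():
        print(f"event {serial}: {[r['type'] for r in recs]}")
        for chain, opid in link_by_adjacency(recs):
            print(f"  contid {'^'.join(chain)} -> opid {opid}")
```

Adjacency works on the posted event only because the kernel happened to emit each CONTAINER_ID immediately before its OBJ_PID; once a fourth, unpaired CONTAINER_ID appears, or once records are reordered or dropped, an explicit link field (whether `pid=` or Paul's `record=`/`related=` indices) is what lets a consumer resolve the association without guessing.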