From: Richard Guy Briggs
To: Linux Containers List, Linux-Audit Mailing List, LKML
Cc: Neil Horman, Eric Paris, mpatel@redhat.com, Richard Guy Briggs
Subject: [PATCH ghau51/ghau40 v10 03/11] auditctl: add support for AUDIT_CONTID filter
Date: Mon, 21 Dec 2020 12:12:43 -0500
Message-Id: <20201221171251.2610890-4-rgb@redhat.com>
In-Reply-To: <20201221171251.2610890-1-rgb@redhat.com>
References: <20201221171251.2610890-1-rgb@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

A u64 container identifier has been added to the kernel view of tasks.
This allows container orchestrators to label tasks with a unique
tamperproof identifier that gets inherited by its children to be able to
track the provenance of actions by a container.

Add support to libaudit and auditctl for the AUDIT_CONTID field to
filter based on audit container identifier. This field is specified
with the "contid" field name on the command line.

Since it is a u64 and larger than any other numeric field, send it as a
string but do the appropriate conversions on each end in each direction.

See: https://github.com/linux-audit/audit-userspace/issues/40
See: https://github.com/linux-audit/audit-kernel/issues/91
See: https://github.com/linux-audit/audit-testsuite/issues/64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID

Signed-off-by: Richard Guy Briggs
---
 docs/auditctl.8        |  3 +++
 lib/fieldtab.h         |  1 +
 lib/libaudit.c         | 35 +++++++++++++++++++++++++++++++++++
 lib/libaudit.h         |  7 +++++++
 src/auditctl-listing.c | 21 +++++++++++++++++++++
 5 files changed, 67 insertions(+)

diff --git a/docs/auditctl.8 b/docs/auditctl.8
index 09ed2466c5d4..c6a1a62472fe 100644
--- a/docs/auditctl.8
+++ b/docs/auditctl.8
@@ -223,6 +223,9 @@ Address family number as found in /usr/include/bits/socket.h. For example, IPv4 .B sessionid User's login session ID .TP +.B contid +Process' audit container ID +.TP .B subj_user Program's SE Linux User .TP diff --git a/lib/fieldtab.h b/lib/fieldtab.h index b597cafb2df8..e0a49d0154bb 100644 --- a/lib/fieldtab.h +++ b/lib/fieldtab.h @@ -47,6 +47,7 @@ _S(AUDIT_OBJ_TYPE, "obj_type" ) _S(AUDIT_OBJ_LEV_LOW, "obj_lev_low" ) _S(AUDIT_OBJ_LEV_HIGH, "obj_lev_high" ) _S(AUDIT_SESSIONID, "sessionid" ) +_S(AUDIT_CONTID, "contid" ) _S(AUDIT_DEVMAJOR, "devmajor" ) _S(AUDIT_DEVMINOR, "devminor" ) diff --git a/lib/libaudit.c b/lib/libaudit.c index 2c7b16ccf44e..bcef9dc7a2cc 100644 --- a/lib/libaudit.c +++ b/lib/libaudit.c @@ -1779,6 +1779,41 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair, if (rule->values[rule->field_count] >= AF_MAX) return -EAU_FIELDVALTOOBIG; break; + case AUDIT_CONTID: { + unsigned long long val; + + if ((audit_get_features() & + AUDIT_FEATURE_BITMAP_CONTAINERID) == 0) + return -EAU_FIELDNOSUPPORT; + if (flags != AUDIT_FILTER_EXCLUDE && + flags != AUDIT_FILTER_USER && + flags != AUDIT_FILTER_EXIT) + return -EAU_FIELDNOFILTER; + if (isdigit((char)*(v))) + val = strtoull(v, NULL, 0); + else if (strlen(v) >= 2 && *(v) == '-' && + (isdigit((char)*(v+1)))) + val = strtoll(v, NULL, 0); + else if (strcmp(v, "unset") == 0) + val = ULLONG_MAX; + else + return -EAU_FIELDVALNUM; + if (errno) + return -EAU_FIELDVALNUM; + vlen = sizeof(unsigned long long); + rule->values[rule->field_count] = vlen; + offset = rule->buflen; + rule->buflen += vlen; + *rulep = realloc(rule, sizeof(*rule) + rule->buflen); + if (*rulep == NULL) { + free(rule); + audit_msg(LOG_ERR, "Cannot realloc memory!\n"); + return -3; + } + rule = *rulep; + *(unsigned long long *)(&rule->buf[offset]) = val; + break; + } case AUDIT_DEVMAJOR...AUDIT_INODE: case AUDIT_SUCCESS: if (flags != AUDIT_FILTER_EXIT) 
diff --git a/lib/libaudit.h b/lib/libaudit.h index 3b0b1e8d0d22..a252813d1f72 100644 --- a/lib/libaudit.h +++ b/lib/libaudit.h @@ -363,6 +363,9 @@ extern "C" { #ifndef AUDIT_FEATURE_BITMAP_FILTER_FS #define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040 #endif +#ifndef AUDIT_FEATURE_BITMAP_CONTAINERID +#define AUDIT_FEATURE_BITMAP_CONTAINERID 0x00000080 +#endif /* Defines for interfield comparison update */ #ifndef AUDIT_OBJ_UID @@ -389,6 +392,10 @@ extern "C" { #define AUDIT_FSTYPE 26 #endif +#ifndef AUDIT_CONTID +#define AUDIT_CONTID 27 +#endif + #ifndef AUDIT_COMPARE_UID_TO_OBJ_UID #define AUDIT_COMPARE_UID_TO_OBJ_UID 1 #endif diff --git a/src/auditctl-listing.c b/src/auditctl-listing.c index f43e10c1af1f..710327a2c3da 100644 --- a/src/auditctl-listing.c +++ b/src/auditctl-listing.c @@ -25,6 +25,7 @@ #include #include #include +#include #include "auditctl-listing.h" #include "private.h" #include "auditctl-llist.h" @@ -460,6 +461,26 @@ static void print_rule(const struct audit_rule_data *r) audit_operator_to_symbol(op), audit_fstype_to_name( r->values[i])); + } else if (field == AUDIT_CONTID) { + unsigned long long val; + + if (r->values[i] == sizeof(unsigned long long)) { + val = *(unsigned long long *)(&r->buf[boffset]); + + if (val != ULLONG_MAX) + printf(" -F %s%s%llu", name, + audit_operator_to_symbol(op), + val); + else + printf(" -F %s%s%s", name, + audit_operator_to_symbol(op), + "unset"); + } else { + printf(" -F %s%s%s", name, + audit_operator_to_symbol(op), + "inval"); + } + boffset += r->values[i]; } else { // The default is signed decimal printf(" -F %s%s%d", name, -- 2.18.4
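Review bot: the new contid entry in the docs/auditctl.8 hunk documents only the field name, while the lib/libaudit.c hunk accepts the literal "unset" and a leading-minus form as values and refuses the field on any filter other than exclude, user and exit; none of that reaches the man page. Suggest extending the entry along the lines of "Process' audit container ID. Accepts a numeric value or "unset"; valid only on the exit, user and exclude filters." so that the documented behaviour matches what auditctl enforces.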
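Review bot: in the lib/libaudit.c hunk, the store `*(unsigned long long *)(&rule->buf[offset]) = val;` writes 8 bytes at whatever offset the preceding variable-length string fields left in buf, so it can be unaligned; that is undefined behaviour in C and will fault on strict-alignment targets. Use `memcpy(&rule->buf[offset], &val, sizeof(val));` instead. Second, `if (errno)` is tested without errno having been zeroed beforehand, so a stale errno (for instance from the netlink exchange in audit_get_features() a few lines earlier) turns a valid value into -EAU_FIELDVALNUM, and the check also runs on the "unset" path where nothing was converted; set `errno = 0;` immediately before the strtoull/strtoll calls and test it only on those paths. Third, the negative branch stores the strtoll result in an unsigned long long, so "-1" silently becomes ULLONG_MAX and aliases "unset", and neither conversion passes an endptr, so trailing garbage such as "42abc" is accepted as 42; either reject negatives and trailing characters or state that the aliasing is intended. Minor: the `(char)` casts in the isdigit() calls should be `(unsigned char)`. Finally, the commit message says the value is sent "as a string", but the hunk writes the raw 8-byte integer into buf with values[] set to its size; the description and the wire encoding the kernel expects should agree.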
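Review bot: the fallback definitions in the lib/libaudit.h hunk, AUDIT_FEATURE_BITMAP_CONTAINERID 0x00000080 and AUDIT_CONTID 27, are wrapped in #ifndef, so whatever value a newer kernel UAPI header carries silently wins and a mismatch between these constants and the kernel series that introduces them would not be caught at build time. Suggest a comment beside each define naming the kernel series (the audit-kernel issue cited in the message) the values were taken from, so the next person updating the header can check them.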
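Review bot: in the src/auditctl-listing.c hunk, the added `#include` line has lost its header name in this rendering, and ULLONG_MAX is the only new symbol the hunk needs, so please confirm the include is the one that provides it. In print_rule, `val = *(unsigned long long *)(&r->buf[boffset]);` is the read-side counterpart of the unaligned store in libaudit.c (variable-length fields precede it in buf); `memcpy(&val, &r->buf[boffset], sizeof(val));` avoids the undefined behaviour. Also note that a rule added with contid=-1 lists back as contid=unset, since both store ULLONG_MAX; if that is intended it belongs in the man page. The "inval" fallback still advances boffset by the stored length, which keeps the following fields decodable, but a short comment saying so would help the next reader.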