[ghak90,V7,16/21] audit: add support for contid set/get by netlink

Submitted by Richard Guy Briggs on Sept. 19, 2019, 1:22 a.m.

Details

Message ID ea4e8352fd1671f91d1b015a15abee785ea17136.1568834525.git.rgb@redhat.com
State New
Series "audit: implement container identifier"
Headers show

Commit Message

Richard Guy Briggs Sept. 19, 2019, 1:22 a.m.
Add the ability to get and set the audit container identifier using an
audit netlink message using message types AUDIT_SET_CONTID 1023 and
AUDIT_GET_CONTID 1022 in addition to using the proc filesystem.  The
message format includes the data structure:

struct audit_contid_status {
       pid_t   pid;
       u64     id;
};

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 include/uapi/linux/audit.h |  2 ++
 kernel/audit.c             | 40 ++++++++++++++++++++++++++++++++++++++++
 kernel/audit.h             |  5 +++++
 3 files changed, 47 insertions(+)

Patch hide | download patch | download mbox

diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index f34108759e8f..e26729fc9943 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -73,6 +73,8 @@ 
 #define AUDIT_GET_FEATURE	1019	/* Get which features are enabled */
 #define AUDIT_CONTAINER_OP	1020	/* Define the container id and info */
 #define AUDIT_SIGNAL_INFO2	1021	/* Get info auditd signal sender */
+#define AUDIT_GET_CONTID	1022	/* Get contid of a task */
+#define AUDIT_SET_CONTID	1023	/* Set contid of a task */
 
 #define AUDIT_FIRST_USER_MSG	1100	/* Userspace messages mostly uninteresting to kernel */
 #define AUDIT_USER_AVC		1107	/* We filter this differently */
diff --git a/kernel/audit.c b/kernel/audit.c
index 4fe7678304dd..df92de20ed73 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1216,6 +1216,8 @@  static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
 	case AUDIT_TTY_SET:
 	case AUDIT_TRIM:
 	case AUDIT_MAKE_EQUIV:
+	case AUDIT_GET_CONTID:
+	case AUDIT_SET_CONTID:
 		/* Only support auditd and auditctl in initial pid namespace
 		 * for now. */
 		if (task_active_pid_ns(current) != &init_pid_ns)
@@ -1273,6 +1275,23 @@  static int audit_get_feature(struct sk_buff *skb)
 	return 0;
 }
 
+static int audit_get_contid_status(struct sk_buff *skb)
+{
+	struct nlmsghdr *nlh = nlmsg_hdr(skb);
+	u32 seq = nlh->nlmsg_seq;
+	void *data = nlmsg_data(nlh);
+	struct audit_contid_status cs;
+
+	cs.pid = ((struct audit_contid_status *)data)->pid;
+	if (!cs.pid)
+		cs.pid = task_tgid_nr(current);
+	rcu_read_lock();
+	cs.id = audit_get_contid(find_task_by_vpid(cs.pid));
+	rcu_read_unlock();
+	audit_send_reply(skb, seq, AUDIT_GET_CONTID, 0, 0, &cs, sizeof(cs));
+	return 0;
+}
+
 static void audit_log_feature_change(int which, u32 old_feature, u32 new_feature,
 				     u32 old_lock, u32 new_lock, int res)
 {
@@ -1700,6 +1719,27 @@  static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 		audit_log_end(ab);
 		break;
 	}
+	case AUDIT_SET_CONTID: {
+		struct audit_contid_status *s = data;
+		struct task_struct *tsk;
+
+		/* check if new data is valid */
+		if (nlmsg_len(nlh) < sizeof(*s))
+			return -EINVAL;
+		tsk = find_get_task_by_vpid(s->pid);
+		if (!tsk)
+			return -EINVAL;
+
+		err = audit_set_contid(tsk, s->id);
+		put_task_struct(tsk);
+		return err;
+		break;
+	}
+	case AUDIT_GET_CONTID:
+		err = audit_get_contid_status(skb);
+		if (err)
+			return err;
+		break;
 	default:
 		err = -EINVAL;
 		break;
diff --git a/kernel/audit.h b/kernel/audit.h
index c9b73abfd6a0..25732fbc47a4 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -224,6 +224,11 @@  static inline int audit_hash_contid(u64 contid)
 
 #define AUDIT_CONTID_COUNT	1 << 16
 
+struct audit_contid_status {
+	pid_t	pid;
+	u64	id;
+};
+
 /* Indicates that audit should log the full pathname. */
 #define AUDIT_NAME_FULL -1
 

Comments

Paul Moore Oct. 11, 2019, 12:40 a.m.
On Wed, Sep 18, 2019 at 9:26 PM Richard Guy Briggs <rgb@redhat.com> wrote:
> Add the ability to get and set the audit container identifier using an
> audit netlink message using message types AUDIT_SET_CONTID 1023 and
> AUDIT_GET_CONTID 1022 in addition to using the proc filesystem.  The
> message format includes the data structure:
>
> struct audit_contid_status {
>        pid_t   pid;
>        u64     id;
> };
>
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
>  include/uapi/linux/audit.h |  2 ++
>  kernel/audit.c             | 40 ++++++++++++++++++++++++++++++++++++++++
>  kernel/audit.h             |  5 +++++
>  3 files changed, 47 insertions(+)

I'm not a fan of having multiple interfaces to do one thing if it can
be avoided.  Presumably the argument for the netlink API is the
container folks don't want to have to mount /proc inside containers
which are going to host nested orchestrators?  Can you reasonably run
a fully fledged orchestrator without a valid /proc?

--
paul moore
www.paul-moore.com