[ghak90,V9,05/13] audit: log container info of syscalls

Details

Message ID	6e2e10432e1400f747918eeb93bf45029de2aa6c.1593198710.git.rgb@redhat.com
State	New
Series	"audit: implement container identifier"
Headers	show Delivered-To: criupatchwork@gmail.com Received-SPF: pass (google.com: domain of containers-bounces@lists.linux-foundation.org designates 140.211.166.138 as permitted sender) client-ip=140.211.166.138; field: "References" field: "References" From: Richard Guy Briggs <rgb@redhat.com> To: containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List <linux-audit@redhat.com>, linux-fsdevel@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org Subject: [PATCH ghak90 V9 05/13] audit: log container info of syscalls Date: Sat, 27 Jun 2020 09:20:38 -0400 Message-Id: <6e2e10432e1400f747918eeb93bf45029de2aa6c.1593198710.git.rgb@redhat.com> In-Reply-To: <cover.1593198710.git.rgb@redhat.com> References: <cover.1593198710.git.rgb@redhat.com> In-Reply-To: <cover.1593198710.git.rgb@redhat.com> References: <cover.1593198710.git.rgb@redhat.com> Cc: Paul Moore <paul@paul-moore.com>, nhorman@tuxdriver.com, Richard Guy Briggs <rgb@redhat.com>, dwalsh@redhat.com, omosnace@redhat.com, dhowells@redhat.com, ebiederm@xmission.com, simo@redhat.com, eparis@parisplace.org, sgrubb@redhat.com, mpatel@redhat.com Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: containers-bounces@lists.linux-foundation.org Sender: "Containers" <containers-bounces@lists.linux-foundation.org>

Message ID

6e2e10432e1400f747918eeb93bf45029de2aa6c.1593198710.git.rgb@redhat.com

State

New

Series

"audit: implement container identifier"

Headers

show

Delivered-To: criupatchwork@gmail.com
Received: from imap.gmail.com [74.125.140.109]
	by patchwork.criu.org with IMAP (fetchmail-6.3.26)
	for <root@localhost> (single-drop);
	Sat, 27 Jun 2020 15:22:39 +0200 (CEST)
Received: by 2002:a5e:a91a:0:0:0:0:0 with SMTP id c26csp1391427iod; Sat, 27
	Jun 2020 06:22:37 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxUsnEmFfLy98zEdcPKSGr8wQTTOb67qgF4B7SAay6Jcl2v467Ca7eg324IcAYdxVgMXm+5
X-Received: by 2002:a63:6d42:: with SMTP id i63mr3179912pgc.77.1593264156872;
	Sat, 27 Jun 2020 06:22:36 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1593264156; cv=none; d=google.com;
	s=arc-20160816;
	b=J8jB3+ei/7jrpxkP+keO3wQi9JQfy+NVijXrUhkkls6T74/SboWHC3BCpz1/zWi+ei
	lXwGszSPXCVVmDbbIjMWoQoyx+R1yg5q3VG0Garw/YMm1iRsFkC+Q2P3Do9ZIRbmYjso
	eiyZ4HlkR1EK3nHJ7KIX/+GRdGPgE8TY4+J9e7lDJT4uAuWooEvRcKCro9DhDq7XyPVK
	y3poLRWZA2aCHrWYVgNSyVr9krKZPUwIXNiCzc0MtaR9xrsU6/GWSenq4jTwrQbBQuuO
	IvivtgUIjwlKnWejncJzpD4BIUF5qds8QSljodrV/y9o7Qh3uOKgVcm+ECh/5fUTzuIc
	qA+Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
	s=arc-20160816;
	h=sender:errors-to:content-transfer-encoding:mime-version
	:list-subscribe:list-help:list-post:list-archive:list-unsubscribe
	:list-id:precedence:cc:references:in-reply-to:references:in-reply-to
	:message-id:date:subject:to:from:dkim-signature:delivered-to;
	bh=UVjrb8Am631005NxKi5/YRV+gGbWCNBlYCfiUm0a9fM=;
	b=sEob8ghhBh/yH5BUTgsPC8ChCNHanF03u/LjtvUbelqOF2DjHFmRtnajGDSi4kVl01
	Fjgf2avHcUePEZKO2W9XSrUrRpLrAjxZmGiRUCmWPyCO1a38Xp1fKwyQMtWGW5QC5tpH
	LXlw/pJv6unKv0lQefcxp5K+o2YWO0iiwixKivj0F9tfqyGByigKomeII2e1loTT3WSD
	+uS2e0DtBiGfYDeHfhgIPS+zLDU/xGgc745PWufeb+FVqAf3Bt2tzjvZqQ6h1BgB7pVg
	HAe1rZJIY+aeDJTnbmaA2MNnqrRkuAcxfVF8sOzK7INcThE0aD/w/4B7kPOUnUQlrFWg
	UpSg==
ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did
	not verify) header.i=@redhat.com
	header.s=mimecast20190719 header.b=OrIo+R3J; 
	spf=pass (google.com: domain of
	containers-bounces@lists.linux-foundation.org
	designates 140.211.166.138 as permitted sender)
	smtp.mailfrom=containers-bounces@lists.linux-foundation.org;
	dmarc=fail
	(p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <containers-bounces@lists.linux-foundation.org>
Received: from whitealder.osuosl.org (smtp1.osuosl.org. [140.211.166.138]) by
	mx.google.com with ESMTPS id u11si6927353plq.250.2020.06.27.06.22.36
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Sat, 27 Jun 2020 06:22:36 -0700 (PDT)
Received-SPF: pass (google.com: domain of
	containers-bounces@lists.linux-foundation.org designates
	140.211.166.138 as permitted sender) client-ip=140.211.166.138;
Authentication-Results: mx.google.com;
	dkim=neutral (body hash did not verify)
	header.i=@redhat.com header.s=mimecast20190719 header.b=OrIo+R3J;
	spf=pass
	(google.com: domain of containers-bounces@lists.linux-foundation.org
	designates 140.211.166.138 as permitted sender)
	smtp.mailfrom=containers-bounces@lists.linux-foundation.org;
	dmarc=fail
	(p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: from localhost (localhost [127.0.0.1]) by whitealder.osuosl.org
	(Postfix) with ESMTP id 4A285882BE;
	Sat, 27 Jun 2020 13:22:36 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
X-Amavis-Alert: BAD HEADER SECTION, Duplicate header field: "References"
Received: from whitealder.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org
	[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YA1p-gjQt-E2;
	Sat, 27 Jun 2020 13:22:35 +0000 (UTC)
Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56])
	by whitealder.osuosl.org (Postfix) with ESMTP id 428E5882C4;
	Sat, 27 Jun 2020 13:22:35 +0000 (UTC)
Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by
	lists.linuxfoundation.org (Postfix) with ESMTP id 22A96C0891;
	Sat, 27 Jun 2020 13:22:35 +0000 (UTC)
X-Original-To: containers@lists.linux-foundation.org
Delivered-To: containers@lists.linuxfoundation.org
Received: from fraxinus.osuosl.org (smtp4.osuosl.org [140.211.166.137]) by
	lists.linuxfoundation.org (Postfix) with ESMTP id 85CA2C016F for
	<containers@lists.linux-foundation.org>;
	Sat, 27 Jun 2020 13:22:34 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by fraxinus.osuosl.org
	(Postfix) with ESMTP id 750F485BD0 for
	<containers@lists.linux-foundation.org>;
	Sat, 27 Jun 2020 13:22:34 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
X-Amavis-Alert: BAD HEADER SECTION, Duplicate header field: "References"
Received: from fraxinus.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org
	[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P1_sqTOwmsaR for
	<containers@lists.linux-foundation.org>;
	Sat, 27 Jun 2020 13:22:33 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com
	[207.211.31.120]) by fraxinus.osuosl.org (Postfix) with ESMTPS id
	75BCF85B0D for <containers@lists.linux-foundation.org>;
	Sat, 27 Jun 2020 13:22:33 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1593264152;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	to:to:cc:cc:in-reply-to:in-reply-to:in-reply-to:
	references:references:references;
	bh=6qtunjE5ws/F4Adj5tQCB/kH4v2kuL7jtyqe5YAUFwU=;
	b=OrIo+R3JFD9R8bhZn4lOX3pFjFyu6tKcUSIA4vBA0RBdMo+smkXTAA5hs532AYfeXNFl7i
	AnPpmzE6IB9KmgK27PJ+xAqRTNRuTkV2diixvuWseGB82FCxI0DYxOuJXOje2tb1WD/fLp
	t3FX/hW+eL6MgQyeT1HdWdHFYN3VBtc=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
	[209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
	us-mta-323-iExRSYVTOjm3bv2NNWNE1A-1; Sat, 27 Jun 2020 09:22:28 -0400
X-MC-Unique: iExRSYVTOjm3bv2NNWNE1A-1
Received: from smtp.corp.redhat.com
	(int-mx01.intmail.prod.int.phx2.redhat.com
	[10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256
	bits)) (No
	client certificate requested) by mimecast-mx01.redhat.com (Postfix)
	with ESMTPS id 860DE8031F6; Sat, 27 Jun 2020 13:22:26 +0000 (UTC)
Received: from madcap2.tricolour.ca (unknown [10.10.110.28]) by
	smtp.corp.redhat.com (Postfix) with ESMTP id 7EE857932A;
	Sat, 27 Jun 2020 13:22:13 +0000 (UTC)
From: Richard Guy Briggs <rgb@redhat.com>
To: containers@lists.linux-foundation.org, linux-api@vger.kernel.org,
	Linux-Audit Mailing List <linux-audit@redhat.com>,
	linux-fsdevel@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>,
	netdev@vger.kernel.org, netfilter-devel@vger.kernel.org
Subject: [PATCH ghak90 V9 05/13] audit: log container info of syscalls
Date: Sat, 27 Jun 2020 09:20:38 -0400
Message-Id: <6e2e10432e1400f747918eeb93bf45029de2aa6c.1593198710.git.rgb@redhat.com>
In-Reply-To: <cover.1593198710.git.rgb@redhat.com>
References: <cover.1593198710.git.rgb@redhat.com>
In-Reply-To: <cover.1593198710.git.rgb@redhat.com>
References: <cover.1593198710.git.rgb@redhat.com>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11
Cc: Paul Moore <paul@paul-moore.com>, nhorman@tuxdriver.com, Richard Guy
	Briggs <rgb@redhat.com>, dwalsh@redhat.com, omosnace@redhat.com,
	dhowells@redhat.com, ebiederm@xmission.com, simo@redhat.com,
	eparis@parisplace.org, sgrubb@redhat.com, mpatel@redhat.com
X-BeenThere: containers@lists.linux-foundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Linux Containers <containers.lists.linux-foundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/containers>,
	<mailto:containers-request@lists.linux-foundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/containers/>
List-Post: <mailto:containers@lists.linux-foundation.org>
List-Help: <mailto:containers-request@lists.linux-foundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/containers>,
	<mailto:containers-request@lists.linux-foundation.org?subject=subscribe>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: containers-bounces@lists.linux-foundation.org
Sender: "Containers" <containers-bounces@lists.linux-foundation.org>

Commit Message

Richard Guy Briggs June 27, 2020, 1:20 p.m.

Create a new audit record AUDIT_CONTAINER_ID to document the audit
container identifier of a process if it is present.

Called from audit_log_exit(), syscalls are covered.

Include target_cid references from ptrace and signal.

A sample raw event:
type=SYSCALL msg=audit(1519924845.499:257): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=56374e1cef30 a2=241 a3=1b6 items=2 ppid=606 pid=635 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="tmpcontainerid"
type=CWD msg=audit(1519924845.499:257): cwd="/root"
type=PATH msg=audit(1519924845.499:257): item=0 name="/tmp/" inode=13863 dev=00:27 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype= PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=PATH msg=audit(1519924845.499:257): item=1 name="/tmp/tmpcontainerid" inode=17729 dev=00:27 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1519924845.499:257): proctitle=62617368002D6300736C65657020313B206563686F2074657374203E202F746D702F746D70636F6E7461696E65726964
type=CONTAINER_ID msg=audit(1519924845.499:257): contid=123458

Please see the github audit kernel issue for the main feature:
  https://github.com/linux-audit/audit-kernel/issues/90
Please see the github audit userspace issue for supporting additions:
  https://github.com/linux-audit/audit-userspace/issues/51
Please see the github audit testsuiite issue for the test case:
  https://github.com/linux-audit/audit-testsuite/issues/64
Please see the github audit wiki for the feature overview:
  https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Acked-by: Steve Grubb <sgrubb@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 include/linux/audit.h      |  7 +++++++
 include/uapi/linux/audit.h |  1 +
 kernel/audit.c             | 25 +++++++++++++++++++++++--
 kernel/audit.h             |  4 ++++
 kernel/auditsc.c           | 45 +++++++++++++++++++++++++++++++++++++++------
 5 files changed, 74 insertions(+), 8 deletions(-)

Patch hide | download patch | download mbox

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 2800d4f1a2a8..5eeba0efffc2 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -222,6 +222,9 @@  static inline u64 audit_get_contid(struct task_struct *tsk)
 	return tsk->audit->cont->id;
 }
 
+extern void audit_log_container_id(struct audit_context *context,
+				   struct audit_contobj *cont);
+
 extern u32 audit_enabled;
 
 extern int audit_signal_info(int sig, struct task_struct *t);
@@ -291,6 +294,10 @@  static inline u64 audit_get_contid(struct task_struct *tsk)
 	return AUDIT_CID_UNSET;
 }
 
+static inline void audit_log_container_id(struct audit_context *context,
+					  struct audit_contobj *cont)
+{ }
+
 #define audit_enabled AUDIT_OFF
 
 static inline int audit_signal_info(int sig, struct task_struct *t)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 859382527210..fd98460c983f 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -119,6 +119,7 @@ 
 #define AUDIT_TIME_ADJNTPVAL	1333	/* NTP value adjustment */
 #define AUDIT_BPF		1334	/* BPF subsystem */
 #define AUDIT_EVENT_LISTENER	1335	/* Task joined multicast read socket */
+#define AUDIT_CONTAINER_ID	1336	/* Container ID */
 
 #define AUDIT_AVC		1400	/* SE Linux avc denial or grant */
 #define AUDIT_SELINUX_ERR	1401	/* Internal SE Linux Errors */
diff --git a/kernel/audit.c b/kernel/audit.c
index 9e0b38ce1ead..a09f8f661234 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -227,7 +227,7 @@  static struct audit_contobj *_audit_contobj_hold(struct audit_contobj *cont)
 	return cont;
 }
 
-static struct audit_contobj *_audit_contobj_get(struct task_struct *tsk)
+struct audit_contobj *_audit_contobj_get(struct task_struct *tsk)
 {
 	if (!tsk->audit)
 		return NULL;
@@ -235,7 +235,7 @@  static struct audit_contobj *_audit_contobj_get(struct task_struct *tsk)
 }
 
 /* rcu_read_lock must be held by caller */
-static void _audit_contobj_put(struct audit_contobj *cont)
+void _audit_contobj_put(struct audit_contobj *cont)
 {
 	if (!cont)
 		return;
@@ -2211,6 +2211,27 @@  void audit_log_session_info(struct audit_buffer *ab)
 	audit_log_format(ab, "auid=%u ses=%u", auid, sessionid);
 }
 
+/*
+ * audit_log_container_id - report container info
+ * @context: task or local context for record
+ * @cont: container object to report
+ */
+void audit_log_container_id(struct audit_context *context,
+			    struct audit_contobj *cont)
+{
+	struct audit_buffer *ab;
+
+	if (!cont)
+		return;
+	/* Generate AUDIT_CONTAINER_ID record with container ID */
+	ab = audit_log_start(context, GFP_KERNEL, AUDIT_CONTAINER_ID);
+	if (!ab)
+		return;
+	audit_log_format(ab, "contid=%llu", contid);
+	audit_log_end(ab);
+}
+EXPORT_SYMBOL(audit_log_container_id);
+
 void audit_log_key(struct audit_buffer *ab, char *key)
 {
 	audit_log_format(ab, " key=");
diff --git a/kernel/audit.h b/kernel/audit.h
index d07093903008..0c9446f8d52c 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -135,6 +135,7 @@  struct audit_context {
 	kuid_t		    target_uid;
 	unsigned int	    target_sessionid;
 	u32		    target_sid;
+	struct audit_contobj *target_cid;
 	char		    target_comm[TASK_COMM_LEN];
 
 	struct audit_tree_refs *trees, *first_trees;
@@ -218,6 +219,9 @@  static inline int audit_hash_contid(u64 contid)
 	return (contid & (AUDIT_CONTID_BUCKETS-1));
 }
 
+extern struct audit_contobj *_audit_contobj_get(struct task_struct *tsk);
+extern void _audit_contobj_put(struct audit_contobj *cont);
+
 /* Indicates that audit should log the full pathname. */
 #define AUDIT_NAME_FULL -1
 
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index f03d3eb0752c..9e79645e5c0e 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -113,6 +113,7 @@  struct audit_aux_data_pids {
 	kuid_t			target_uid[AUDIT_AUX_PIDS];
 	unsigned int		target_sessionid[AUDIT_AUX_PIDS];
 	u32			target_sid[AUDIT_AUX_PIDS];
+	struct audit_contobj	*target_cid[AUDIT_AUX_PIDS];
 	char 			target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
 	int			pid_count;
 };
@@ -889,13 +890,20 @@  static inline void audit_free_names(struct audit_context *context)
 static inline void audit_free_aux(struct audit_context *context)
 {
 	struct audit_aux_data *aux;
+	struct audit_aux_data_pids *axp;
 
+	_audit_contobj_put(context->target_cid);
 	while ((aux = context->aux)) {
 		context->aux = aux->next;
 		kfree(aux);
 	}
 	while ((aux = context->aux_pids)) {
+		int i;
+
 		context->aux_pids = aux->next;
+		axp = (struct audit_aux_data_pids *)aux;
+		for (i = 0; i < axp->pid_count; i++)
+			_audit_contobj_put(axp->target_cid[i]);
 		kfree(aux);
 	}
 }
@@ -1458,6 +1466,7 @@  static void audit_log_exit(void)
 	struct audit_buffer *ab;
 	struct audit_aux_data *aux;
 	struct audit_names *n;
+	struct audit_contobj *cont;
 
 	context->personality = current->personality;
 
@@ -1541,7 +1550,7 @@  static void audit_log_exit(void)
 	for (aux = context->aux_pids; aux; aux = aux->next) {
 		struct audit_aux_data_pids *axs = (void *)aux;
 
-		for (i = 0; i < axs->pid_count; i++)
+		for (i = 0; i < axs->pid_count; i++) {
 			if (audit_log_pid_context(context, axs->target_pid[i],
 						  axs->target_auid[i],
 						  axs->target_uid[i],
@@ -1549,14 +1558,20 @@  static void audit_log_exit(void)
 						  axs->target_sid[i],
 						  axs->target_comm[i]))
 				call_panic = 1;
+			audit_log_container_id(context, axs->target_cid[i]);
+		}
 	}
 
-	if (context->target_pid &&
-	    audit_log_pid_context(context, context->target_pid,
-				  context->target_auid, context->target_uid,
-				  context->target_sessionid,
-				  context->target_sid, context->target_comm))
+	if (context->target_pid) {
+		if (audit_log_pid_context(context, context->target_pid,
+					  context->target_auid,
+					  context->target_uid,
+					  context->target_sessionid,
+					  context->target_sid,
+					  context->target_comm))
 			call_panic = 1;
+		audit_log_container_id(context, context->target_cid);
+	}
 
 	if (context->pwd.dentry && context->pwd.mnt) {
 		ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
@@ -1575,6 +1590,14 @@  static void audit_log_exit(void)
 
 	audit_log_proctitle();
 
+	rcu_read_lock();
+	cont = _audit_contobj_get(current);
+	rcu_read_unlock();
+	audit_log_container_id(context, cont);
+	rcu_read_lock();
+	_audit_contobj_put(cont);
+	rcu_read_unlock();
+
 	audit_log_container_drop();
 
 	/* Send end of event record to help user space know we are finished */
@@ -2385,6 +2408,10 @@  void __audit_ptrace(struct task_struct *t)
 	context->target_uid = task_uid(t);
 	context->target_sessionid = audit_get_sessionid(t);
 	security_task_getsecid(t, &context->target_sid);
+	rcu_read_lock();
+	_audit_contobj_put(context->target_cid);
+	context->target_cid = _audit_contobj_get(t);
+	rcu_read_unlock();
 	memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
 }
 
@@ -2412,6 +2439,9 @@  int audit_signal_info_syscall(struct task_struct *t)
 		ctx->target_uid = t_uid;
 		ctx->target_sessionid = audit_get_sessionid(t);
 		security_task_getsecid(t, &ctx->target_sid);
+		rcu_read_lock();
+		ctx->target_cid = _audit_contobj_get(t);
+		rcu_read_unlock();
 		memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
 		return 0;
 	}
@@ -2433,6 +2463,9 @@  int audit_signal_info_syscall(struct task_struct *t)
 	axp->target_uid[axp->pid_count] = t_uid;
 	axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
 	security_task_getsecid(t, &axp->target_sid[axp->pid_count]);
+	rcu_read_lock();
+	axp->target_cid[axp->pid_count] = _audit_contobj_get(t);
+	rcu_read_unlock();
 	memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
 	axp->pid_count++;

Comments

Paul Moore July 5, 2020, 3:10 p.m.

On Sat, Jun 27, 2020 at 9:22 AM Richard Guy Briggs <rgb@redhat.com> wrote:
>
> Create a new audit record AUDIT_CONTAINER_ID to document the audit
> container identifier of a process if it is present.
>
> Called from audit_log_exit(), syscalls are covered.
>
> Include target_cid references from ptrace and signal.
>
> A sample raw event:
> type=SYSCALL msg=audit(1519924845.499:257): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=56374e1cef30 a2=241 a3=1b6 items=2 ppid=606 pid=635 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="tmpcontainerid"
> type=CWD msg=audit(1519924845.499:257): cwd="/root"
> type=PATH msg=audit(1519924845.499:257): item=0 name="/tmp/" inode=13863 dev=00:27 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype= PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
> type=PATH msg=audit(1519924845.499:257): item=1 name="/tmp/tmpcontainerid" inode=17729 dev=00:27 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
> type=PROCTITLE msg=audit(1519924845.499:257): proctitle=62617368002D6300736C65657020313B206563686F2074657374203E202F746D702F746D70636F6E7461696E65726964
> type=CONTAINER_ID msg=audit(1519924845.499:257): contid=123458
>
> Please see the github audit kernel issue for the main feature:
>   https://github.com/linux-audit/audit-kernel/issues/90
> Please see the github audit userspace issue for supporting additions:
>   https://github.com/linux-audit/audit-userspace/issues/51
> Please see the github audit testsuiite issue for the test case:
>   https://github.com/linux-audit/audit-testsuite/issues/64
> Please see the github audit wiki for the feature overview:
>   https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> Acked-by: Serge Hallyn <serge@hallyn.com>
> Acked-by: Steve Grubb <sgrubb@redhat.com>
> Acked-by: Neil Horman <nhorman@tuxdriver.com>
> Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
> ---
>  include/linux/audit.h      |  7 +++++++
>  include/uapi/linux/audit.h |  1 +
>  kernel/audit.c             | 25 +++++++++++++++++++++++--
>  kernel/audit.h             |  4 ++++
>  kernel/auditsc.c           | 45 +++++++++++++++++++++++++++++++++++++++------
>  5 files changed, 74 insertions(+), 8 deletions(-)

...

> diff --git a/kernel/audit.c b/kernel/audit.c
> index 9e0b38ce1ead..a09f8f661234 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -2211,6 +2211,27 @@ void audit_log_session_info(struct audit_buffer *ab)
>         audit_log_format(ab, "auid=%u ses=%u", auid, sessionid);
>  }
>
> +/*
> + * audit_log_container_id - report container info
> + * @context: task or local context for record
> + * @cont: container object to report
> + */
> +void audit_log_container_id(struct audit_context *context,
> +                           struct audit_contobj *cont)
> +{
> +       struct audit_buffer *ab;
> +
> +       if (!cont)
> +               return;
> +       /* Generate AUDIT_CONTAINER_ID record with container ID */
> +       ab = audit_log_start(context, GFP_KERNEL, AUDIT_CONTAINER_ID);
> +       if (!ab)
> +               return;
> +       audit_log_format(ab, "contid=%llu", contid);

Did this patch compile?  Where is "contid" coming from?  I'm guessing
you mean to get it from "cont", but that isn't what appears to be
happening; likely a casualty of the object vs token discussion we had
during the last review cycle.

I'm assuming this code gets modified later in this patchset and you
only compiled tested the patchset as a whole.  Please make sure the
patchset compiles at each patch along the way to applying them all;
this helps ensure that git bisect remains useful and it fits better
with the general idea that individual patches must have merit on their
own.

... and yes, I do check for this when merging patchsets, it isn't just
a visual inspection, I compile test each patch.

If nothing else, at least this answers the question of if it is worth
respinning or not (this alone requires a respin).

> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index f03d3eb0752c..9e79645e5c0e 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -1458,6 +1466,7 @@ static void audit_log_exit(void)
>         struct audit_buffer *ab;
>         struct audit_aux_data *aux;
>         struct audit_names *n;
> +       struct audit_contobj *cont;
>
>         context->personality = current->personality;
>
> @@ -1541,7 +1550,7 @@ static void audit_log_exit(void)
>         for (aux = context->aux_pids; aux; aux = aux->next) {
>                 struct audit_aux_data_pids *axs = (void *)aux;
>
> -               for (i = 0; i < axs->pid_count; i++)
> +               for (i = 0; i < axs->pid_count; i++) {
>                         if (audit_log_pid_context(context, axs->target_pid[i],
>                                                   axs->target_auid[i],
>                                                   axs->target_uid[i],
> @@ -1549,14 +1558,20 @@ static void audit_log_exit(void)
>                                                   axs->target_sid[i],
>                                                   axs->target_comm[i]))
>                                 call_panic = 1;
> +                       audit_log_container_id(context, axs->target_cid[i]);
> +               }

It might be nice to see an audit event example including the
ptrace/signal information.  I'm concerned there may be some confusion
about associating the different audit container IDs with the correct
information in the event.

>         }
>
> -       if (context->target_pid &&
> -           audit_log_pid_context(context, context->target_pid,
> -                                 context->target_auid, context->target_uid,
> -                                 context->target_sessionid,
> -                                 context->target_sid, context->target_comm))
> +       if (context->target_pid) {
> +               if (audit_log_pid_context(context, context->target_pid,
> +                                         context->target_auid,
> +                                         context->target_uid,
> +                                         context->target_sessionid,
> +                                         context->target_sid,
> +                                         context->target_comm))
>                         call_panic = 1;
> +               audit_log_container_id(context, context->target_cid);
> +       }
>
>         if (context->pwd.dentry && context->pwd.mnt) {
>                 ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
> @@ -1575,6 +1590,14 @@ static void audit_log_exit(void)
>
>         audit_log_proctitle();
>
> +       rcu_read_lock();
> +       cont = _audit_contobj_get(current);
> +       rcu_read_unlock();
> +       audit_log_container_id(context, cont);
> +       rcu_read_lock();
> +       _audit_contobj_put(cont);
> +       rcu_read_unlock();

Do we need to grab an additional reference for the audit container
object here?  We don't create any additional references here that
persist beyond the lifetime of this function, right?


>         audit_log_container_drop();
>
>         /* Send end of event record to help user space know we are finished */

--
paul moore
www.paul-moore.com

Richard Guy Briggs July 29, 2020, 7:40 p.m.

On 2020-07-05 11:10, Paul Moore wrote:
> On Sat, Jun 27, 2020 at 9:22 AM Richard Guy Briggs <rgb@redhat.com> wrote:
> >
> > Create a new audit record AUDIT_CONTAINER_ID to document the audit
> > container identifier of a process if it is present.
> >
> > Called from audit_log_exit(), syscalls are covered.
> >
> > Include target_cid references from ptrace and signal.
> >
> > A sample raw event:
> > type=SYSCALL msg=audit(1519924845.499:257): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=56374e1cef30 a2=241 a3=1b6 items=2 ppid=606 pid=635 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="tmpcontainerid"
> > type=CWD msg=audit(1519924845.499:257): cwd="/root"
> > type=PATH msg=audit(1519924845.499:257): item=0 name="/tmp/" inode=13863 dev=00:27 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype= PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
> > type=PATH msg=audit(1519924845.499:257): item=1 name="/tmp/tmpcontainerid" inode=17729 dev=00:27 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
> > type=PROCTITLE msg=audit(1519924845.499:257): proctitle=62617368002D6300736C65657020313B206563686F2074657374203E202F746D702F746D70636F6E7461696E65726964
> > type=CONTAINER_ID msg=audit(1519924845.499:257): contid=123458
> >
> > Please see the github audit kernel issue for the main feature:
> >   https://github.com/linux-audit/audit-kernel/issues/90
> > Please see the github audit userspace issue for supporting additions:
> >   https://github.com/linux-audit/audit-userspace/issues/51
> > Please see the github audit testsuiite issue for the test case:
> >   https://github.com/linux-audit/audit-testsuite/issues/64
> > Please see the github audit wiki for the feature overview:
> >   https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > Acked-by: Serge Hallyn <serge@hallyn.com>
> > Acked-by: Steve Grubb <sgrubb@redhat.com>
> > Acked-by: Neil Horman <nhorman@tuxdriver.com>
> > Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
> > ---
> >  include/linux/audit.h      |  7 +++++++
> >  include/uapi/linux/audit.h |  1 +
> >  kernel/audit.c             | 25 +++++++++++++++++++++++--
> >  kernel/audit.h             |  4 ++++
> >  kernel/auditsc.c           | 45 +++++++++++++++++++++++++++++++++++++++------
> >  5 files changed, 74 insertions(+), 8 deletions(-)
> 
> ...
> 
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index 9e0b38ce1ead..a09f8f661234 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -2211,6 +2211,27 @@ void audit_log_session_info(struct audit_buffer *ab)
> >         audit_log_format(ab, "auid=%u ses=%u", auid, sessionid);
> >  }
> >
> > +/*
> > + * audit_log_container_id - report container info
> > + * @context: task or local context for record
> > + * @cont: container object to report
> > + */
> > +void audit_log_container_id(struct audit_context *context,
> > +                           struct audit_contobj *cont)
> > +{
> > +       struct audit_buffer *ab;
> > +
> > +       if (!cont)
> > +               return;
> > +       /* Generate AUDIT_CONTAINER_ID record with container ID */
> > +       ab = audit_log_start(context, GFP_KERNEL, AUDIT_CONTAINER_ID);
> > +       if (!ab)
> > +               return;
> > +       audit_log_format(ab, "contid=%llu", contid);
> 
> Did this patch compile?  Where is "contid" coming from?  I'm guessing
> you mean to get it from "cont", but that isn't what appears to be
> happening; likely a casualty of the object vs token discussion we had
> during the last review cycle.

Yes, it was supposed to be cont->id.

> I'm assuming this code gets modified later in this patchset and you
> only compiled tested the patchset as a whole.  Please make sure the
> patchset compiles at each patch along the way to applying them all;
> this helps ensure that git bisect remains useful and it fits better
> with the general idea that individual patches must have merit on their
> own.

Yes, agreed.

> ... and yes, I do check for this when merging patchsets, it isn't just
> a visual inspection, I compile test each patch.
> 
> If nothing else, at least this answers the question of if it is worth
> respinning or not (this alone requires a respin).
> 
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index f03d3eb0752c..9e79645e5c0e 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -1458,6 +1466,7 @@ static void audit_log_exit(void)
> >         struct audit_buffer *ab;
> >         struct audit_aux_data *aux;
> >         struct audit_names *n;
> > +       struct audit_contobj *cont;
> >
> >         context->personality = current->personality;
> >
> > @@ -1541,7 +1550,7 @@ static void audit_log_exit(void)
> >         for (aux = context->aux_pids; aux; aux = aux->next) {
> >                 struct audit_aux_data_pids *axs = (void *)aux;
> >
> > -               for (i = 0; i < axs->pid_count; i++)
> > +               for (i = 0; i < axs->pid_count; i++) {
> >                         if (audit_log_pid_context(context, axs->target_pid[i],
> >                                                   axs->target_auid[i],
> >                                                   axs->target_uid[i],
> > @@ -1549,14 +1558,20 @@ static void audit_log_exit(void)
> >                                                   axs->target_sid[i],
> >                                                   axs->target_comm[i]))
> >                                 call_panic = 1;
> > +                       audit_log_container_id(context, axs->target_cid[i]);
> > +               }
> 
> It might be nice to see an audit event example including the
> ptrace/signal information.  I'm concerned there may be some confusion
> about associating the different audit container IDs with the correct
> information in the event.

This is the subject of ghat81, which is a test for ptrace and signal
records.

This was the reason I had advocated for an op= field since there is a
possibility of multiple contid records per event.

> >         }
> >
> > -       if (context->target_pid &&
> > -           audit_log_pid_context(context, context->target_pid,
> > -                                 context->target_auid, context->target_uid,
> > -                                 context->target_sessionid,
> > -                                 context->target_sid, context->target_comm))
> > +       if (context->target_pid) {
> > +               if (audit_log_pid_context(context, context->target_pid,
> > +                                         context->target_auid,
> > +                                         context->target_uid,
> > +                                         context->target_sessionid,
> > +                                         context->target_sid,
> > +                                         context->target_comm))
> >                         call_panic = 1;
> > +               audit_log_container_id(context, context->target_cid);
> > +       }
> >
> >         if (context->pwd.dentry && context->pwd.mnt) {
> >                 ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
> > @@ -1575,6 +1590,14 @@ static void audit_log_exit(void)
> >
> >         audit_log_proctitle();
> >
> > +       rcu_read_lock();
> > +       cont = _audit_contobj_get(current);
> > +       rcu_read_unlock();
> > +       audit_log_container_id(context, cont);
> > +       rcu_read_lock();
> > +       _audit_contobj_put(cont);
> > +       rcu_read_unlock();
> 
> Do we need to grab an additional reference for the audit container
> object here?  We don't create any additional references here that
> persist beyond the lifetime of this function, right?

Why do we need another reference?  There's one for each pointer pointing
to it and so far we have just one from this task.  Or are you thinking
of the contid hash list, which is only added to when a task points to it
and gets removed from that list when the last task stops pointing to it.
Later that gets more complicated with network namespaces and nested
container objects.  For now we just needed it while generating the
record, then it gets freed.

> >         audit_log_container_drop();
> >
> >         /* Send end of event record to help user space know we are finished */
> 
> paul moore

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

Paul Moore Aug. 21, 2020, 7:15 p.m.

On Wed, Jul 29, 2020 at 3:41 PM Richard Guy Briggs <rgb@redhat.com> wrote:
> On 2020-07-05 11:10, Paul Moore wrote:
> > On Sat, Jun 27, 2020 at 9:22 AM Richard Guy Briggs <rgb@redhat.com> wrote:

...

> > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > > index f03d3eb0752c..9e79645e5c0e 100644
> > > --- a/kernel/auditsc.c
> > > +++ b/kernel/auditsc.c
> > > @@ -1458,6 +1466,7 @@ static void audit_log_exit(void)
> > >         struct audit_buffer *ab;
> > >         struct audit_aux_data *aux;
> > >         struct audit_names *n;
> > > +       struct audit_contobj *cont;
> > >
> > >         context->personality = current->personality;
> > >
> > > @@ -1541,7 +1550,7 @@ static void audit_log_exit(void)
> > >         for (aux = context->aux_pids; aux; aux = aux->next) {
> > >                 struct audit_aux_data_pids *axs = (void *)aux;
> > >
> > > -               for (i = 0; i < axs->pid_count; i++)
> > > +               for (i = 0; i < axs->pid_count; i++) {
> > >                         if (audit_log_pid_context(context, axs->target_pid[i],
> > >                                                   axs->target_auid[i],
> > >                                                   axs->target_uid[i],
> > > @@ -1549,14 +1558,20 @@ static void audit_log_exit(void)
> > >                                                   axs->target_sid[i],
> > >                                                   axs->target_comm[i]))
> > >                                 call_panic = 1;
> > > +                       audit_log_container_id(context, axs->target_cid[i]);
> > > +               }
> >
> > It might be nice to see an audit event example including the
> > ptrace/signal information.  I'm concerned there may be some confusion
> > about associating the different audit container IDs with the correct
> > information in the event.
>
> This is the subject of ghat81, which is a test for ptrace and signal
> records.
>
> This was the reason I had advocated for an op= field since there is a
> possibility of multiple contid records per event.

I think an "op=" field is the wrong way to link audit container ID to
a particular record.  It may be convenient, but I fear that it would
be overloading the field too much.

Like I said above, I think it would be good to see an audit event
example including the ptrace/signal information.  This way we can talk
about it on-list and hash out the various solutions if it proves to be
a problem.

> > > @@ -1575,6 +1590,14 @@ static void audit_log_exit(void)
> > >
> > >         audit_log_proctitle();
> > >
> > > +       rcu_read_lock();
> > > +       cont = _audit_contobj_get(current);
> > > +       rcu_read_unlock();
> > > +       audit_log_container_id(context, cont);
> > > +       rcu_read_lock();
> > > +       _audit_contobj_put(cont);
> > > +       rcu_read_unlock();
> >
> > Do we need to grab an additional reference for the audit container
> > object here?  We don't create any additional references here that
> > persist beyond the lifetime of this function, right?
>
> Why do we need another reference?  There's one for each pointer pointing
> to it and so far we have just one from this task.  Or are you thinking
> of the contid hash list, which is only added to when a task points to it
> and gets removed from that list when the last task stops pointing to it.
> Later that gets more complicated with network namespaces and nested
> container objects.  For now we just needed it while generating the
> record, then it gets freed.

I don't think we need to grab an additional reference here, that is
why I asked the question.  The code above grabs a reference for the
audit container ID object associated with the current task and then
drops it before returning; if the current task, and it's associated
audit container ID object, disappears in the middle of the function
we've got much bigger worries :)