From mboxrd@z Thu Jan 1 00:00:00 1970 From: Richard Guy Briggs Subject: [PATCH ghau51/ghau40 v7 09/12] contid: interpret correctly CONTAINER_ID contid field csv Date: Wed, 18 Sep 2019 21:27:49 -0400 Message-ID: <1568856472-10173-10-git-send-email-rgb@redhat.com> References: <1568856472-10173-1-git-send-email-rgb@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <1568856472-10173-1-git-send-email-rgb@redhat.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: containers@lists.linux-foundation.org, Linux-Audit Mailing List , LKML Cc: nhorman@redhat.com, Richard Guy Briggs , eparis@parisplace.org, mpatel@redhat.com List-Id: linux-audit@redhat.com The CONTAINER_ID record contid field can contain comma-separated values when accompanying a NETFILTER_PKT record. Records appeared interpreted as such: Wrong: CONTAINER_ID msg=audit(2019-04-10 13:20:18.746:1690) : contid=777 666,333 Right: CONTAINER_ID msg=audit(2019-04-10 13:20:18.746:1690) : contid=777,666,333 Signed-off-by: Richard Guy Briggs --- src/ausearch-report.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/ausearch-report.c b/src/ausearch-report.c index 416c2b13fa6a..82fa9579f972 100644 --- a/src/ausearch-report.c +++ b/src/ausearch-report.c @@ -279,7 +279,7 @@ no_print: if (str && val && (str < val)) { // Value side has commas and another field exists // Known: LABEL_LEVEL_CHANGE banners=none,none - // Known: ROLL_ASSIGN new-role=r,r + // Known: ROLE_ASSIGN new-role=r,r // Known: any MAC LABEL can potentially have commas int ftype = auparse_interp_adjust_type(n->type, name, val); @@ -293,9 +293,11 @@ no_print: } else if (str && (val == NULL)) { // Goes all the way to the end. Done parsing // Known: MCS context in PATH rec obj=u:r:t:s0:c2,c7 + // Known: CONTAINER_ID contid can be a comma-separated list int ftype = auparse_interp_adjust_type(n->type, name, ptr); - if (ftype == AUPARSE_TYPE_MAC_LABEL) + if (ftype == AUPARSE_TYPE_MAC_LABEL + || ftype == AUPARSE_TYPE_CONTID) str = NULL; else { *str++ = 0; -- 1.8.3.1 From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1460EC4CEC9 for ; Thu, 19 Sep 2019 01:29:08 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id E7BD020644 for ; Thu, 19 Sep 2019 01:29:07 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388236AbfISB3G (ORCPT ); Wed, 18 Sep 2019 21:29:06 -0400 Received: from mx1.redhat.com ([209.132.183.28]:54554 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2387417AbfISB3C (ORCPT ); Wed, 18 Sep 2019 21:29:02 -0400 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 306AD81DEB; Thu, 19 Sep 2019 01:29:02 +0000 (UTC) Received: from madcap2.tricolour.ca (ovpn-112-19.phx2.redhat.com [10.3.112.19]) by smtp.corp.redhat.com (Postfix) with ESMTP id 4257D5D9CC; Thu, 19 Sep 2019 01:28:59 +0000 (UTC) From: Richard Guy Briggs To: containers@lists.linux-foundation.org, Linux-Audit Mailing List , LKML Cc: eparis@parisplace.org, Steve Grubb , omosnace@redhat.com, Paul Moore , nhorman@redhat.com, dwalsh@redhat.com, mpatel@redhat.com, Richard Guy Briggs Subject: [PATCH ghau51/ghau40 v7 09/12] contid: interpret correctly CONTAINER_ID contid field csv Date: Wed, 18 Sep 2019 21:27:49 -0400 Message-Id: <1568856472-10173-10-git-send-email-rgb@redhat.com> In-Reply-To: <1568856472-10173-1-git-send-email-rgb@redhat.com> References: <1568856472-10173-1-git-send-email-rgb@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.25]); Thu, 19 Sep 2019 01:29:02 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The CONTAINER_ID record contid field can contain comma-separated values when accompanying a NETFILTER_PKT record. Records appeared interpreted as such: Wrong: CONTAINER_ID msg=audit(2019-04-10 13:20:18.746:1690) : contid=777 666,333 Right: CONTAINER_ID msg=audit(2019-04-10 13:20:18.746:1690) : contid=777,666,333 Signed-off-by: Richard Guy Briggs --- src/ausearch-report.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/ausearch-report.c b/src/ausearch-report.c index 416c2b13fa6a..82fa9579f972 100644 --- a/src/ausearch-report.c +++ b/src/ausearch-report.c @@ -279,7 +279,7 @@ no_print: if (str && val && (str < val)) { // Value side has commas and another field exists // Known: LABEL_LEVEL_CHANGE banners=none,none - // Known: ROLL_ASSIGN new-role=r,r + // Known: ROLE_ASSIGN new-role=r,r // Known: any MAC LABEL can potentially have commas int ftype = auparse_interp_adjust_type(n->type, name, val); @@ -293,9 +293,11 @@ no_print: } else if (str && (val == NULL)) { // Goes all the way to the end. Done parsing // Known: MCS context in PATH rec obj=u:r:t:s0:c2,c7 + // Known: CONTAINER_ID contid can be a comma-separated list int ftype = auparse_interp_adjust_type(n->type, name, ptr); - if (ftype == AUPARSE_TYPE_MAC_LABEL) + if (ftype == AUPARSE_TYPE_MAC_LABEL + || ftype == AUPARSE_TYPE_CONTID) str = NULL; else { *str++ = 0; -- 1.8.3.1