From: Richard Guy Briggs <rgb@redhat.com>
To: containers@lists.linux-foundation.org,
Linux-Audit Mailing List <linux-audit@redhat.com>,
LKML <linux-kernel@vger.kernel.org>
Cc: eparis@parisplace.org, Steve Grubb <sgrubb@redhat.com>,
omosnace@redhat.com, Paul Moore <paul@paul-moore.com>,
nhorman@redhat.com, dwalsh@redhat.com, mpatel@redhat.com,
Richard Guy Briggs <rgb@redhat.com>
Subject: [PATCH ghau51/ghau40 v7 12/12] libaudit: add support to get and set capcontid on a task
Date: Wed, 18 Sep 2019 21:27:52 -0400 [thread overview]
Message-ID: <1568856472-10173-13-git-send-email-rgb@redhat.com> (raw)
In-Reply-To: <1568856472-10173-1-git-send-email-rgb@redhat.com>
Add support to be able to set a capability to allow a task to set the
audit container identifier of descendants.
See: https://github.com/linux-audit/audit-userspace/issues/51
See: https://github.com/linux-audit/audit-kernel/issues/90
See: https://github.com/linux-audit/audit-testsuite/issues/64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Add the audit_get_capcontid() and audit_set_capcontid() calls analogous
to CAP_AUDIT_CONTROL for descendant user namespaces.
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
docs/Makefile.am | 1 +
lib/libaudit.c | 85 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
lib/libaudit.h | 14 +++++++++
lib/msg_typetab.h | 2 ++
lib/netlink.c | 4 +++
5 files changed, 106 insertions(+)
diff --git a/docs/Makefile.am b/docs/Makefile.am
index 821182315806..8b0e5c2c3730 100644
--- a/docs/Makefile.am
+++ b/docs/Makefile.am
@@ -29,6 +29,7 @@ auditd.conf.5 auditd-plugins.5 \
audit_delete_rule_data.3 audit_detect_machine.3 \
audit_encode_nv_string.3 audit_getloginuid.3 \
audit_get_reply.3 audit_get_session.3 audit_get_containerid.3 audit_set_containerid.3 \
+audit_get_capcontid.3 audit_set_capcontid.3 \
audit_log_acct_message.3 audit_log_user_avc_message.3 \
audit_log_user_command.3 audit_log_user_comm_message.3 \
audit_log_user_message.3 audit_log_semanage_message.3 \
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 62e1a2a64ee5..08998610c66a 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -1026,6 +1026,91 @@ uint32_t audit_get_session(void)
}
/*
+ * This function will retrieve the capability container identifier or -2 if
+ * there is an error.
+ */
+uint32_t audit_get_capcontid(pid_t pid)
+{
+ if ((audit_get_features() & AUDIT_FEATURE_BITMAP_CONTAINERID) == 0) {
+ return -2;
+ } else {
+ struct audit_reply rep;
+ int i;
+ int timeout = 40; /* tenths of seconds */
+ struct pollfd pfd[1];
+ int fd = audit_open();
+ struct audit_capcontid_status cs;
+ int rc;
+
+ if (fd < 0) {
+ audit_msg(audit_priority(errno), "Error openning get capcontid req (%s)", strerror(-rc));
+ return -2;
+ }
+ cs.pid = pid;
+ rc = audit_send(fd, AUDIT_GET_CONTID, &cs, sizeof(cs));
+ if (rc < 0 && rc != -EINVAL) {
+ audit_close(fd);
+ audit_msg(audit_priority(errno), "Error sending set capcontid req (%s)", strerror(-rc));
+ return -2;
+ }
+ pfd[0].fd = fd;
+ pfd[0].events = POLLIN;
+
+ for (i = 0; i < timeout; i++) {
+ do {
+ rc = poll(pfd, 1, 100);
+ } while (rc < 0 && errno == EINTR);
+ rc = audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING,0);
+ if (rc > 0) {
+ /* If we get done or error, break out */
+ if (rep.type == NLMSG_DONE ||
+ rep.type == NLMSG_ERROR)
+ break;
+
+ /* If its not get_contid, keep looping */
+ if (rep.type != AUDIT_GET_CAPCONTID)
+ continue;
+
+ /* Found it... */
+ audit_close(fd);
+ if (rep.capcontid->pid == pid)
+ return rep.capcontid->cap;
+ else
+ return -2;
+ }
+ }
+ audit_close(fd);
+ return -2;
+ }
+}
+
+/*
+ * This function returns 0 on success and 1 on failure
+ */
+int audit_set_capcontid(pid_t pid, uint32_t capcontid)
+{
+ if ((audit_get_features() & AUDIT_FEATURE_BITMAP_CONTAINERID) == 0) {
+ return -2;
+ } else {
+ int rc;
+ int seq;
+ int fd = audit_open();
+ struct audit_capcontid_status cs = { pid, capcontid };
+
+ if (fd < 0) {
+ audit_msg(audit_priority(errno), "Error openning set capcontid req (%s)", strerror(-rc));
+ return 1;
+ }
+ rc = audit_send(fd, AUDIT_SET_CAPCONTID, &cs, sizeof(cs));
+ if (rc < 0) {
+ audit_msg(audit_priority(errno), "Error sending set capcontid request (%s)", strerror(-rc));
+ return 1;
+ }
+ return 0;
+ }
+}
+
+/*
* This function will retrieve the audit container identifier or -2 if
* there is an error.
*/
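Review bot: audit_get_capcontid sends the wrong query — `rc = audit_send(fd, AUDIT_GET_CONTID, &cs, sizeof(cs));` — while the reply loop only accepts `rep.type == AUDIT_GET_CAPCONTID`, so as written the container-id reply is discarded, the loop runs out the full 40-poll timeout and the caller always gets -2; the send should be `rc = audit_send(fd, AUDIT_GET_CAPCONTID, &cs, sizeof(cs));` with the matching message `"Error sending get capcontid req (%s)"`. Both audit_open() failure paths format `strerror(-rc)` while `rc` is still uninitialized; `strerror(errno)` is what the adjacent `audit_priority(errno)` already assumes. In audit_set_capcontid the descriptor from audit_open() is never released on the failure or the success path (unless audit_send closes it, which the `audit_close(fd)` after audit_send in the getter suggests it does not), `seq` is unused, and the early `return -2` on the feature check contradicts the header comment's 0-on-success/1-on-failure contract. The getter also sends `cs` with `cs.cap` uninitialized; `struct audit_capcontid_status cs = { .pid = pid };` avoids handing stack contents to the kernel.
```c
int audit_set_capcontid(pid_t pid, uint32_t capcontid)
{
	/* … unchanged: AUDIT_FEATURE_BITMAP_CONTAINERID check … */
		int rc;
		int fd = audit_open();
		struct audit_capcontid_status cs = { pid, capcontid };

		if (fd < 0) {
			audit_msg(audit_priority(errno), "Error openning set capcontid req (%s)", strerror(errno));
			return 1;
		}
		rc = audit_send(fd, AUDIT_SET_CAPCONTID, &cs, sizeof(cs));
		if (rc < 0) {
			audit_msg(audit_priority(errno), "Error sending set capcontid request (%s)", strerror(-rc));
			audit_close(fd);
			return 1;
		}
		audit_close(fd);
		return 0;
```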
diff --git a/lib/libaudit.h b/lib/libaudit.h
index 717724e8fbbb..8067ef30f427 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -275,6 +275,14 @@ extern "C" {
#define AUDIT_GET_SESSIONID 1026 /* get current process sessionid */
#endif
+#ifndef AUDIT_GET_CAPCONTID
+#define AUDIT_GET_CAPCONTID 1027 /* get contid of specified pid */
+#endif
+
+#ifndef AUDIT_SET_CAPCONTID
+#define AUDIT_SET_CAPCONTID 1028 /* set contid of specified pid */
+#endif
+
#ifndef AUDIT_MMAP
#define AUDIT_MMAP 1323 /* Descriptor and flags in mmap */
#endif
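Review bot: The comments on the two new message types still describe the container id rather than the capability and read as copy-paste from the AUDIT_GET_CONTID/AUDIT_SET_CONTID lines: `#define AUDIT_GET_CAPCONTID 1027 /* get capcontid of specified pid */` and `#define AUDIT_SET_CAPCONTID 1028 /* set capcontid of specified pid */`. The `struct audit_capcontid_status` added in the second hunk would also benefit from a one-line comment saying that `cap` is the capability value exchanged with the kernel for task `pid`, since the commit message is currently the only place stating what the field means.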
@@ -532,6 +540,11 @@ struct audit_message {
// internal - forward declaration
struct daemon_conf;
+struct audit_capcontid_status {
+ pid_t pid;
+ uint32_t cap;
+};
+
struct audit_cont_status {
pid_t pid;
uint64_t id;
@@ -559,6 +572,7 @@ struct audit_reply {
#endif
#ifdef AUDIT_FEATURE_BITMAP_CONTAINERID
struct audit_cont_status *cont;
+ struct audit_capcontid_status *capcontid;
#endif
};
};
diff --git a/lib/msg_typetab.h b/lib/msg_typetab.h
index 9f2b137dc7f8..f510e9790ea4 100644
--- a/lib/msg_typetab.h
+++ b/lib/msg_typetab.h
@@ -50,6 +50,8 @@ _S(AUDIT_LOGIN, "LOGIN" )
//_S(AUDIT_GET_LOGINUID, "GET_LOGINUID" )
//_S(AUDIT_SET_LOGINUID, "SET_LOGINUID" )
//_S(AUDIT_GET_SESSIONID, "GET_SESSIONID" )
+//_S(AUDIT_GET_CAPCONTID, "GET_CAPCONTID" )
+_S(AUDIT_SET_CAPCONTID, "SET_CAPCONTID" )
_S(AUDIT_CONTAINER_OP, "CONTAINER_OP" )
_S(AUDIT_USER_AUTH, "USER_AUTH" )
_S(AUDIT_USER_ACCT, "USER_ACCT" )
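Review bot: AUDIT_SET_CAPCONTID is enabled in the table while AUDIT_GET_CAPCONTID is commented out, which differs from the neighbouring GET_LOGINUID/SET_LOGINUID and GET_SESSIONID pairs where both halves are commented out; I cannot tell from the hunk whether this asymmetry is deliberate. If the intent is that only the set operation is ever rendered as an event name, a short comment on the active line, e.g. `_S(AUDIT_SET_CAPCONTID, "SET_CAPCONTID" ) // set path only; get is a query with no record`, would stop a later reader from "fixing" it.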
diff --git a/lib/netlink.c b/lib/netlink.c
index d177b865a79e..d378b32e0ff6 100644
--- a/lib/netlink.c
+++ b/lib/netlink.c
@@ -154,6 +154,7 @@ static int adjust_reply(struct audit_reply *rep, int len)
#endif
#ifdef AUDIT_FEATURE_BITMAP_CONTAINERID
rep->cont = NULL;
+ rep->capcontid = NULL;
#endif
if (!NLMSG_OK(rep->nlh, (unsigned int)len)) {
if (len == sizeof(rep->msg)) {
@@ -201,6 +202,9 @@ static int adjust_reply(struct audit_reply *rep, int len)
case AUDIT_SIGNAL_INFO2:
rep->signal_info2 = NLMSG_DATA(rep->nlh);
break;
+ case AUDIT_GET_CAPCONTID:
+ rep->capcontid = NLMSG_DATA(rep->nlh);
+ break;
case AUDIT_GET_CONTID:
rep->cont = NLMSG_DATA(rep->nlh);
break;
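Review bot: `rep->capcontid = NLMSG_DATA(rep->nlh);` is assigned without checking that the message payload is at least `sizeof(struct audit_capcontid_status)`, and audit_get_capcontid in lib/libaudit.c dereferences `rep.capcontid->pid` and `->cap` straight after, so a short reply from the kernel would be read past its end. The sibling cases visible here (AUDIT_SIGNAL_INFO2, AUDIT_GET_CONTID) follow the same pattern, so this is a note on the convention rather than a regression introduced by the hunk; a guard such as `if (NLMSG_PAYLOAD(rep->nlh, 0) >= sizeof(*rep->capcontid)) rep->capcontid = NLMSG_DATA(rep->nlh);` in the new case would leave the pointer NULL (as the first hunk initialises it) on a malformed reply. The enclosing switch in adjust_reply starts outside this hunk.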
--
1.8.3.1