From: ebiederm@xmission.com (Eric W. Biederman)
To: Aristeu Rozanski <arozansk@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: [PATCH RFC 7/8] audit: report namespace information along with USER events
Date: Mon, 18 Mar 2013 14:44:33 -0700	[thread overview]
Message-ID: <871ubc9yda.fsf@xmission.com> (raw)
In-Reply-To: <1363619405-6419-8-git-send-email-arozansk@redhat.com> (Aristeu Rozanski's message of "Mon, 18 Mar 2013 11:10:04 -0400")

Aristeu Rozanski <arozansk@redhat.com> writes:

> For userspace generated events, include a record with the namespace
> procfs inode numbers the process belongs to. This allows tracking down
> and filtering audit messages by userspace.

I am not comfortable with using the inode numbers this way.  It does not
pass the "can I migrate a container and still have this work" test.
Any kind of kernel assigned name for namespaces fails that test.

I also don't like that you don't include the procfs device number.  An
inode number means nothing without knowing which filesystem you are
referring to.

It may never happen but I reserve the right to have the inode numbers
for namespaces to show up differently in different instances of procfs.

Beyond that I think this usage is possibly buggy by using two audit
records for one event.

> Signed-off-by: Aristeu Rozanski <arozansk@redhat.com>
> ---
>  include/uapi/linux/audit.h |    1 +
>  kernel/audit.c             |   51 +++++++++++++++++++++++++++++++++++++++++++-
>  2 files changed, 51 insertions(+), 1 deletions(-)
>
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 9f096f1..3ec3ccb 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -106,6 +106,7 @@
>  #define AUDIT_NETFILTER_PKT	1324	/* Packets traversing netfilter chains */
>  #define AUDIT_NETFILTER_CFG	1325	/* Netfilter chain modifications */
>  #define AUDIT_SECCOMP		1326	/* Secure Computing event */
> +#define AUDIT_USER_NAMESPACE	1327	/* Information about process' namespaces */
>  
>  #define AUDIT_AVC		1400	/* SE Linux avc denial or grant */
>  #define AUDIT_SELINUX_ERR	1401	/* Internal SE Linux Errors */
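
Review bot: the name AUDIT_USER_NAMESPACE reads as "user namespace", but the record that kernel/audit.c emits under this type carries the mnt, net, uts, ipc, pid and user namespace inodes together, so it is easy to confuse with the `user=` field and with CONFIG_USER_NS; a name such as AUDIT_NAMESPACE_INFO, or at least a header comment listing the fields, would be clearer. Since this is a uapi constant, the 1327 value and the field layout of the record also need to be documented for userspace consumers (ausearch/auparse), which the commit message does not do.
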
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 58db117..b17f9c0 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -62,6 +62,11 @@
>  #include <linux/freezer.h>
>  #include <linux/tty.h>
>  #include <linux/pid_namespace.h>
> +#include <linux/ipc_namespace.h>
> +#include <linux/mnt_namespace.h>
> +#include <linux/utsname.h>
> +#include <linux/user_namespace.h>
> +#include <net/net_namespace.h>
>  
>  #include "audit.h"
>  
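
Review bot: the helpers these headers are pulled in for (mntns_get_inum(), netns_get_inum(), utsns_get_inum(), ipcns_get_inum(), pidns_get_inum(), userns_get_inum()) are not defined anywhere in this patch, so it only builds on top of earlier patches in the series; the commit message should name the patch that introduces them. The includes could also be kept under the same #ifdef CONFIG_NAMESPACES that guards their only user in the next hunk.
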
> @@ -641,6 +646,49 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
>  	return rc;
>  }
>  
> +#ifdef CONFIG_NAMESPACES
> +static int audit_log_namespaces(struct task_struct *tsk,
> +				struct sk_buff *skb)
> +{
> +	struct audit_context *ctx = tsk->audit_context;
> +	struct audit_buffer *ab;
> +
> +	if (!audit_enabled)
> +		return 0;
> +
> +	ab = audit_log_start(ctx, GFP_KERNEL, AUDIT_USER_NAMESPACE);
> +	if (unlikely(!ab))
> +		return -ENOMEM;
> +
> +	audit_log_format(ab, "mnt=%u", mntns_get_inum(tsk));
> +#ifdef CONFIG_NET_NS
> +	audit_log_format(ab, " net=%u", netns_get_inum(tsk));
> +#endif
> +#ifdef CONFIG_UTS_NS
> +	audit_log_format(ab, " uts=%u", utsns_get_inum(tsk));
> +#endif
> +#ifdef CONFIG_IPC_NS
> +	audit_log_format(ab, " ipc=%u", ipcns_get_inum(tsk));
> +#endif
> +#ifdef CONFIG_PID_NS
> +	audit_log_format(ab, " pid=%u", pidns_get_inum(tsk));
> +#endif
> +#ifdef CONFIG_USER_NS
> +	audit_log_format(ab, " user=%u", userns_get_inum(tsk));
> +#endif  
> +	audit_set_pid(ab, NETLINK_CB(skb).portid);
> +	audit_log_end(ab);
> +
> +	return 0;
> +}
> +#else
> +static inline int audit_log_namespaces(struct task_struct *tsk,
> +				       struct sk_buff *skb)
> +{
> +	return 0;
> +}
> +#endif
> +
>  static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
>  {
>  	u32			seq, sid;
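
Review bot: audit_log_namespaces() opens a new record with audit_log_start(ctx, ...), where ctx is tsk->audit_context; when that context is NULL the namespace record gets its own serial number and cannot be tied back to the USER record it is meant to accompany, which is the two-records-for-one-event problem raised in the reply above. Logging these fields into the USER record's own buffer before audit_log_end() would avoid the second record entirely. Two field-naming problems: `pid=` here holds the pid namespace inode, while every other audit record uses `pid=` for the process id, so auparse/ausearch will misread it (consider `pidns=`, and likewise `mntns=`, `netns=`, `utsns=`, `ipcns=`, `userns=`), and the values are bare inode numbers with no device number, so they only identify a namespace relative to one procfs instance. Nits: trailing whitespace after the last `#endif`, and the -ENOMEM return is ignored by the only caller, so either make the function void or handle the error there.
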
> @@ -741,7 +789,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
>  			}
>  			audit_log_common_recv_msg(&ab, msg_type,
>  						  loginuid, sessionid, sid,
> -						  NULL);
> +						  current->audit_context);
>  
>  			if (msg_type != AUDIT_USER_TTY)
>  				audit_log_format(ab, " msg='%.1024s'",
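
Review bot: changing the last argument of audit_log_common_recv_msg() from NULL to current->audit_context alters the context every USER record is created with, not just the new namespace record, so it can change how existing USER records are stamped and correlated; that may be the intent (it is what would let the namespace record share the USER record's context), but it is a user-visible change to existing records and the commit message does not mention it.
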
> @@ -758,6 +806,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
>  			}
>  			audit_set_pid(ab, NETLINK_CB(skb).portid);
>  			audit_log_end(ab);
> +			audit_log_namespaces(current, skb);
>  		}
>  		break;
>  	case AUDIT_ADD:
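
Review bot: audit_log_namespaces() is called only after audit_log_end() of the USER record, so the namespace information always lands in a separate record, and its return value (-ENOMEM when audit_log_start() fails) is silently discarded. If the separate record is kept, check the return so that a dropped namespace record does not go unnoticed; otherwise emit the fields into `ab` before audit_log_end() and drop the call here.
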

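As an added illustration of the record layout the quoted hunks would produce (this is not code from the patch, the thread, or the kernel): a small Python parser that reads audit lines in the proposed two-record form, joins each namespace record to its USER record by the audit serial number, and reports namespace records that have no USER record with the same serial, which is the correlation failure the reply raises. The sample lines, the `UNKNOWN[1327]` type label (how auditd prints a type it has no name for) and the inode values are constructed; the field names mnt/net/uts/ipc/pid/user and the type number 1327 come from the hunks.

```python
import re

# Record type number from the quoted include/uapi/linux/audit.h hunk.
AUDIT_USER_NAMESPACE = 1327
# auditd labels a type it has no name for as UNKNOWN[<number>]; constructed assumption
# for how the new record would appear in a log before userspace learns the name.
NS_TYPE_LABEL = "UNKNOWN[%d]" % AUDIT_USER_NAMESPACE
# Field names in the order the quoted kernel/audit.c hunk emits them.
NS_FIELDS = ("mnt", "net", "uts", "ipc", "pid", "user")

# Constructed sample log: serial 42 is the intended pairing (USER record followed by
# the namespace record with the same serial); serial 43/44 is the failure mode where
# the namespace record was stamped with a fresh serial and no longer matches its event.
SAMPLE_LOG = """\
type=USER msg=audit(1363619405.123:42): pid=1234 uid=0 auid=1000 ses=3 msg='op=login acct="root" exe="/bin/login" res=success'
type=UNKNOWN[1327] msg=audit(1363619405.123:42): mnt=4026531840 net=4026531956 uts=4026531838 ipc=4026531839 pid=4026531836 user=4026531837
type=USER msg=audit(1363619405.200:43): pid=1240 uid=1000 auid=1000 ses=3 msg='op=logout res=success'
type=UNKNOWN[1327] msg=audit(1363619405.200:44): mnt=4026532001 net=4026532002 uts=4026531838 ipc=4026531839 pid=4026531836 user=4026531837
"""

LINE_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$"
)
# key=value pairs; a value is a single-quoted string, a double-quoted string, or a bare token.
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")


def parse_audit_line(line):
    """Split one audit line into type, timestamp, serial and a dict of fields.
    Returns None for lines that do not have the audit(ts:serial) header."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip("'\"") for k, v in FIELD_RE.findall(m.group("body"))}
    return {
        "type": m.group("type"),
        "ts": m.group("ts"),
        "serial": int(m.group("serial")),
        "fields": fields,
    }


def parse_audit_log(text):
    """Parse every well-formed line of an audit log, skipping the rest."""
    return [r for r in (parse_audit_line(l) for l in text.splitlines()) if r]


def correlate_namespaces(text):
    """Group records by serial: {serial: {"user": fields or None, "ns": inums or None}}.
    Note that the namespace record's pid= is a pid-namespace inode, not a process id,
    so it is kept apart from the USER record's pid= field."""
    events = {}
    for rec in parse_audit_log(text):
        slot = events.setdefault(rec["serial"], {"user": None, "ns": None})
        if rec["type"] == NS_TYPE_LABEL:
            slot["ns"] = {k: int(rec["fields"][k]) for k in NS_FIELDS if k in rec["fields"]}
        elif rec["type"].startswith("USER"):
            slot["user"] = rec["fields"]
    return events


def unmatched_namespace_serials(text):
    """Serials that carry a namespace record but no USER record: namespace
    information that cannot be attributed to the event it was logged for."""
    return sorted(
        s for s, e in correlate_namespaces(text).items()
        if e["ns"] is not None and e["user"] is None
    )


if __name__ == "__main__":
    for serial, ev in sorted(correlate_namespaces(SAMPLE_LOG).items()):
        print(serial, "user=" + str(ev["user"] is not None), "ns=" + str(ev["ns"]))
    print("orphaned namespace records:", unmatched_namespace_serials(SAMPLE_LOG))
```

Running it on the constructed sample shows serial 42 with both halves joined, serial 43 with a USER record and no namespace data, and serial 44 reported as an orphaned namespace record. Even where the join succeeds, the joined inode numbers still carry no device number, so two logs from different procfs instances cannot be compared on these values alone.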