From: Mimi Zohar <zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
To: Richard Guy Briggs <rgb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Linux-Audit Mailing List
<linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
LKML <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Cc: mszeredi-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org,
jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
carlos-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org,
simo-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
trondmy-7I+n7zu2hftEKMMhf/gKZA@public.gmane.org,
eparis-FjpueFixGhCM4zKIHC2jIg@public.gmane.org,
viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org
Subject: Re: [RFC PATCH V1 00/12] audit: implement container id
Date: Sun, 04 Mar 2018 16:55:57 -0500 [thread overview]
Message-ID: <1520200557.10396.257.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <cover.1519930146.git.rgb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
On Thu, 2018-03-01 at 14:41 -0500, Richard Guy Briggs wrote:
> Implement audit kernel container ID.
>
> This patchset is a preliminary RFC based on the proposal document (V3)
> posted:
> https://www.redhat.com/archives/linux-audit/2018-January/msg00014.html
>
> The first patch implements the proc fs write to set the audit container
> ID of a process, emitting an AUDIT_CONTAINER record.
>
> The second implements an auxiliary syscall record AUDIT_CONTAINER_INFO
> if a container ID is present on a task.
>
> The third adds filtering to the exit, exclude and user lists.
>
> The 4th, implements reading the container ID from the proc filesystem
> for debugging. This isn't planned for upstream inclusion.
>
> The 5th adds signal and ptrace support.
>
> The 6th attempts to create a local audit context to be able to bind a
> standalone record with the container ID record.
>
> The 7th, 8th, 9th, 10th patches add container ID records to standalone
> records. Some of these may end up being syscall auxiliary records and
> won't need this specific support since they'll be supported via
> syscalls.
>
> The 11th is a temporary workaround due to the AUDIT_CONTAINER records
> not showing up as do AUDIT_LOGIN records. I suspect this is due to its
> range (1000 vs 1300), but the intent is to solve it.
>
> The 12th adds debug information not intended for upstream for those
> brave souls wanting to tinker with it in this early state.
>
> Feedback please!
Which tree can this patch set be applied to?
Mimi
> Here's a quick and dirty test script:
> echo 123455 > /proc/$$/containerid; echo $?
> sleep 4&
> child=$!; sleep 1
> echo 18446744073709551615 > /proc/$child/containerid; echo $?
> echo 123456 > /proc/$child/containerid; echo $?
> echo 123457 > /proc/$child/containerid; echo $?
> sleep 1
> ausearch -ts recent |grep " contid=18446744073709551615"; echo $?
> ausearch -ts recent |grep " contid=123456"; echo $?
> ausearch -ts recent |grep " contid=123457"; echo $?
> echo self:$$ contid:$( cat /proc/$$/containerid)
> echo child:$child contid:$( cat /proc/$child/containerid)
>
> containerid=123458
> key=tmpcontainerid
> auditctl -a exit,always -F dir=/tmp -F perm=wa -F containerid=$containerid -F key=$key || echo failed to add containerid filter rule
> bash -c "sleep 1; echo test > /tmp/$key"&
> child=$!
> echo $containerid > /proc/$child/containerid
> sleep 2
> rm -f /tmp/$key
> ausearch -ts recent -k $key || echo failed to find CONTAINER_INFO record
> auditctl -d exit,always -F dir=/tmp -F perm=wa -F containerid=$containerid -F key=$key || echo failed to add containerid filter rule
>
> See:
> https://github.com/linux-audit/audit-kernel/issues/32
> https://github.com/linux-audit/audit-userspace/issues/40
> https://github.com/linux-audit/audit-testsuite/issues/64
>
> Richard Guy Briggs (12):
> audit: add container id
> audit: log container info of syscalls
> audit: add containerid filtering
> audit: read container ID of a process
> audit: add containerid support for ptrace and signals
> audit: add support for non-syscall auxiliary records
> audit: add container aux record to watch/tree/mark
> audit: add containerid support for tty_audit
> audit: add containerid support for config/feature/user records
> audit: add containerid support for seccomp and anom_abend records
> debug audit: add container id
> debug! audit: add container id
>
> drivers/tty/tty_audit.c | 5 +-
> fs/proc/base.c | 63 +++++++++++++++++++
> include/linux/audit.h | 36 +++++++++++
> include/linux/init_task.h | 4 +-
> include/linux/sched.h | 1 +
> include/uapi/linux/audit.h | 9 ++-
> kernel/audit.c | 74 +++++++++++++++++++---
> kernel/audit.h | 3 +
> kernel/audit_fsnotify.c | 5 +-
> kernel/audit_tree.c | 5 +-
> kernel/audit_watch.c | 33 +++++-----
> kernel/auditfilter.c | 52 ++++++++++++++-
> kernel/auditsc.c | 154 +++++++++++++++++++++++++++++++++++++++++++--
> 13 files changed, 408 insertions(+), 36 deletions(-)
>
next prev parent reply other threads:[~2018-03-04 21:55 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-01 19:41 [RFC PATCH V1 00/12] audit: implement container id Richard Guy Briggs
2018-03-01 19:41 ` [RFC PATCH V1 05/12] audit: add containerid support for ptrace and signals Richard Guy Briggs
2018-03-01 19:41 ` [RFC PATCH V1 06/12] audit: add support for non-syscall auxiliary records Richard Guy Briggs
2018-03-01 19:41 ` [RFC PATCH V1 07/12] audit: add container aux record to watch/tree/mark Richard Guy Briggs
2018-03-01 19:41 ` [RFC PATCH V1 08/12] audit: add containerid support for tty_audit Richard Guy Briggs
2018-03-01 19:41 ` [RFC PATCH V1 10/12] audit: add containerid support for seccomp and anom_abend records Richard Guy Briggs
2018-03-01 19:41 ` [RFC PATCH V1 11/12] debug audit: add container id Richard Guy Briggs
2018-03-01 19:41 ` [RFC PATCH V1 12/12] debug! " Richard Guy Briggs
[not found] ` <cover.1519930146.git.rgb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2018-03-01 19:41 ` [RFC PATCH V1 01/12] " Richard Guy Briggs
[not found] ` <2e5d93ee46feca915a101c2fc3062da674a98223.1519930146.git.rgb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2018-03-02 1:41 ` Richard Guy Briggs
2018-03-02 15:48 ` Paul Moore
2018-03-02 18:23 ` Matthew Wilcox
[not found] ` <20180302182321.GE31400-PfSpb0PWhxZc2C7mugBRk2EX/6BAtgUQ@public.gmane.org>
2018-03-02 19:25 ` Paul Moore
2018-03-15 20:27 ` Stefan Berger
2018-03-16 3:58 ` Richard Guy Briggs
2018-04-18 18:45 ` Stefan Berger
2018-04-18 19:23 ` Richard Guy Briggs
2018-04-18 19:39 ` Stefan Berger
2018-04-18 19:51 ` Richard Guy Briggs
2018-03-03 9:19 ` Serge E. Hallyn
2018-03-04 15:01 ` Paul Moore
[not found] ` <CAHC9VhQA23w39aaho1wkPawX7zxiGyTVQroZzpACKk8DK8-F8w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2018-03-05 8:16 ` Richard Guy Briggs
2018-03-01 19:41 ` [RFC PATCH V1 02/12] audit: log container info of syscalls Richard Guy Briggs
2018-03-01 19:41 ` [RFC PATCH V1 03/12] audit: add containerid filtering Richard Guy Briggs
2018-03-01 19:41 ` [RFC PATCH V1 04/12] audit: read container ID of a process Richard Guy Briggs
2018-03-01 19:41 ` [RFC PATCH V1 09/12] audit: add containerid support for config/feature/user records Richard Guy Briggs
2018-03-04 21:55 ` Mimi Zohar [this message]
[not found] ` <1520200557.10396.257.camel-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2018-03-05 3:31 ` [RFC PATCH V1 00/12] audit: implement container id Richard Guy Briggs
[not found] ` <20180305033128.6sqreoo5olqwq5og-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2018-03-05 13:27 ` Mimi Zohar
2018-03-06 15:04 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1520200557.10396.257.camel@linux.vnet.ibm.com \
--to=zohar-23vcf4htsmix0ybbhkvfkdbpr1lh4cv8@public.gmane.org \
--cc=carlos-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
--cc=eparis-FjpueFixGhCM4zKIHC2jIg@public.gmane.org \
--cc=jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
--cc=mszeredi-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=rgb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=simo-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=trondmy-7I+n7zu2hftEKMMhf/gKZA@public.gmane.org \
--cc=viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).