From: Richard Guy Briggs <rgb@redhat.com>
To: cgroups@vger.kernel.org, containers@lists.linux-foundation.org,
linux-api@vger.kernel.org,
Linux-Audit Mailing List <linux-audit@redhat.com>,
linux-fsdevel@vger.kernel.org,
LKML <linux-kernel@vger.kernel.org>,
netdev@vger.kernel.org
Cc: mszeredi@redhat.com, luto@kernel.org, jlayton@redhat.com,
carlos@redhat.com, viro@zeniv.linux.org.uk, dhowells@redhat.com,
simo@redhat.com, trondmy@primarydata.com, eparis@parisplace.org,
serge@hallyn.com, ebiederm@xmission.com, madzcar@gmail.com,
Richard Guy Briggs <rgb@redhat.com>
Subject: [RFC PATCH V1 07/12] audit: add container aux record to watch/tree/mark
Date: Thu, 1 Mar 2018 14:41:10 -0500 [thread overview]
Message-ID: <6c071b3e4fbe848ccd692c7dc27c9f75589852c0.1519930146.git.rgb@redhat.com> (raw)
In-Reply-To: <cover.1519930146.git.rgb@redhat.com>
In-Reply-To: <cover.1519930146.git.rgb@redhat.com>
Add container ID information to mark, watch and tree rule standalone
records.
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
kernel/audit_fsnotify.c | 5 ++++-
kernel/audit_tree.c | 5 ++++-
kernel/audit_watch.c | 33 +++++++++++++++++++--------------
3 files changed, 27 insertions(+), 16 deletions(-)
diff --git a/kernel/audit_fsnotify.c b/kernel/audit_fsnotify.c
index 52f368b..18c110d 100644
--- a/kernel/audit_fsnotify.c
+++ b/kernel/audit_fsnotify.c
@@ -124,10 +124,11 @@ static void audit_mark_log_rule_change(struct audit_fsnotify_mark *audit_mark, c
{
struct audit_buffer *ab;
struct audit_krule *rule = audit_mark->rule;
+ struct audit_context *context = audit_alloc_local();
if (!audit_enabled)
return;
- ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
+ ab = audit_log_start(context, GFP_NOFS, AUDIT_CONFIG_CHANGE);
if (unlikely(!ab))
return;
audit_log_format(ab, "auid=%u ses=%u op=%s",
@@ -138,6 +139,8 @@ static void audit_mark_log_rule_change(struct audit_fsnotify_mark *audit_mark, c
audit_log_key(ab, rule->filterkey);
audit_log_format(ab, " list=%d res=1", rule->listnr);
audit_log_end(ab);
+ audit_log_container_info(context, "config", audit_get_containerid(current));
+ audit_free_context(context);
}
void audit_remove_mark(struct audit_fsnotify_mark *audit_mark)
diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c
index fd35312..2ad85d4 100644
--- a/kernel/audit_tree.c
+++ b/kernel/audit_tree.c
@@ -496,8 +496,9 @@ static int tag_chunk(struct inode *inode, struct audit_tree *tree)
static void audit_tree_log_remove_rule(struct audit_krule *rule)
{
struct audit_buffer *ab;
+ struct audit_context *context = audit_alloc_local();
- ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
+ ab = audit_log_start(context, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
if (unlikely(!ab))
return;
audit_log_format(ab, "op=remove_rule");
@@ -506,6 +507,8 @@ static void audit_tree_log_remove_rule(struct audit_krule *rule)
audit_log_key(ab, rule->filterkey);
audit_log_format(ab, " list=%d res=1", rule->listnr);
audit_log_end(ab);
+ audit_log_container_info(context, "config", audit_get_containerid(current));
+ audit_free_context(context);
}
static void kill_rules(struct audit_tree *tree)
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index 9eb8b35..60d75a2 100644
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -238,20 +238,25 @@ static struct audit_watch *audit_dupe_watch(struct audit_watch *old)
static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watch *w, char *op)
{
- if (audit_enabled) {
- struct audit_buffer *ab;
- ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
- if (unlikely(!ab))
- return;
- audit_log_format(ab, "auid=%u ses=%u op=%s",
- from_kuid(&init_user_ns, audit_get_loginuid(current)),
- audit_get_sessionid(current), op);
- audit_log_format(ab, " path=");
- audit_log_untrustedstring(ab, w->path);
- audit_log_key(ab, r->filterkey);
- audit_log_format(ab, " list=%d res=1", r->listnr);
- audit_log_end(ab);
- }
+ struct audit_buffer *ab;
+ struct audit_context *context = audit_alloc_local();
+
+ if (!audit_enabled)
+ return;
+
+ ab = audit_log_start(context, GFP_NOFS, AUDIT_CONFIG_CHANGE);
+ if (unlikely(!ab))
+ return;
+ audit_log_format(ab, "auid=%u ses=%u op=%s",
+ from_kuid(&init_user_ns, audit_get_loginuid(current)),
+ audit_get_sessionid(current), op);
+ audit_log_format(ab, " path=");
+ audit_log_untrustedstring(ab, w->path);
+ audit_log_key(ab, r->filterkey);
+ audit_log_format(ab, " list=%d res=1", r->listnr);
+ audit_log_end(ab);
+ audit_log_container_info(context, "config", audit_get_containerid(current));
+ audit_free_context(context);
}
/* Update inode info in audit rules based on filesystem event. */
--
1.8.3.1
next prev parent reply other threads:[~2018-03-01 19:41 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-01 19:41 [RFC PATCH V1 00/12] audit: implement container id Richard Guy Briggs
2018-03-01 19:41 ` [RFC PATCH V1 05/12] audit: add containerid support for ptrace and signals Richard Guy Briggs
2018-03-01 19:41 ` [RFC PATCH V1 06/12] audit: add support for non-syscall auxiliary records Richard Guy Briggs
2018-03-01 19:41 ` Richard Guy Briggs [this message]
2018-03-01 19:41 ` [RFC PATCH V1 08/12] audit: add containerid support for tty_audit Richard Guy Briggs
2018-03-01 19:41 ` [RFC PATCH V1 10/12] audit: add containerid support for seccomp and anom_abend records Richard Guy Briggs
2018-03-01 19:41 ` [RFC PATCH V1 11/12] debug audit: add container id Richard Guy Briggs
2018-03-01 19:41 ` [RFC PATCH V1 12/12] debug! " Richard Guy Briggs
[not found] ` <cover.1519930146.git.rgb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2018-03-01 19:41 ` [RFC PATCH V1 01/12] " Richard Guy Briggs
2018-03-03 9:19 ` Serge E. Hallyn
2018-03-04 15:01 ` Paul Moore
[not found] ` <CAHC9VhQA23w39aaho1wkPawX7zxiGyTVQroZzpACKk8DK8-F8w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2018-03-05 8:16 ` Richard Guy Briggs
[not found] ` <2e5d93ee46feca915a101c2fc3062da674a98223.1519930146.git.rgb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2018-03-02 1:41 ` Richard Guy Briggs
2018-03-02 15:48 ` Paul Moore
2018-03-02 18:23 ` Matthew Wilcox
[not found] ` <20180302182321.GE31400-PfSpb0PWhxZc2C7mugBRk2EX/6BAtgUQ@public.gmane.org>
2018-03-02 19:25 ` Paul Moore
2018-03-15 20:27 ` Stefan Berger
2018-03-16 3:58 ` Richard Guy Briggs
2018-04-18 18:45 ` Stefan Berger
2018-04-18 19:23 ` Richard Guy Briggs
2018-04-18 19:39 ` Stefan Berger
2018-04-18 19:51 ` Richard Guy Briggs
2018-03-01 19:41 ` [RFC PATCH V1 02/12] audit: log container info of syscalls Richard Guy Briggs
2018-03-01 19:41 ` [RFC PATCH V1 03/12] audit: add containerid filtering Richard Guy Briggs
2018-03-01 19:41 ` [RFC PATCH V1 04/12] audit: read container ID of a process Richard Guy Briggs
2018-03-01 19:41 ` [RFC PATCH V1 09/12] audit: add containerid support for config/feature/user records Richard Guy Briggs
2018-03-04 21:55 ` [RFC PATCH V1 00/12] audit: implement container id Mimi Zohar
[not found] ` <1520200557.10396.257.camel-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2018-03-05 3:31 ` Richard Guy Briggs
[not found] ` <20180305033128.6sqreoo5olqwq5og-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2018-03-05 13:27 ` Mimi Zohar
2018-03-06 15:04 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6c071b3e4fbe848ccd692c7dc27c9f75589852c0.1519930146.git.rgb@redhat.com \
--to=rgb@redhat.com \
--cc=carlos@redhat.com \
--cc=cgroups@vger.kernel.org \
--cc=containers@lists.linux-foundation.org \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=eparis@parisplace.org \
--cc=jlayton@redhat.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-audit@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=madzcar@gmail.com \
--cc=mszeredi@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=simo@redhat.com \
--cc=trondmy@primarydata.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).