* [PATCH][RFC] audit: log namespace inode numbers
@ 2013-12-21 3:32 Richard Guy Briggs
From: Richard Guy Briggs @ 2013-12-21 3:32 UTC (permalink / raw)
To: linux-audit; +Cc: Richard Guy Briggs, Stephan Mueller
Log the namespace details of a task.
---
Does anyone have comments on this patch?
I'm looking for guidance on which types of messages should have namespace
information included. I've included too many, I suspect.
I also wonder if displaying these inode numbers in hexadecimal makes more sense
than decimal, since they are all based around 0xF0000000. These are all with
reference to the proc filesystem, so a device number should not be necessary to
qualify them.
include/linux/audit.h | 1 +
kernel/audit.c | 29 +++++++++++++++++++++++++++++
kernel/audit_watch.c | 1 +
kernel/auditfilter.c | 1 +
kernel/auditsc.c | 5 +++++
5 files changed, 37 insertions(+), 0 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 6976219..75fa602 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -92,6 +92,7 @@ extern int audit_classify_arch(int arch);
struct filename;
extern void audit_log_session_info(struct audit_buffer *ab);
+extern void audit_log_namespace_info(struct audit_buffer *ab, struct task_struct *tsk);
#ifdef CONFIG_AUDITSYSCALL
/* These are defined in auditsc.c */
diff --git a/kernel/audit.c b/kernel/audit.c
index dc03a30..b4c39a9 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -62,7 +62,15 @@
#endif
#include <linux/freezer.h>
#include <linux/tty.h>
+#include <linux/nsproxy.h>
+#include <linux/utsname.h>
+#include <linux/ipc_namespace.h>
+#include "../fs/mount.h"
+#include <linux/mount.h>
+#include <linux/mnt_namespace.h>
#include <linux/pid_namespace.h>
+#include <net/net_namespace.h>
+#include <linux/user_namespace.h>
#include <net/netns/generic.h>
#include "audit.h"
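Review bot: `#include "../fs/mount.h"` pulls a filesystem-private header into kernel/audit.c, and it is needed only so that the new audit_log_namespace_info later in this file can dereference `nsproxy->mnt_ns->proc_inum`. A small accessor exported from the mount-namespace code (returning the inum of a `struct mnt_namespace *`) would keep that struct private to fs/ and let the relative include go; the `<linux/...>` and `<net/...>` headers added alongside already cover the other namespaces. The quoted include also sits in the middle of the angle-bracket group; if it has to stay, placing it next to `#include "audit.h"` matches the file's existing layout.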
@@ -292,6 +300,7 @@ static int audit_log_config_change(char *function_name, int new, int old,
return rc;
audit_log_format(ab, "%s=%d old=%d", function_name, new, old);
audit_log_session_info(ab);
+ audit_log_namespace_info(ab, current);
rc = audit_log_task_context(ab);
if (rc)
allow_changes = 0; /* Something weird, deny request */
@@ -657,6 +666,7 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
return rc;
audit_log_format(*ab, "pid=%d uid=%u", task_tgid_vnr(current), uid);
audit_log_session_info(*ab);
+ audit_log_namespace_info(*ab, current);
audit_log_task_context(*ab);
return rc;
@@ -689,6 +699,7 @@ static void audit_log_feature_change(int which, u32 old_feature, u32 new_feature
return;
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_FEATURE_CHANGE);
+ audit_log_namespace_info(ab, current);
audit_log_format(ab, "feature=%s old=%d new=%d old_lock=%d new_lock=%d res=%d",
audit_feature_names[which], !!old_feature, !!new_feature,
!!old_lock, !!new_lock, res);
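Review bot: The namespace fields are emitted on the line right after audit_log_start, before `feature=`, so this record begins with a leading space and its primary field is no longer first, whereas every other call site in this series appends the namespace info after the record's main fields. Moving the call to follow the `audit_log_format(ab, "feature=%s ...")` statement keeps the record shape consistent: `audit_log_namespace_info(ab, current);` after that format call. audit_log_start can return NULL here with no visible check; audit_log_format tolerates a NULL buffer, and the new helper presumably relies on the same behaviour since it never inspects `ab` itself. audit_log_feature_change's body continues outside the hunk.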
@@ -1621,6 +1632,23 @@ void audit_log_session_info(struct audit_buffer *ab)
audit_log_format(ab, " auid=%u ses=%u", auid, sessionid);
}
+void audit_log_namespace_info(struct audit_buffer *ab, struct task_struct *tsk)
+{
+ struct nsproxy *nsproxy;
+
+ rcu_read_lock();
+ audit_log_format(ab, " pidns=%x", task_active_pid_ns(tsk)->proc_inum);
+ nsproxy = task_nsproxy(tsk);
+ if (nsproxy != NULL) {
+ audit_log_format(ab, " usrns=%x", nsproxy->net_ns->user_ns->proc_inum);
+ audit_log_format(ab, " utsns=%x", nsproxy->uts_ns->proc_inum);
+ audit_log_format(ab, " ipcns=%x", nsproxy->ipc_ns->proc_inum);
+ audit_log_format(ab, " mntns=%x", nsproxy->mnt_ns->proc_inum);
+ audit_log_format(ab, " netns=%x", nsproxy->net_ns->proc_inum);
+ }
+ rcu_read_unlock();
+}
+
void audit_log_key(struct audit_buffer *ab, char *key)
{
audit_log_format(ab, " key=");
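Review bot: `usrns` is read from `nsproxy->net_ns->user_ns`, which is the user namespace that owns the task's network namespace, not the task's own user namespace; a task that has unshared CLONE_NEWUSER without CLONE_NEWNET is reported with the older user ns, which is the one value in this record a policy decision is most likely to hinge on. The task's user namespace is reachable from its credentials, `task_cred_xxx(tsk, user_ns)`, and does not depend on nsproxy being non-NULL. Separately, every audit_log_format call here runs inside rcu_read_lock(); audit_log_format may have to grow the buffer using the buffer's gfp_mask, and at least one caller in this series allocates with GFP_KERNEL (audit_log_feature_change), so it is safer to snapshot the inode numbers under RCU and log them after rcu_read_unlock(). The rewrite below does both; `task_active_pid_ns(tsk)` is still dereferenced unchecked, which holds for the `current` argument all callers pass but deserves a comment on the function stating that expectation.

```c
void audit_log_namespace_info(struct audit_buffer *ab, struct task_struct *tsk)
{
	struct nsproxy *nsproxy;
	unsigned int pidns, usrns;
	unsigned int utsns = 0, ipcns = 0, mntns = 0, netns = 0;
	bool have_nsproxy = false;

	/* Snapshot only under RCU; logging may need to grow the buffer. */
	rcu_read_lock();
	pidns = task_active_pid_ns(tsk)->proc_inum;
	usrns = task_cred_xxx(tsk, user_ns)->proc_inum;
	nsproxy = task_nsproxy(tsk);
	if (nsproxy) {
		have_nsproxy = true;
		utsns = nsproxy->uts_ns->proc_inum;
		ipcns = nsproxy->ipc_ns->proc_inum;
		mntns = nsproxy->mnt_ns->proc_inum;
		netns = nsproxy->net_ns->proc_inum;
	}
	rcu_read_unlock();

	audit_log_format(ab, " pidns=%x usrns=%x", pidns, usrns);
	if (have_nsproxy)
		audit_log_format(ab, " utsns=%x ipcns=%x mntns=%x netns=%x",
				 utsns, ipcns, mntns, netns);
}
```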
@@ -1890,6 +1918,7 @@ void audit_log_link_denied(const char *operation, struct path *link)
goto out;
audit_log_format(ab, "op=%s", operation);
audit_log_task_info(ab, current);
+ audit_log_namespace_info(ab, current);
audit_log_format(ab, " res=0");
audit_log_end(ab);
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index 22831c4..2382a3e 100644
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -245,6 +245,7 @@ static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watc
audit_log_format(ab, "auid=%u ses=%u op=",
from_kuid(&init_user_ns, audit_get_loginuid(current)),
audit_get_sessionid(current));
+ audit_log_namespace_info(ab, current);
audit_log_string(ab, op);
audit_log_format(ab, " path=");
audit_log_untrustedstring(ab, w->path);
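Review bot: The new call is placed between `audit_log_format(ab, "auid=%u ses=%u op=", ...)` and the `audit_log_string(ab, op)` that supplies the value of `op=`, so the record reads `op= pidns=... netns=... "<op>"`: the op field is left empty and the operation string is detached from its key. Move the call either before the `auid=` format statement or after the string is written, e.g. `audit_log_string(ab, op);` followed by `audit_log_namespace_info(ab, current);`. audit_watch_log_rule_change starts outside the hunk.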
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 14a78cc..9c4b004 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1014,6 +1014,7 @@ static void audit_log_rule_change(char *action, struct audit_krule *rule, int re
if (!ab)
return;
audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid);
+ audit_log_namespace_info(ab, current);
audit_log_task_context(ab);
audit_log_format(ab, " op=");
audit_log_string(ab, action);
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 10176cd..3c73a3b 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -974,6 +974,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
from_kuid(&init_user_ns, auid),
from_kuid(&init_user_ns, uid), sessionid);
+ audit_log_namespace_info(ab, current);
if (sid) {
if (security_secid_to_secctx(sid, &ctx, &len)) {
audit_log_format(ab, " obj=(none)");
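Review bot: This record describes a different task (`opid=`, `oauid=`, `ouid=`, `oses=`), but the appended namespace fields are those of `current` under the unprefixed `pidns=`/`netns=` keys, so a consumer cannot tell whether they belong to the subject or to the object pid. If the object's namespaces are what matters here, the fields should be derived from the target task rather than `current` (only `pid` is in view in this function, so a lookup would be needed) and carry the same `o` prefix as the surrounding fields; if the subject's are intended, they belong in the subject's own record instead. audit_log_pid_context starts and ends outside the hunk.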
@@ -1302,6 +1303,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
context->name_count);
audit_log_task_info(ab, tsk);
+ audit_log_namespace_info(ab, current);
audit_log_key(ab, context->filterkey);
audit_log_end(ab);
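Review bot: The line above passes `tsk` to audit_log_task_info, but the new call passes `current`, so whenever audit_log_exit runs for a task other than the caller (the reason it takes a `tsk` parameter at all) the record mixes the exiting task's identity with the caller's namespaces. Use the same task for both: `audit_log_namespace_info(ab, tsk);`. audit_log_exit starts outside the hunk.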
@@ -1987,6 +1989,7 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
current->pid, uid,
oldloginuid, loginuid, oldsessionid, sessionid,
!rc);
+ audit_log_namespace_info(ab, current);
audit_log_end(ab);
}
@@ -2400,6 +2403,7 @@ void audit_core_dumps(long signr)
if (unlikely(!ab))
return;
audit_log_task(ab);
+ audit_log_namespace_info(ab, current);
audit_log_format(ab, " sig=%ld", signr);
audit_log_end(ab);
}
@@ -2412,6 +2416,7 @@ void __audit_seccomp(unsigned long syscall, long signr, int code)
if (unlikely(!ab))
return;
audit_log_task(ab);
+ audit_log_namespace_info(ab, current);
audit_log_format(ab, " sig=%ld", signr);
audit_log_format(ab, " syscall=%ld", syscall);
audit_log_format(ab, " compat=%d", is_compat_task());
--
1.7.1
* Re: [PATCH][RFC] audit: log namespace inode numbers
From: William Roberts @ 2013-12-21 9:01 UTC (permalink / raw)
To: Richard Guy Briggs; +Cc: Stephan Mueller, linux-audit
I'm doing work now involving namespaces....the necessity is real. I'll
take a look early next week.
On Dec 20, 2013 10:34 PM, "Richard Guy Briggs" <rgb@redhat.com> wrote:
> Log the namespace details of a task.
> ---
>
> Does anyone have comments on this patch?
>
> I'm looking for guidance on which types of messages should have namespace
> information included. I've included too many, I suspect.
>
> I also wonder if displaying these inode numbers in hexadecimal makes more
> sense
> than decimal, since they are all based around 0xF0000000. These are all
> with
> reference to the proc filesystem, so a device number should not be
> necessary to
> qualify them.
>
>
> include/linux/audit.h | 1 +
> kernel/audit.c | 29 +++++++++++++++++++++++++++++
> kernel/audit_watch.c | 1 +
> kernel/auditfilter.c | 1 +
> kernel/auditsc.c | 5 +++++
> 5 files changed, 37 insertions(+), 0 deletions(-)
>
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index 6976219..75fa602 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -92,6 +92,7 @@ extern int audit_classify_arch(int arch);
> struct filename;
>
> extern void audit_log_session_info(struct audit_buffer *ab);
> +extern void audit_log_namespace_info(struct audit_buffer *ab, struct
> task_struct *tsk);
>
> #ifdef CONFIG_AUDITSYSCALL
> /* These are defined in auditsc.c */
> diff --git a/kernel/audit.c b/kernel/audit.c
> index dc03a30..b4c39a9 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -62,7 +62,15 @@
> #endif
> #include <linux/freezer.h>
> #include <linux/tty.h>
> +#include <linux/nsproxy.h>
> +#include <linux/utsname.h>
> +#include <linux/ipc_namespace.h>
> +#include "../fs/mount.h"
> +#include <linux/mount.h>
> +#include <linux/mnt_namespace.h>
> #include <linux/pid_namespace.h>
> +#include <net/net_namespace.h>
> +#include <linux/user_namespace.h>
> #include <net/netns/generic.h>
>
> #include "audit.h"
> @@ -292,6 +300,7 @@ static int audit_log_config_change(char
> *function_name, int new, int old,
> return rc;
> audit_log_format(ab, "%s=%d old=%d", function_name, new, old);
> audit_log_session_info(ab);
> + audit_log_namespace_info(ab, current);
> rc = audit_log_task_context(ab);
> if (rc)
> allow_changes = 0; /* Something weird, deny request */
> @@ -657,6 +666,7 @@ static int audit_log_common_recv_msg(struct
> audit_buffer **ab, u16 msg_type)
> return rc;
> audit_log_format(*ab, "pid=%d uid=%u", task_tgid_vnr(current),
> uid);
> audit_log_session_info(*ab);
> + audit_log_namespace_info(*ab, current);
> audit_log_task_context(*ab);
>
> return rc;
> @@ -689,6 +699,7 @@ static void audit_log_feature_change(int which, u32
> old_feature, u32 new_feature
> return;
>
> ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_FEATURE_CHANGE);
> + audit_log_namespace_info(ab, current);
> audit_log_format(ab, "feature=%s old=%d new=%d old_lock=%d
> new_lock=%d res=%d",
> audit_feature_names[which], !!old_feature,
> !!new_feature,
> !!old_lock, !!new_lock, res);
> @@ -1621,6 +1632,23 @@ void audit_log_session_info(struct audit_buffer *ab)
> audit_log_format(ab, " auid=%u ses=%u", auid, sessionid);
> }
>
> +void audit_log_namespace_info(struct audit_buffer *ab, struct task_struct
> *tsk)
> +{
> + struct nsproxy *nsproxy;
> +
> + rcu_read_lock();
> + audit_log_format(ab, " pidns=%x",
> task_active_pid_ns(tsk)->proc_inum);
> + nsproxy = task_nsproxy(tsk);
> + if (nsproxy != NULL) {
> + audit_log_format(ab, " usrns=%x",
> nsproxy->net_ns->user_ns->proc_inum);
> + audit_log_format(ab, " utsns=%x",
> nsproxy->uts_ns->proc_inum);
> + audit_log_format(ab, " ipcns=%x",
> nsproxy->ipc_ns->proc_inum);
> + audit_log_format(ab, " mntns=%x",
> nsproxy->mnt_ns->proc_inum);
> + audit_log_format(ab, " netns=%x",
> nsproxy->net_ns->proc_inum);
> + }
> + rcu_read_unlock();
> +}
> +
> void audit_log_key(struct audit_buffer *ab, char *key)
> {
> audit_log_format(ab, " key=");
> @@ -1890,6 +1918,7 @@ void audit_log_link_denied(const char *operation,
> struct path *link)
> goto out;
> audit_log_format(ab, "op=%s", operation);
> audit_log_task_info(ab, current);
> + audit_log_namespace_info(ab, current);
> audit_log_format(ab, " res=0");
> audit_log_end(ab);
>
> diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
> index 22831c4..2382a3e 100644
> --- a/kernel/audit_watch.c
> +++ b/kernel/audit_watch.c
> @@ -245,6 +245,7 @@ static void audit_watch_log_rule_change(struct
> audit_krule *r, struct audit_watc
> audit_log_format(ab, "auid=%u ses=%u op=",
> from_kuid(&init_user_ns,
> audit_get_loginuid(current)),
> audit_get_sessionid(current));
> + audit_log_namespace_info(ab, current);
> audit_log_string(ab, op);
> audit_log_format(ab, " path=");
> audit_log_untrustedstring(ab, w->path);
> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index 14a78cc..9c4b004 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -1014,6 +1014,7 @@ static void audit_log_rule_change(char *action,
> struct audit_krule *rule, int re
> if (!ab)
> return;
> audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid);
> + audit_log_namespace_info(ab, current);
> audit_log_task_context(ab);
> audit_log_format(ab, " op=");
> audit_log_string(ab, action);
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 10176cd..3c73a3b 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -974,6 +974,7 @@ static int audit_log_pid_context(struct audit_context
> *context, pid_t pid,
> audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
> from_kuid(&init_user_ns, auid),
> from_kuid(&init_user_ns, uid), sessionid);
> + audit_log_namespace_info(ab, current);
> if (sid) {
> if (security_secid_to_secctx(sid, &ctx, &len)) {
> audit_log_format(ab, " obj=(none)");
> @@ -1302,6 +1303,7 @@ static void audit_log_exit(struct audit_context
> *context, struct task_struct *ts
> context->name_count);
>
> audit_log_task_info(ab, tsk);
> + audit_log_namespace_info(ab, current);
> audit_log_key(ab, context->filterkey);
> audit_log_end(ab);
>
> @@ -1987,6 +1989,7 @@ static void audit_log_set_loginuid(kuid_t
> koldloginuid, kuid_t kloginuid,
> current->pid, uid,
> oldloginuid, loginuid, oldsessionid, sessionid,
> !rc);
> + audit_log_namespace_info(ab, current);
> audit_log_end(ab);
> }
>
> @@ -2400,6 +2403,7 @@ void audit_core_dumps(long signr)
> if (unlikely(!ab))
> return;
> audit_log_task(ab);
> + audit_log_namespace_info(ab, current);
> audit_log_format(ab, " sig=%ld", signr);
> audit_log_end(ab);
> }
> @@ -2412,6 +2416,7 @@ void __audit_seccomp(unsigned long syscall, long
> signr, int code)
> if (unlikely(!ab))
> return;
> audit_log_task(ab);
> + audit_log_namespace_info(ab, current);
> audit_log_format(ab, " sig=%ld", signr);
> audit_log_format(ab, " syscall=%ld", syscall);
> audit_log_format(ab, " compat=%d", is_compat_task());
> --
> 1.7.1
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>
* Re: [PATCH][RFC] audit: log namespace inode numbers
From: Stephan Mueller @ 2014-01-07 6:07 UTC (permalink / raw)
To: Richard Guy Briggs; +Cc: linux-audit
Am Freitag, 20. Dezember 2013, 22:32:29 schrieb Richard Guy Briggs:
Hi Richard,
>Log the namespace details of a task.
>---
>
>Does anyone have comments on this patch?
>
>I'm looking for guidance on which types of messages should have
>namespace information included. I've included too many, I suspect.
>
>I also wonder if displaying these inode numbers in hexadecimal makes
>more sense than decimal, since they are all based around 0xF0000000.
>These are all with reference to the proc filesystem, so a device
>number should not be necessary to qualify them.
I have a general question: why do you sprinkle so many callbacks to audit_log_namespace_info throughout the code? As namespaces apply only to the acting entities, i.e. the processes, wouldn't it be sufficient to only add it to audit_log_task_context? So, everywhere where the context is needed in the audit trail, we log something about the credentials of the process.
Ciao
Stephan
* Re: [PATCH][RFC] audit: log namespace inode numbers
From: Richard Guy Briggs @ 2014-01-07 17:43 UTC (permalink / raw)
To: Stephan Mueller; +Cc: linux-audit
On 14/01/07, Stephan Mueller wrote:
> Am Freitag, 20. Dezember 2013, 22:32:29 schrieb Richard Guy Briggs:
>
> Hi Richard,
>
> >Log the namespace details of a task.
> >---
> >
> >Does anyone have comments on this patch?
> >
> >I'm looking for guidance on which types of messages should have
> >namespace information included. I've included too many, I suspect.
> >
> >I also wonder if displaying these inode numbers in hexadecimal makes
> >more sense than decimal, since they are all based around 0xF0000000.
> >These are all with reference to the proc filesystem, so a device
> >number should not be necessary to qualify them.
>
> I have a general question: why do you sprinkle so many callbacks to
> audit_log_namespace_info throughout the code? As namespaces apply only
> to the acting entities, i.e. the processes, wouldn't it be sufficient
> to only add it to audit_log_task_context? So, everywhere where the
> context is needed in the audit trail, we log something about the
> credentials of the process.
Yes, your suggestion is much cleaner. This was some of the lingering
doubt I had about where to add it. While reviewing, I found a duplicate
when called from audit_log_pid_context(). I also found a couple of
functions that don't have sufficient logging coverage
(audit_log_feature_change and audit_log_set_loginuid).
Thanks for the helpful review!
> Stephan
- RGB
--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
* Re: [PATCH][RFC] audit: log namespace inode numbers
From: Eric Paris @ 2014-01-14 3:08 UTC (permalink / raw)
To: William Roberts; +Cc: Richard Guy Briggs, Stephan Mueller, linux-audit
Somehow I managed to lose this patch, but a couple of comments.
Didn't Aris do this at least as far back as March? Might want to
ask for his work.
audit_log_context() logs the LSM portion of a process. I don't believe
this should be added to that function.
What happens if namespaces are compiled out?
There's got to be more....
On Sat, 2013-12-21 at 04:01 -0500, William Roberts wrote:
> I'm doing work now involving namespaces....the necessity is real.
> I'll take a look early next week.
>
> On Dec 20, 2013 10:34 PM, "Richard Guy Briggs" <rgb@redhat.com> wrote:
> Log the namespace details of a task.
> ---
>
> Does anyone have comments on this patch?
>
> I'm looking for guidance on which types of messages should
> have namespace
> information included. I've included too many, I suspect.
>
> I also wonder if displaying these inode numbers in hexadecimal
> makes more sense
> than decimal, since they are all based around 0xF0000000.
> These are all with
> reference to the proc filesystem, so a device number should
> not be necessary to
> qualify them.
>
>
> include/linux/audit.h | 1 +
> kernel/audit.c | 29 +++++++++++++++++++++++++++++
> kernel/audit_watch.c | 1 +
> kernel/auditfilter.c | 1 +
> kernel/auditsc.c | 5 +++++
> 5 files changed, 37 insertions(+), 0 deletions(-)
>
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index 6976219..75fa602 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -92,6 +92,7 @@ extern int audit_classify_arch(int arch);
> struct filename;
>
> extern void audit_log_session_info(struct audit_buffer *ab);
> +extern void audit_log_namespace_info(struct audit_buffer *ab,
> struct task_struct *tsk);
>
> #ifdef CONFIG_AUDITSYSCALL
> /* These are defined in auditsc.c */
> diff --git a/kernel/audit.c b/kernel/audit.c
> index dc03a30..b4c39a9 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -62,7 +62,15 @@
> #endif
> #include <linux/freezer.h>
> #include <linux/tty.h>
> +#include <linux/nsproxy.h>
> +#include <linux/utsname.h>
> +#include <linux/ipc_namespace.h>
> +#include "../fs/mount.h"
> +#include <linux/mount.h>
> +#include <linux/mnt_namespace.h>
> #include <linux/pid_namespace.h>
> +#include <net/net_namespace.h>
> +#include <linux/user_namespace.h>
> #include <net/netns/generic.h>
>
> #include "audit.h"
> @@ -292,6 +300,7 @@ static int audit_log_config_change(char
> *function_name, int new, int old,
> return rc;
> audit_log_format(ab, "%s=%d old=%d", function_name,
> new, old);
> audit_log_session_info(ab);
> + audit_log_namespace_info(ab, current);
> rc = audit_log_task_context(ab);
> if (rc)
> allow_changes = 0; /* Something weird, deny
> request */
> @@ -657,6 +666,7 @@ static int
> audit_log_common_recv_msg(struct audit_buffer **ab, u16
> msg_type)
> return rc;
> audit_log_format(*ab, "pid=%d uid=%u",
> task_tgid_vnr(current), uid);
> audit_log_session_info(*ab);
> + audit_log_namespace_info(*ab, current);
> audit_log_task_context(*ab);
>
> return rc;
> @@ -689,6 +699,7 @@ static void audit_log_feature_change(int
> which, u32 old_feature, u32 new_feature
> return;
>
> ab = audit_log_start(NULL, GFP_KERNEL,
> AUDIT_FEATURE_CHANGE);
> + audit_log_namespace_info(ab, current);
> audit_log_format(ab, "feature=%s old=%d new=%d
> old_lock=%d new_lock=%d res=%d",
> audit_feature_names[which], !!
> old_feature, !!new_feature,
> !!old_lock, !!new_lock, res);
> @@ -1621,6 +1632,23 @@ void audit_log_session_info(struct
> audit_buffer *ab)
> audit_log_format(ab, " auid=%u ses=%u", auid,
> sessionid);
> }
>
> +void audit_log_namespace_info(struct audit_buffer *ab, struct
> task_struct *tsk)
> +{
> + struct nsproxy *nsproxy;
> +
> + rcu_read_lock();
> + audit_log_format(ab, " pidns=%x",
> task_active_pid_ns(tsk)->proc_inum);
> + nsproxy = task_nsproxy(tsk);
> + if (nsproxy != NULL) {
> + audit_log_format(ab, " usrns=%x",
> nsproxy->net_ns->user_ns->proc_inum);
> + audit_log_format(ab, " utsns=%x",
> nsproxy->uts_ns->proc_inum);
> + audit_log_format(ab, " ipcns=%x",
> nsproxy->ipc_ns->proc_inum);
> + audit_log_format(ab, " mntns=%x",
> nsproxy->mnt_ns->proc_inum);
> + audit_log_format(ab, " netns=%x",
> nsproxy->net_ns->proc_inum);
> + }
> + rcu_read_unlock();
> +}
> +
> void audit_log_key(struct audit_buffer *ab, char *key)
> {
> audit_log_format(ab, " key=");
> @@ -1890,6 +1918,7 @@ void audit_log_link_denied(const char
> *operation, struct path *link)
> goto out;
> audit_log_format(ab, "op=%s", operation);
> audit_log_task_info(ab, current);
> + audit_log_namespace_info(ab, current);
> audit_log_format(ab, " res=0");
> audit_log_end(ab);
>
> diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
> index 22831c4..2382a3e 100644
> --- a/kernel/audit_watch.c
> +++ b/kernel/audit_watch.c
> @@ -245,6 +245,7 @@ static void
> audit_watch_log_rule_change(struct audit_krule *r, struct
> audit_watc
> audit_log_format(ab, "auid=%u ses=%u op=",
> from_kuid(&init_user_ns,
> audit_get_loginuid(current)),
>
> audit_get_sessionid(current));
> + audit_log_namespace_info(ab, current);
> audit_log_string(ab, op);
> audit_log_format(ab, " path=");
> audit_log_untrustedstring(ab, w->path);
> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index 14a78cc..9c4b004 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -1014,6 +1014,7 @@ static void audit_log_rule_change(char
> *action, struct audit_krule *rule, int re
> if (!ab)
> return;
> audit_log_format(ab, "auid=%u ses=%u" ,loginuid,
> sessionid);
> + audit_log_namespace_info(ab, current);
> audit_log_task_context(ab);
> audit_log_format(ab, " op=");
> audit_log_string(ab, action);
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 10176cd..3c73a3b 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -974,6 +974,7 @@ static int audit_log_pid_context(struct
> audit_context *context, pid_t pid,
> audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%
> d", pid,
> from_kuid(&init_user_ns, auid),
> from_kuid(&init_user_ns, uid),
> sessionid);
> + audit_log_namespace_info(ab, current);
> if (sid) {
> if (security_secid_to_secctx(sid, &ctx, &len))
> {
> audit_log_format(ab, " obj=(none)");
> @@ -1302,6 +1303,7 @@ static void audit_log_exit(struct
> audit_context *context, struct task_struct *ts
> context->name_count);
>
> audit_log_task_info(ab, tsk);
> + audit_log_namespace_info(ab, current);
> audit_log_key(ab, context->filterkey);
> audit_log_end(ab);
>
> @@ -1987,6 +1989,7 @@ static void
> audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
> current->pid, uid,
> oldloginuid, loginuid, oldsessionid,
> sessionid,
> !rc);
> + audit_log_namespace_info(ab, current);
> audit_log_end(ab);
> }
>
> @@ -2400,6 +2403,7 @@ void audit_core_dumps(long signr)
> if (unlikely(!ab))
> return;
> audit_log_task(ab);
> + audit_log_namespace_info(ab, current);
> audit_log_format(ab, " sig=%ld", signr);
> audit_log_end(ab);
> }
> @@ -2412,6 +2416,7 @@ void __audit_seccomp(unsigned long
> syscall, long signr, int code)
> if (unlikely(!ab))
> return;
> audit_log_task(ab);
> + audit_log_namespace_info(ab, current);
> audit_log_format(ab, " sig=%ld", signr);
> audit_log_format(ab, " syscall=%ld", syscall);
> audit_log_format(ab, " compat=%d", is_compat_task());
> --
> 1.7.1
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
* Re: [PATCH][RFC] audit: log namespace inode numbers
From: Richard Guy Briggs @ 2014-01-14 18:59 UTC (permalink / raw)
To: Eric Paris; +Cc: Stephan Mueller, linux-audit
On 14/01/13, Eric Paris wrote:
> Somehow I managed to lose this patch, but a couple of comments.
>
> Didn't Aris do this back at least as far back as March. Might want to
> ask for his work.
>
> audit_log_context() logs the LSM portion of a process. I don't believe
> this should be added to that function.
Agreed. It seemed convenient at the time to drop it in the start of
that function, but it is misleading in name.
It really belongs in audit_log_task() and/or audit_log_task_info() and
those two functions seem redundant to me.
> What happens if namespaces are compiled out?
Good point. That part needs a rework.
> There's got to be more....
>
> On Sat, 2013-12-21 at 04:01 -0500, William Roberts wrote:
> > I'm doing work now involving namespaces....the necessity is real.
> > I'll take a look early next week.
> >
> > On Dec 20, 2013 10:34 PM, "Richard Guy Briggs" <rgb@redhat.com> wrote:
> > Log the namespace details of a task.
> > ---
> >
> > Does anyone have comments on this patch?
> >
> > I'm looking for guidance on which types of messages should
> > have namespace
> > information included. I've included too many, I suspect.
> >
> > I also wonder if displaying these inode numbers in hexadecimal
> > makes more sense
> > than decimal, since they are all based around 0xF0000000.
> > These are all with
> > reference to the proc filesystem, so a device number should
> > not be necessary to
> > qualify them.
> >
> >
> > include/linux/audit.h | 1 +
> > kernel/audit.c | 29 +++++++++++++++++++++++++++++
> > kernel/audit_watch.c | 1 +
> > kernel/auditfilter.c | 1 +
> > kernel/auditsc.c | 5 +++++
> > 5 files changed, 37 insertions(+), 0 deletions(-)
> >
> > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > index 6976219..75fa602 100644
> > --- a/include/linux/audit.h
> > +++ b/include/linux/audit.h
> > @@ -92,6 +92,7 @@ extern int audit_classify_arch(int arch);
> > struct filename;
> >
> > extern void audit_log_session_info(struct audit_buffer *ab);
> > +extern void audit_log_namespace_info(struct audit_buffer *ab,
> > struct task_struct *tsk);
> >
> > #ifdef CONFIG_AUDITSYSCALL
> > /* These are defined in auditsc.c */
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index dc03a30..b4c39a9 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -62,7 +62,15 @@
> > #endif
> > #include <linux/freezer.h>
> > #include <linux/tty.h>
> > +#include <linux/nsproxy.h>
> > +#include <linux/utsname.h>
> > +#include <linux/ipc_namespace.h>
> > +#include "../fs/mount.h"
> > +#include <linux/mount.h>
> > +#include <linux/mnt_namespace.h>
> > #include <linux/pid_namespace.h>
> > +#include <net/net_namespace.h>
> > +#include <linux/user_namespace.h>
> > #include <net/netns/generic.h>
> >
> > #include "audit.h"
> > @@ -292,6 +300,7 @@ static int audit_log_config_change(char
> > *function_name, int new, int old,
> > return rc;
> > audit_log_format(ab, "%s=%d old=%d", function_name,
> > new, old);
> > audit_log_session_info(ab);
> > + audit_log_namespace_info(ab, current);
> > rc = audit_log_task_context(ab);
> > if (rc)
> > allow_changes = 0; /* Something weird, deny
> > request */
> > @@ -657,6 +666,7 @@ static int
> > audit_log_common_recv_msg(struct audit_buffer **ab, u16
> > msg_type)
> > return rc;
> > audit_log_format(*ab, "pid=%d uid=%u",
> > task_tgid_vnr(current), uid);
> > audit_log_session_info(*ab);
> > + audit_log_namespace_info(*ab, current);
> > audit_log_task_context(*ab);
> >
> > return rc;
> > @@ -689,6 +699,7 @@ static void audit_log_feature_change(int
> > which, u32 old_feature, u32 new_feature
> > return;
> >
> > ab = audit_log_start(NULL, GFP_KERNEL,
> > AUDIT_FEATURE_CHANGE);
> > + audit_log_namespace_info(ab, current);
> > audit_log_format(ab, "feature=%s old=%d new=%d
> > old_lock=%d new_lock=%d res=%d",
> > audit_feature_names[which], !!
> > old_feature, !!new_feature,
> > !!old_lock, !!new_lock, res);
> > @@ -1621,6 +1632,23 @@ void audit_log_session_info(struct
> > audit_buffer *ab)
> > audit_log_format(ab, " auid=%u ses=%u", auid,
> > sessionid);
> > }
> >
> > +void audit_log_namespace_info(struct audit_buffer *ab, struct
> > task_struct *tsk)
> > +{
> > + struct nsproxy *nsproxy;
> > +
> > + rcu_read_lock();
> > + audit_log_format(ab, " pidns=%x",
> > task_active_pid_ns(tsk)->proc_inum);
> > + nsproxy = task_nsproxy(tsk);
> > + if (nsproxy != NULL) {
> > + audit_log_format(ab, " usrns=%x",
> > nsproxy->net_ns->user_ns->proc_inum);
> > + audit_log_format(ab, " utsns=%x",
> > nsproxy->uts_ns->proc_inum);
> > + audit_log_format(ab, " ipcns=%x",
> > nsproxy->ipc_ns->proc_inum);
> > + audit_log_format(ab, " mntns=%x",
> > nsproxy->mnt_ns->proc_inum);
> > + audit_log_format(ab, " netns=%x",
> > nsproxy->net_ns->proc_inum);
> > + }
> > + rcu_read_unlock();
> > +}
> > +
> > void audit_log_key(struct audit_buffer *ab, char *key)
> > {
> > audit_log_format(ab, " key=");
> > @@ -1890,6 +1918,7 @@ void audit_log_link_denied(const char
> > *operation, struct path *link)
> > goto out;
> > audit_log_format(ab, "op=%s", operation);
> > audit_log_task_info(ab, current);
> > + audit_log_namespace_info(ab, current);
> > audit_log_format(ab, " res=0");
> > audit_log_end(ab);
> >
> > diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
> > index 22831c4..2382a3e 100644
> > --- a/kernel/audit_watch.c
> > +++ b/kernel/audit_watch.c
> > @@ -245,6 +245,7 @@ static void
> > audit_watch_log_rule_change(struct audit_krule *r, struct
> > audit_watc
> > audit_log_format(ab, "auid=%u ses=%u op=",
> > from_kuid(&init_user_ns,
> > audit_get_loginuid(current)),
> >
> > audit_get_sessionid(current));
> > + audit_log_namespace_info(ab, current);
> > audit_log_string(ab, op);
> > audit_log_format(ab, " path=");
> > audit_log_untrustedstring(ab, w->path);
> > diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> > index 14a78cc..9c4b004 100644
> > --- a/kernel/auditfilter.c
> > +++ b/kernel/auditfilter.c
> > @@ -1014,6 +1014,7 @@ static void audit_log_rule_change(char
> > *action, struct audit_krule *rule, int re
> > if (!ab)
> > return;
> > audit_log_format(ab, "auid=%u ses=%u" ,loginuid,
> > sessionid);
> > + audit_log_namespace_info(ab, current);
> > audit_log_task_context(ab);
> > audit_log_format(ab, " op=");
> > audit_log_string(ab, action);
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index 10176cd..3c73a3b 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -974,6 +974,7 @@ static int audit_log_pid_context(struct
> > audit_context *context, pid_t pid,
> > audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%
> > d", pid,
> > from_kuid(&init_user_ns, auid),
> > from_kuid(&init_user_ns, uid),
> > sessionid);
> > + audit_log_namespace_info(ab, current);
> > if (sid) {
> > if (security_secid_to_secctx(sid, &ctx, &len))
> > {
> > audit_log_format(ab, " obj=(none)");
> > @@ -1302,6 +1303,7 @@ static void audit_log_exit(struct
> > audit_context *context, struct task_struct *ts
> > context->name_count);
> >
> > audit_log_task_info(ab, tsk);
> > + audit_log_namespace_info(ab, current);
> > audit_log_key(ab, context->filterkey);
> > audit_log_end(ab);
> >
> > @@ -1987,6 +1989,7 @@ static void
> > audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
> > current->pid, uid,
> > oldloginuid, loginuid, oldsessionid,
> > sessionid,
> > !rc);
> > + audit_log_namespace_info(ab, current);
> > audit_log_end(ab);
> > }
> >
> > @@ -2400,6 +2403,7 @@ void audit_core_dumps(long signr)
> > if (unlikely(!ab))
> > return;
> > audit_log_task(ab);
> > + audit_log_namespace_info(ab, current);
> > audit_log_format(ab, " sig=%ld", signr);
> > audit_log_end(ab);
> > }
> > @@ -2412,6 +2416,7 @@ void __audit_seccomp(unsigned long
> > syscall, long signr, int code)
> > if (unlikely(!ab))
> > return;
> > audit_log_task(ab);
> > + audit_log_namespace_info(ab, current);
> > audit_log_format(ab, " sig=%ld", signr);
> > audit_log_format(ab, " syscall=%ld", syscall);
> > audit_log_format(ab, " compat=%d", is_compat_task());
> > --
> > 1.7.1
> >
> > --
> > Linux-audit mailing list
> > Linux-audit@redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
> > --
> > Linux-audit mailing list
> > Linux-audit@redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
>
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
- RGB
--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545