From: Aristeu Rozanski <arozansk@redhat.com>
To: linux-audit@redhat.com
Subject: [PATCH RFC] audit: provide namespace information in user originated records
Date: Mon, 18 Mar 2013 11:45:39 -0400 [thread overview]
Message-ID: <1363621547-25239-1-git-send-email-arozansk@redhat.com> (raw)
(re-sending this, linux-audit is members only it seems)
This patchset introduces a new audit record to follow all USER records which
provides namespace information of the process. The idea is to allow processes
in containers to create records in the host system while providing means to be
filtered out.
For each new namespace, a unique procfs inode number is allocated and this
number has been used by userspace to determine which processes belong to the
same namespace. These numbers are used in the new audit record.
Applications such as libvirt-sandbox and lxc can then report the same numbers
when a container is created and destroyed, allowing records to be mapped to a
certain container. Maybe the next step would be having a record for whenever a
new namespace is created?
The first 6 patches are needed in order to get each namespace's inode number.
Patch 7 properly defines the new record that is related to the USER record.
Patch 8 allows USER records to be generated from namespaces.
Here's an example of output:
type=CRED_DISP msg=audit(1363528861.403:311): pid=20016 uid=0 auid=0 ses=45 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=UNKNOWN[1327] msg=audit(1363528861.403:311): mnt=4026531840 net=4026531956 uts=4026531838 ipc=4026531839 pid=4026531836 user=4026531837
Notes:
- this is a RFC, all sorts of feedback are much appreciated
- while the last patch allows a new userns to send audit records, I haven't
looked yet at making sure it has proper capabilities so regular users'
containers can create records
- the record number allocated is just a draft. If this patchset evolves into
something that can be merged, please advise which number is the best
choice
fs/namespace.c | 14 +++++++
include/linux/ipc_namespace.h | 1
include/linux/mnt_namespace.h | 2 +
include/linux/pid_namespace.h | 1
include/linux/user_namespace.h | 1
include/linux/utsname.h | 1
include/net/net_namespace.h | 1
include/uapi/linux/audit.h | 1
ipc/namespace.c | 14 +++++++
kernel/audit.c | 76 +++++++++++++++++++++++++++++++++++++----
kernel/pid_namespace.c | 11 +++++
kernel/user_namespace.c | 5 ++
kernel/utsname.c | 14 +++++++
net/core/net_namespace.c | 14 +++++++
14 files changed, 150 insertions(+), 6 deletions(-)
Thread overview (24+ messages):
2013-03-18 15:45 Aristeu Rozanski [this message]
2013-03-18 15:45 ` [PATCH RFC 1/8] mntns: introduce mntns_get_inum() Aristeu Rozanski
2013-03-18 15:45 ` [PATCH RFC 2/8] ipcns: introduce ipcns_get_inum() Aristeu Rozanski
2013-03-18 15:45 ` [PATCH RFC 3/8] pidns: introduce pidns_get_inum() Aristeu Rozanski
2013-03-18 15:45 ` [PATCH RFC 4/8] userns: introduce userns_get_inum() Aristeu Rozanski
2013-03-18 15:45 ` [PATCH RFC 5/8] utsns: introduce utsns_get_inum() Aristeu Rozanski
2013-03-18 15:45 ` [PATCH RFC 6/8] netns: introduce netns_get_inum() Aristeu Rozanski
2013-03-18 15:45 ` [PATCH RFC 7/8] audit: report namespace information along with USER events Aristeu Rozanski
2013-03-18 15:45 ` [PATCH RFC 8/8] audit: allow user records to be created inside a container Aristeu Rozanski
2013-03-18 22:16 ` [PATCH RFC] audit: provide namespace information in user originated records Eric W. Biederman
2013-03-19 12:24 ` Aristeu Rozanski
2013-03-20 0:00 ` Eric W. Biederman
2013-03-20 15:12 ` Serge Hallyn
2013-03-20 15:45 ` Aristeu Rozanski
2013-03-20 18:36 ` Serge Hallyn
2013-03-20 18:42 ` Eric Paris
2013-03-20 18:49 ` Serge Hallyn
2013-03-20 19:01 ` Eric Paris
2013-03-20 19:17 ` Aristeu Rozanski
2013-03-20 19:19 ` Serge Hallyn
2013-03-20 23:23 ` Eric W. Biederman
2013-03-21 1:46 ` Eric Paris
2013-03-21 2:21 ` Serge Hallyn
2013-03-21 4:48 ` Eric W. Biederman