From mboxrd@z Thu Jan 1 00:00:00 1970
From: Aristeu Rozanski
Subject: [PATCH RFC] audit: provide namespace information in user originated records
Date: Mon, 18 Mar 2013 11:45:39 -0400
Message-ID: <1363621547-25239-1-git-send-email-arozansk@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Received: from napanee.usersys.redhat.com (dhcp-186-117.bos.redhat.com [10.16.186.117]) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id r2IFjq87019775 for ; Mon, 18 Mar 2013 11:45:52 -0400
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

(re-sending this, linux-audit is members only it seems)

This patchset introduces a new audit record that follows all USER records and provides the namespace information of the process. The idea is to allow processes in containers to create records in the host system while providing a means to filter them out.

For each new namespace, a unique procfs inode number is allocated, and this number has been used by userspace to determine which processes belong to the same namespace. These numbers are used in the new audit record. Applications such as libvirt-sandbox and lxc can then report the same numbers when a container is created and destroyed, allowing records to be mapped to a certain container.

Maybe the next step would be having a record for whenever a new namespace is created?

The first 6 patches are needed in order to get each namespace's inode number.
Patch 7 properly defines the new record that is related to the USER record.
Patch 8 allows USER records to be generated from namespaces.

Here's an example of output:

type=CRED_DISP msg=audit(1363528861.403:311): pid=20016 uid=0 auid=0 ses=45 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=UNKNOWN[1327] msg=audit(1363528861.403:311): mnt=4026531840 net=4026531956 uts=4026531838 ipc=4026531839 pid=4026531836 user=4026531837

Notes:
- this is a RFC, all sorts of feedback are much appreciated
- while the last patch allows a new userns to send audit records, I haven't looked yet at making sure it has proper capabilities so regular users' containers can create records
- the record number allocated is just a draft. If this patchset evolves into something that can be merged, please advise which number is the best choice

 fs/namespace.c                 | 14 +++++++
 include/linux/ipc_namespace.h  |  1
 include/linux/mnt_namespace.h  |  2 +
 include/linux/pid_namespace.h  |  1
 include/linux/user_namespace.h |  1
 include/linux/utsname.h        |  1
 include/net/net_namespace.h    |  1
 include/uapi/linux/audit.h     |  1
 ipc/namespace.c                | 14 +++++++
 kernel/audit.c                 | 76 +++++++++++++++++++++++++++++++++++++----
 kernel/pid_namespace.c         | 11 +++++
 kernel/user_namespace.c        |  5 ++
 kernel/utsname.c               | 14 +++++++
 net/core/net_namespace.c       | 14 +++++++
 14 files changed, 150 insertions(+), 6 deletions(-)
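Added example, not part of the patchset or the cover letter: a userspace-side consumer of the proposed record that pairs each USER record with its companion namespace record by audit event id (the timestamp:serial inside msg=audit(...)) and keeps only the events whose six namespace inode numbers match what a container manager reported. The log lines are constructed in the format shown above; the second event and its namespace numbers are invented for the example, and the record type name UNKNOWN[1327] reflects the draft number from the RFC.

```python
import re
from collections import defaultdict

# Constructed sample log: each USER-type record is followed by the proposed
# namespace record carrying the same audit event id. Type 1327 is the draft
# number from the RFC, so userspace prints it as UNKNOWN[1327].
SAMPLE_LOG = """\
type=CRED_DISP msg=audit(1363528861.403:311): pid=20016 uid=0 auid=0 ses=45 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=UNKNOWN[1327] msg=audit(1363528861.403:311): mnt=4026531840 net=4026531956 uts=4026531838 ipc=4026531839 pid=4026531836 user=4026531837
type=USER_LOGIN msg=audit(1363528900.100:312): pid=20100 uid=0 auid=1000 ses=46 msg='op=login acct="guest" exe="/usr/bin/login" res=success'
type=UNKNOWN[1327] msg=audit(1363528900.100:312): mnt=4026532200 net=4026532201 uts=4026532202 ipc=4026532203 pid=4026532204 user=4026532205
"""

EVENT_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
# Values may be bare, double-quoted, or single-quoted (the nested msg='...').
FIELD_RE = re.compile(r'''(\w+)=("[^"]*"|'[^']*'|\S+)''')
NS_TYPE = "UNKNOWN[1327]"
NS_KEYS = ("mnt", "net", "uts", "ipc", "pid", "user")

def parse_kv(body):
    """Parse the space-separated key=value fields of one record body."""
    return dict(FIELD_RE.findall(body))

def group_events(log_text):
    """Group records by audit event id (timestamp, serial), the key that ties
    the namespace record to the USER record it follows."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        events[(ts, int(serial))].append((rtype, parse_kv(body)))
    return events

def records_for_container(log_text, container_ns):
    """Return the non-namespace records of every event whose namespace record
    matches all six inode numbers reported for a container. Events without a
    namespace record (e.g. from an older kernel) are skipped, not guessed."""
    matched = []
    for _eid, recs in sorted(group_events(log_text).items()):
        ns = next((kv for t, kv in recs if t == NS_TYPE), None)
        if ns is None or any(ns.get(k) != str(container_ns[k]) for k in NS_KEYS):
            continue
        matched.extend((t, kv) for t, kv in recs if t != NS_TYPE)
    return matched
```

The same grouping can be used the other way round, to drop every event whose namespace numbers belong to a container so that only host-originated USER records remain.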