* [PATCH RFC 1/8] mntns: introduce mntns_get_inum()
From: Aristeu Rozanski @ 2013-03-18 15:45 UTC (permalink / raw)
To: linux-audit
This allows other parts of the kernel to access the userspace-visible
namespace identification.
Signed-off-by: Aristeu Rozanski <arozansk@redhat.com>
---
fs/namespace.c | 14 ++++++++++++++
include/linux/mnt_namespace.h | 2 ++
2 files changed, 16 insertions(+), 0 deletions(-)
diff --git a/fs/namespace.c b/fs/namespace.c
index 50ca17d..b8a888f 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2792,6 +2792,20 @@ static unsigned int mntns_inum(void *ns)
return mnt_ns->proc_inum;
}
+unsigned int mntns_get_inum(struct task_struct *tsk)
+{
+ struct nsproxy *nsproxy;
+ int rc = 0;
+
+ rcu_read_lock();
+ nsproxy = task_nsproxy(tsk);
+ if (nsproxy)
+ rc = mntns_inum(nsproxy->mnt_ns);
+ rcu_read_unlock();
+
+ return rc;
+}
+
const struct proc_ns_operations mntns_operations = {
.name = "mnt",
.type = CLONE_NEWNS,
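Review bot: `int rc = 0;` declares the accumulator as signed while mntns_inum() and mntns_get_inum() itself both return `unsigned int`; the sibling helpers in this series use `unsigned int rc = 0;`, so the same declaration here keeps them consistent and avoids the implicit conversion. The `if (nsproxy)` test only guards the nsproxy pointer, yet mntns_inum() dereferences `nsproxy->mnt_ns` unconditionally; if mnt_ns can be NULL for a task whose namespaces have already been dropped, the test should be `if (nsproxy && nsproxy->mnt_ns)`, and the same applies to ipcns_get_inum(), utsns_get_inum() and netns_get_inum() in patches 2, 5 and 6. Callers would also benefit from a short comment such as `/* Returns the proc inode number of @tsk's mount namespace, or 0 if the task has none. */`, assuming 0 is never a valid proc inode number.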
diff --git a/include/linux/mnt_namespace.h b/include/linux/mnt_namespace.h
index 12b2ab5..b6afe65 100644
--- a/include/linux/mnt_namespace.h
+++ b/include/linux/mnt_namespace.h
@@ -5,10 +5,12 @@
struct mnt_namespace;
struct fs_struct;
struct user_namespace;
+struct task_struct;
extern struct mnt_namespace *copy_mnt_ns(unsigned long, struct mnt_namespace *,
struct user_namespace *, struct fs_struct *);
extern void put_mnt_ns(struct mnt_namespace *ns);
+extern unsigned int mntns_get_inum(struct task_struct *tsk);
extern const struct file_operations proc_mounts_operations;
extern const struct file_operations proc_mountinfo_operations;
--
1.7.1
^ permalink raw reply related [flat|nested] 9+ messages in thread* [PATCH RFC 2/8] ipcns: introduce ipcns_get_inum()
From: Aristeu Rozanski @ 2013-03-18 15:45 UTC (permalink / raw)
To: linux-audit
This allows other parts of the kernel to access the userspace-visible
namespace identification.
Signed-off-by: Aristeu Rozanski <arozansk@redhat.com>
---
include/linux/ipc_namespace.h | 1 +
ipc/namespace.c | 14 ++++++++++++++
2 files changed, 15 insertions(+), 0 deletions(-)
diff --git a/include/linux/ipc_namespace.h b/include/linux/ipc_namespace.h
index ae221a7..f9fb114 100644
--- a/include/linux/ipc_namespace.h
+++ b/include/linux/ipc_namespace.h
@@ -146,6 +146,7 @@ static inline struct ipc_namespace *get_ipc_ns(struct ipc_namespace *ns)
}
extern void put_ipc_ns(struct ipc_namespace *ns);
+extern unsigned int ipcns_get_inum(struct task_struct *tsk);
#else
static inline struct ipc_namespace *copy_ipcs(unsigned long flags,
struct user_namespace *user_ns, struct ipc_namespace *ns)
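Review bot: The new `extern unsigned int ipcns_get_inum(struct task_struct *tsk);` prototype names `struct task_struct`, but unlike patch 1, which adds `struct task_struct;` to mnt_namespace.h, this hunk adds no forward declaration; if ipc_namespace.h does not already have the type in scope, the compiler warns that the struct is declared inside the parameter list and the prototype will not match the definition. The same applies to the header hunks in patches 3, 4, 5 and 6; in net_namespace.h the `#include <linux/sched.h>` is visibly only in the `#else` branch, so the CONFIG_NET_NS branch where the prototype lands may not see the type. Adding `struct task_struct;` above each prototype, as patch 1 does, resolves it.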
diff --git a/ipc/namespace.c b/ipc/namespace.c
index 7c1fa45..4615db5 100644
--- a/ipc/namespace.c
+++ b/ipc/namespace.c
@@ -188,6 +188,20 @@ static unsigned int ipcns_inum(void *vp)
return ns->proc_inum;
}
+unsigned int ipcns_get_inum(struct task_struct *tsk)
+{
+ struct nsproxy *nsproxy;
+ unsigned int rc = 0;
+
+ rcu_read_lock();
+ nsproxy = task_nsproxy(tsk);
+ if (nsproxy)
+ rc = ipcns_inum(nsproxy->ipc_ns);
+ rcu_read_unlock();
+
+ return rc;
+}
+
const struct proc_ns_operations ipcns_operations = {
.name = "ipc",
.type = CLONE_NEWIPC,
--
1.7.1
^ permalink raw reply related [flat|nested] 9+ messages in thread* [PATCH RFC 3/8] pidns: introduce pidns_get_inum()
From: Aristeu Rozanski @ 2013-03-18 15:45 UTC (permalink / raw)
To: linux-audit
This allows other parts of the kernel to access the userspace-visible
namespace identification.
Signed-off-by: Aristeu Rozanski <arozansk@redhat.com>
---
include/linux/pid_namespace.h | 1 +
kernel/pid_namespace.c | 11 +++++++++++
2 files changed, 12 insertions(+), 0 deletions(-)
diff --git a/include/linux/pid_namespace.h b/include/linux/pid_namespace.h
index 215e5e3..8223654 100644
--- a/include/linux/pid_namespace.h
+++ b/include/linux/pid_namespace.h
@@ -57,6 +57,7 @@ extern struct pid_namespace *copy_pid_ns(unsigned long flags,
extern void zap_pid_ns_processes(struct pid_namespace *pid_ns);
extern int reboot_pid_ns(struct pid_namespace *pid_ns, int cmd);
extern void put_pid_ns(struct pid_namespace *ns);
+extern unsigned int pidns_get_inum(struct task_struct *tsk);
#else /* !CONFIG_PID_NS */
#include <linux/err.h>
diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c
index c1c3dc1..5e463ff 100644
--- a/kernel/pid_namespace.c
+++ b/kernel/pid_namespace.c
@@ -361,6 +361,17 @@ static unsigned int pidns_inum(void *ns)
return pid_ns->proc_inum;
}
+unsigned int pidns_get_inum(struct task_struct *tsk)
+{
+ unsigned int rc;
+
+ rcu_read_lock();
+ rc = pidns_inum(task_active_pid_ns(tsk));
+ rcu_read_unlock();
+
+ return rc;
+}
+
const struct proc_ns_operations pidns_operations = {
.name = "pid",
.type = CLONE_NEWPID,
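Review bot: pidns_get_inum() passes the result of task_active_pid_ns(tsk) straight into pidns_inum(), which dereferences it, with no NULL check; the nsproxy-based siblings guard their pointer, and task_active_pid_ns() can return NULL for a task whose pid link has already been detached, so this can oops if the helper is ever called for a task other than current. Replacing the call with `struct pid_namespace *ns = task_active_pid_ns(tsk);` and `rc = ns ? pidns_inum(ns) : 0;` inside the RCU section matches the 0-means-none convention of the other helpers and lets `rc` be initialised on every path.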
--
1.7.1
^ permalink raw reply related [flat|nested] 9+ messages in thread* [PATCH RFC 4/8] userns: introduce userns_get_inum()
From: Aristeu Rozanski @ 2013-03-18 15:45 UTC (permalink / raw)
To: linux-audit
This allows other parts of the kernel to access the userspace-visible
namespace identification.
Signed-off-by: Aristeu Rozanski <arozansk@redhat.com>
---
include/linux/user_namespace.h | 1 +
kernel/user_namespace.c | 5 +++++
2 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
index 4ce0093..520d8b2 100644
--- a/include/linux/user_namespace.h
+++ b/include/linux/user_namespace.h
@@ -56,6 +56,7 @@ extern struct seq_operations proc_projid_seq_operations;
extern ssize_t proc_uid_map_write(struct file *, const char __user *, size_t, loff_t *);
extern ssize_t proc_gid_map_write(struct file *, const char __user *, size_t, loff_t *);
extern ssize_t proc_projid_map_write(struct file *, const char __user *, size_t, loff_t *);
+extern unsigned int userns_get_inum(struct task_struct *tsk);
#else
static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index 8b65083..9a0db6d 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -856,6 +856,11 @@ static unsigned int userns_inum(void *ns)
return user_ns->proc_inum;
}
+unsigned int userns_get_inum(struct task_struct *tsk)
+{
+ return userns_inum(task_cred_xxx(tsk, user_ns));
+}
+
const struct proc_ns_operations userns_operations = {
.name = "user",
.type = CLONE_NEWUSER,
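Review bot: task_cred_xxx(tsk, user_ns) takes and drops rcu_read_lock() internally and hands back the raw pointer, so userns_inum() dereferences the user namespace after the RCU read-side section has ended; that is safe for `current`, whose own cred pins the namespace, but not for an arbitrary tsk that may exit concurrently. Either document the restriction with `/* @tsk must be current (or otherwise pinned); the user_ns is read without taking a reference */` or wrap the lookup in an explicit rcu_read_lock()/rcu_read_unlock() pair as the other *_get_inum() helpers do. This is also the only helper in the series with no 0-return path, which is fine as long as a task always has a user namespace.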
--
1.7.1
^ permalink raw reply related [flat|nested] 9+ messages in thread* [PATCH RFC 5/8] utsns: introduce utsns_get_inum()
From: Aristeu Rozanski @ 2013-03-18 15:45 UTC (permalink / raw)
To: linux-audit
This allows other parts of the kernel to access the userspace-visible
namespace identification.
Signed-off-by: Aristeu Rozanski <arozansk@redhat.com>
---
include/linux/utsname.h | 1 +
kernel/utsname.c | 14 ++++++++++++++
2 files changed, 15 insertions(+), 0 deletions(-)
diff --git a/include/linux/utsname.h b/include/linux/utsname.h
index 239e277..eed8ca8 100644
--- a/include/linux/utsname.h
+++ b/include/linux/utsname.h
@@ -36,6 +36,7 @@ static inline void get_uts_ns(struct uts_namespace *ns)
extern struct uts_namespace *copy_utsname(unsigned long flags,
struct user_namespace *user_ns, struct uts_namespace *old_ns);
extern void free_uts_ns(struct kref *kref);
+extern unsigned int utsns_get_inum(struct task_struct *tsk);
static inline void put_uts_ns(struct uts_namespace *ns)
{
diff --git a/kernel/utsname.c b/kernel/utsname.c
index a47fc5d..146e95c 100644
--- a/kernel/utsname.c
+++ b/kernel/utsname.c
@@ -130,6 +130,20 @@ static unsigned int utsns_inum(void *vp)
return ns->proc_inum;
}
+unsigned int utsns_get_inum(struct task_struct *tsk)
+{
+ struct nsproxy *nsproxy;
+ unsigned int rc = 0;
+
+ rcu_read_lock();
+ nsproxy = task_nsproxy(tsk);
+ if (nsproxy)
+ rc = utsns_inum(task_nsproxy(tsk)->uts_ns);
+ rcu_read_unlock();
+
+ return rc;
+}
+
const struct proc_ns_operations utsns_operations = {
.name = "uts",
.type = CLONE_NEWUTS,
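Review bot: The `rc = utsns_inum(task_nsproxy(tsk)->uts_ns);` line re-reads the nsproxy pointer instead of using the `nsproxy` local that was just NULL-checked; task_nsproxy() is an RCU dereference, so the second read may observe a different value, including NULL, and the check above it does not protect that access. Use `rc = utsns_inum(nsproxy->uts_ns);` as the mntns, ipcns and netns helpers in this series do.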
--
1.7.1
^ permalink raw reply related [flat|nested] 9+ messages in thread* [PATCH RFC 6/8] netns: introduce netns_get_inum()
From: Aristeu Rozanski @ 2013-03-18 15:45 UTC (permalink / raw)
To: linux-audit
This allows other parts of the kernel to access the userspace-visible
namespace identification.
Signed-off-by: Aristeu Rozanski <arozansk@redhat.com>
---
include/net/net_namespace.h | 1 +
net/core/net_namespace.c | 14 ++++++++++++++
2 files changed, 15 insertions(+), 0 deletions(-)
diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
index de644bc..bb24cf4 100644
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -134,6 +134,7 @@ extern struct net init_net;
#ifdef CONFIG_NET_NS
extern struct net *copy_net_ns(unsigned long flags,
struct user_namespace *user_ns, struct net *old_net);
+extern unsigned int netns_get_inum(struct task_struct *tsk);
#else /* CONFIG_NET_NS */
#include <linux/sched.h>
diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
index 80e271d..76c89e5 100644
--- a/net/core/net_namespace.c
+++ b/net/core/net_namespace.c
@@ -664,6 +664,20 @@ static unsigned int netns_inum(void *ns)
return net->proc_inum;
}
+unsigned int netns_get_inum(struct task_struct *tsk)
+{
+ struct nsproxy *nsproxy;
+ unsigned int rc = 0;
+
+ rcu_read_lock();
+ nsproxy = task_nsproxy(tsk);
+ if (nsproxy)
+ rc = netns_inum(nsproxy->net_ns);
+ rcu_read_unlock();
+
+ return rc;
+}
+
const struct proc_ns_operations netns_operations = {
.name = "net",
.type = CLONE_NEWNET,
--
1.7.1
^ permalink raw reply related [flat|nested] 9+ messages in thread* [PATCH RFC 7/8] audit: report namespace information along with USER events
From: Aristeu Rozanski @ 2013-03-18 15:45 UTC (permalink / raw)
To: linux-audit
For userspace-generated events, include a record with the procfs inode
numbers of the namespaces the process belongs to. This allows userspace
to track down and filter audit messages.
Signed-off-by: Aristeu Rozanski <arozansk@redhat.com>
---
include/uapi/linux/audit.h | 1 +
kernel/audit.c | 51 +++++++++++++++++++++++++++++++++++++++++++-
2 files changed, 51 insertions(+), 1 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 9f096f1..3ec3ccb 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -106,6 +106,7 @@
#define AUDIT_NETFILTER_PKT 1324 /* Packets traversing netfilter chains */
#define AUDIT_NETFILTER_CFG 1325 /* Netfilter chain modifications */
#define AUDIT_SECCOMP 1326 /* Secure Computing event */
+#define AUDIT_USER_NAMESPACE 1327 /* Information about process' namespaces */
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
diff --git a/kernel/audit.c b/kernel/audit.c
index 58db117..b17f9c0 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -62,6 +62,11 @@
#include <linux/freezer.h>
#include <linux/tty.h>
#include <linux/pid_namespace.h>
+#include <linux/ipc_namespace.h>
+#include <linux/mnt_namespace.h>
+#include <linux/utsname.h>
+#include <linux/user_namespace.h>
+#include <net/net_namespace.h>
#include "audit.h"
@@ -641,6 +646,49 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
return rc;
}
+#ifdef CONFIG_NAMESPACES
+static int audit_log_namespaces(struct task_struct *tsk,
+ struct sk_buff *skb)
+{
+ struct audit_context *ctx = tsk->audit_context;
+ struct audit_buffer *ab;
+
+ if (!audit_enabled)
+ return 0;
+
+ ab = audit_log_start(ctx, GFP_KERNEL, AUDIT_USER_NAMESPACE);
+ if (unlikely(!ab))
+ return -ENOMEM;
+
+ audit_log_format(ab, "mnt=%u", mntns_get_inum(tsk));
+#ifdef CONFIG_NET_NS
+ audit_log_format(ab, " net=%u", netns_get_inum(tsk));
+#endif
+#ifdef CONFIG_UTS_NS
+ audit_log_format(ab, " uts=%u", utsns_get_inum(tsk));
+#endif
+#ifdef CONFIG_IPC_NS
+ audit_log_format(ab, " ipc=%u", ipcns_get_inum(tsk));
+#endif
+#ifdef CONFIG_PID_NS
+ audit_log_format(ab, " pid=%u", pidns_get_inum(tsk));
+#endif
+#ifdef CONFIG_USER_NS
+ audit_log_format(ab, " user=%u", userns_get_inum(tsk));
+#endif
+ audit_set_pid(ab, NETLINK_CB(skb).portid);
+ audit_log_end(ab);
+
+ return 0;
+}
+#else
+static inline int audit_log_namespaces(struct task_struct *tsk,
+ struct sk_buff *skb)
+{
+ return 0;
+}
+#endif
+
static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
{
u32 seq, sid;
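Review bot: audit_log_namespaces() emits the namespace inode numbers as a separate AUDIT_USER_NAMESPACE record whose only link to the USER record it describes is the serial assigned by audit_log_start(ctx, ...); that serial is shared only when `tsk->audit_context` is non-NULL and the task is inside an audited syscall, otherwise a fresh serial is allocated and a consumer cannot tell which USER record the namespace record belongs to. Since the next patch relies on this record to let userspace filter container-originated messages, the function should document that dependency, e.g. `/* Emits a separate AUDIT_USER_NAMESPACE record; it shares the USER record's serial only when tsk has an audit_context, so the pairing must not be relied on otherwise. */`, or the fields should be folded into the USER record itself so they cannot be separated. The `if (!audit_enabled) return 0;` test duplicates the check audit_log_start() already performs and can be dropped. If proc inode numbers are recycled after a namespace is destroyed, the values identify a namespace only while it is alive, which is worth stating for consumers.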
@@ -741,7 +789,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
}
audit_log_common_recv_msg(&ab, msg_type,
loginuid, sessionid, sid,
- NULL);
+ current->audit_context);
if (msg_type != AUDIT_USER_TTY)
audit_log_format(ab, " msg='%.1024s'",
@@ -758,6 +806,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
}
audit_set_pid(ab, NETLINK_CB(skb).portid);
audit_log_end(ab);
+ audit_log_namespaces(current, skb);
}
break;
case AUDIT_ADD:
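Review bot: The return value of `audit_log_namespaces(current, skb);` is dropped, so when audit_log_start() fails with -ENOMEM the USER record has already been committed by the preceding audit_log_end(ab) and reaches the log with no namespace record at all; a consumer that filters container records by the namespace record, as the next patch's description proposes, would then treat it as a host record. Gathering the inode numbers before the USER record is started, or propagating the error so the caller can at least account for it, would close that gap. The enclosing switch and audit_receive_msg() continue outside the hunk.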
--
1.7.1
^ permalink raw reply related [flat|nested] 9+ messages in thread* [PATCH RFC 8/8] audit: allow user records to be created inside a container
From: Aristeu Rozanski @ 2013-03-18 15:45 UTC (permalink / raw)
To: linux-audit
Since user events will be followed by namespace information, userspace
can filter out undesired container records.
Signed-off-by: Aristeu Rozanski <arozansk@redhat.com>
---
kernel/audit.c | 25 ++++++++++++++++++++-----
1 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index b17f9c0..cc6ffc9 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -570,6 +570,23 @@ out:
kfree(reply);
}
+static int audit_namespace_check(struct task_struct *tsk, u16 msg_type)
+{
+ /* USER messages are allowed from inside containers */
+ switch (msg_type) {
+ case AUDIT_USER:
+ case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
+ case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
+ return 1;
+ default:
+ if ((current_user_ns() != &init_user_ns) ||
+ (task_active_pid_ns(current) != &init_pid_ns))
+ return 0;
+ break;
+ }
+ return 1;
+}
+
/*
* Check for appropriate CAP_AUDIT_ capabilities on incoming audit
* control messages.
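Review bot: The `tsk` parameter of audit_namespace_check() is never used; the default branch tests current_user_ns() and task_active_pid_ns(current), so the function answers for the caller rather than for the task it was given. Either drop the parameter or make the body honour it, e.g. `if ((task_cred_xxx(tsk, user_ns) != &init_user_ns) || (task_active_pid_ns(tsk) != &init_pid_ns))`, noting that task_cred_xxx() returns the pointer without taking a reference, which is fine for a pointer comparison on current. The `break;` followed by the trailing `return 1;` can be folded into a direct `return 1;` in the default branch for readability.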
@@ -578,9 +595,7 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
{
int err = 0;
- /* Only support the initial namespaces for now. */
- if ((current_user_ns() != &init_user_ns) ||
- (task_active_pid_ns(current) != &init_pid_ns))
+ if (!audit_namespace_check(current, msg_type))
return -EPERM;
switch (msg_type) {
@@ -597,13 +612,13 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
case AUDIT_TTY_SET:
case AUDIT_TRIM:
case AUDIT_MAKE_EQUIV:
- if (!capable(CAP_AUDIT_CONTROL))
+ if (!nsown_capable(CAP_AUDIT_CONTROL))
err = -EPERM;
break;
case AUDIT_USER:
case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
- if (!capable(CAP_AUDIT_WRITE))
+ if (!nsown_capable(CAP_AUDIT_WRITE))
err = -EPERM;
break;
default: /* bad msg */
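Review bot: Switching the CAP_AUDIT_WRITE test to nsown_capable() means a capability held in any user namespace is sufficient, and because audit_namespace_check() admits USER messages from every namespace, any process able to create a user namespace (unprivileged on this tree if CLONE_NEWUSER is, as the series assumes) can write AUDIT_USER records into the host's single audit log. Two consequences are not addressed here: such records share the host's audit backlog and rate limit, so an untrusted writer can cause host records to be dropped, and the pid field is derived from NETLINK_CB(skb).portid, which for an autobound socket may be a container-local number that the trailing namespace record only partially disambiguates. For CAP_AUDIT_CONTROL the change at `if (!nsown_capable(CAP_AUDIT_CONTROL))` is a no-op, since audit_namespace_check() already confines control messages to the init namespaces where nsown_capable() equals capable(); the commit message should say so. Consider keeping admission of non-init writers behind an explicit knob or a per-namespace limit until consumers can filter reliably.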
--
1.7.1