From mboxrd@z Thu Jan 1 00:00:00 1970 From: Aristeu Rozanski Subject: [PATCH RFC 7/8] audit: report namespace information along with USER events Date: Mon, 18 Mar 2013 11:45:46 -0400 Message-ID: <1363621547-25239-8-git-send-email-arozansk@redhat.com> References: <1363621547-25239-1-git-send-email-arozansk@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <1363621547-25239-1-git-send-email-arozansk@redhat.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com For userspace generated events, include a record with the namespace procfs inode numbers the process belongs to. This allows to track down and filter audit messages by userspace. Signed-off-by: Aristeu Rozanski --- include/uapi/linux/audit.h | 1 + kernel/audit.c | 51 +++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 51 insertions(+), 1 deletions(-) diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index 9f096f1..3ec3ccb 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -106,6 +106,7 @@ #define AUDIT_NETFILTER_PKT 1324 /* Packets traversing netfilter chains */ #define AUDIT_NETFILTER_CFG 1325 /* Netfilter chain modifications */ #define AUDIT_SECCOMP 1326 /* Secure Computing event */ +#define AUDIT_USER_NAMESPACE 1327 /* Information about process' namespaces */ #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ diff --git a/kernel/audit.c b/kernel/audit.c index 58db117..b17f9c0 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -62,6 +62,11 @@ #include #include #include +#include +#include +#include +#include +#include #include "audit.h" @@ -641,6 +646,49 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type, return rc; } +#ifdef CONFIG_NAMESPACES +static int audit_log_namespaces(struct task_struct *tsk, + struct sk_buff *skb) +{ + struct audit_context *ctx = tsk->audit_context; + struct audit_buffer *ab; + + if (!audit_enabled) + return 0; + + ab = audit_log_start(ctx, GFP_KERNEL, AUDIT_USER_NAMESPACE); + if (unlikely(!ab)) + return -ENOMEM; + + audit_log_format(ab, "mnt=%u", mntns_get_inum(tsk)); +#ifdef CONFIG_NET_NS + audit_log_format(ab, " net=%u", netns_get_inum(tsk)); +#endif +#ifdef CONFIG_UTS_NS + audit_log_format(ab, " uts=%u", utsns_get_inum(tsk)); +#endif +#ifdef CONFIG_IPC_NS + audit_log_format(ab, " ipc=%u", ipcns_get_inum(tsk)); +#endif +#ifdef CONFIG_PID_NS + audit_log_format(ab, " pid=%u", pidns_get_inum(tsk)); +#endif +#ifdef CONFIG_USER_NS + audit_log_format(ab, " user=%u", userns_get_inum(tsk)); +#endif + audit_set_pid(ab, NETLINK_CB(skb).portid); + audit_log_end(ab); + + return 0; +} +#else +static inline int audit_log_namespaces(struct task_struct *tsk, + struct sk_buff *skb) +{ + return 0; +} +#endif + static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) { u32 seq, sid; @@ -741,7 +789,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) } audit_log_common_recv_msg(&ab, msg_type, loginuid, sessionid, sid, - NULL); + current->audit_context); if (msg_type != AUDIT_USER_TTY) audit_log_format(ab, " msg='%.1024s'", @@ -758,6 +806,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) } audit_set_pid(ab, NETLINK_CB(skb).portid); audit_log_end(ab); + audit_log_namespaces(current, skb); } break; case AUDIT_ADD: -- 1.7.1