From: Gao feng <gaofeng-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
To: linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org
Cc: toshi.okajima-+CUm20s59erQFUHtdCDX3A@public.gmane.org,
containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org,
eparis-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org,
sgrubb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org
Subject: [PATCH 02/20] audit: introduce configure option CONFIG_AUDIT_NS
Date: Thu, 24 Oct 2013 15:31:47 +0800 [thread overview]
Message-ID: <1382599925-25143-3-git-send-email-gaofeng@cn.fujitsu.com> (raw)
In-Reply-To: <1382599925-25143-1-git-send-email-gaofeng-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
This patch adds a new field audit_ns for struct
nsproxy, so task can access the audit_ns through
task->nsproxy->audit_ns.
Right now, we don't support create new audit_ns,
all tasks's audit_ns will point to the init_audit_ns.
next patches will add the feature creating new
audit namespace.
Signed-off-by: Gao feng <gaofeng-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
---
include/linux/audit_namespace.h | 51 +++++++++++++++++++++++++++++++++++++++++
include/linux/nsproxy.h | 11 +++++----
init/Kconfig | 10 ++++++++
kernel/Makefile | 2 +-
kernel/audit_namespace.c | 8 +++++++
kernel/nsproxy.c | 16 ++++++++++++-
6 files changed, 91 insertions(+), 7 deletions(-)
create mode 100644 include/linux/audit_namespace.h
create mode 100644 kernel/audit_namespace.c
diff --git a/include/linux/audit_namespace.h b/include/linux/audit_namespace.h
new file mode 100644
index 0000000..ac22649
--- /dev/null
+++ b/include/linux/audit_namespace.h
@@ -0,0 +1,51 @@
+#ifndef __LINUX_AUDIT_NAMESPACE_H
+#define __LINUX_AUDIT_NAMESPACE_H
+
+#include <linux/audit.h>
+#include <linux/atomic.h>
+#include <linux/slab.h>
+#include <linux/user_namespace.h>
+
+struct audit_namespace {
+ atomic_t count;
+ struct user_namespace *user_ns;
+};
+
+extern struct audit_namespace init_audit_ns;
+
+#if defined(CONFIG_AUDIT_NS)
+static inline
+struct audit_namespace *get_audit_ns(struct audit_namespace *ns)
+{
+ atomic_inc(&ns->count);
+ return ns;
+}
+
+static inline
+void put_audit_ns(struct audit_namespace *ns)
+{
+ if (atomic_dec_and_test(&ns->count)) {
+ put_user_ns(ns->user_ns);
+ kfree(ns);
+ }
+}
+#else
+static inline
+struct audit_namespace *get_audit_ns(struct audit_namespace *ns)
+{
+ return ns;
+}
+
+static inline
+void put_audit_ns(struct audit_namespace *ns)
+{
+
+}
+#endif
+
+static inline struct
+audit_namespace *copy_audit_ns(struct audit_namespace *audit)
+{
+ return get_audit_ns(audit);
+}
+#endif
diff --git a/include/linux/nsproxy.h b/include/linux/nsproxy.h
index b4ec59d..dc7af11 100644
--- a/include/linux/nsproxy.h
+++ b/include/linux/nsproxy.h
@@ -28,11 +28,12 @@ struct fs_struct;
*/
struct nsproxy {
atomic_t count;
- struct uts_namespace *uts_ns;
- struct ipc_namespace *ipc_ns;
- struct mnt_namespace *mnt_ns;
- struct pid_namespace *pid_ns_for_children;
- struct net *net_ns;
+ struct uts_namespace *uts_ns;
+ struct ipc_namespace *ipc_ns;
+ struct mnt_namespace *mnt_ns;
+ struct pid_namespace *pid_ns_for_children;
+ struct net *net_ns;
+ struct audit_namespace *audit_ns;
};
extern struct nsproxy init_nsproxy;
diff --git a/init/Kconfig b/init/Kconfig
index 3ecd8a1..05e3d2c 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1154,6 +1154,16 @@ config NET_NS
Allow user space to create what appear to be multiple instances
of the network stack.
+config AUDIT_NS
+ bool "Audit namespace"
+ depends on AUDIT
+ default n
+ help
+ Support audit namespace. This allows processes write audit message
+ to the audit namespace they belong to.
+
+ If unsure, say N.
+
endif # NAMESPACES
config UIDGID_STRICT_TYPE_CHECKS
diff --git a/kernel/Makefile b/kernel/Makefile
index 1ce4755..6e64333 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -71,7 +71,7 @@ obj-$(CONFIG_IKCONFIG) += configs.o
obj-$(CONFIG_RESOURCE_COUNTERS) += res_counter.o
obj-$(CONFIG_SMP) += stop_machine.o
obj-$(CONFIG_KPROBES_SANITY_TEST) += test_kprobes.o
-obj-$(CONFIG_AUDIT) += audit.o auditfilter.o
+obj-$(CONFIG_AUDIT) += audit.o auditfilter.o audit_namespace.o
obj-$(CONFIG_AUDITSYSCALL) += auditsc.o
obj-$(CONFIG_AUDIT_WATCH) += audit_watch.o
obj-$(CONFIG_AUDIT_TREE) += audit_tree.o
diff --git a/kernel/audit_namespace.c b/kernel/audit_namespace.c
new file mode 100644
index 0000000..6d9cb8f
--- /dev/null
+++ b/kernel/audit_namespace.c
@@ -0,0 +1,8 @@
+#include <linux/audit_namespace.h>
+#include <linux/export.h>
+
+struct audit_namespace init_audit_ns = {
+ .count = ATOMIC_INIT(1),
+ .user_ns = &init_user_ns,
+};
+EXPORT_SYMBOL_GPL(init_audit_ns);
diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c
index 8e78110..e8374aa 100644
--- a/kernel/nsproxy.c
+++ b/kernel/nsproxy.c
@@ -22,6 +22,7 @@
#include <linux/pid_namespace.h>
#include <net/net_namespace.h>
#include <linux/ipc_namespace.h>
+#include <linux/audit_namespace.h>
#include <linux/proc_ns.h>
#include <linux/file.h>
#include <linux/syscalls.h>
@@ -39,6 +40,9 @@ struct nsproxy init_nsproxy = {
#ifdef CONFIG_NET
.net_ns = &init_net,
#endif
+#ifdef CONFIG_AUDIT
+ .audit_ns = &init_audit_ns,
+#endif
};
static inline struct nsproxy *create_nsproxy(void)
@@ -98,8 +102,16 @@ static struct nsproxy *create_new_namespaces(unsigned long flags,
goto out_net;
}
- return new_nsp;
+ new_nsp->audit_ns = copy_audit_ns(tsk->nsproxy->audit_ns);
+ if (IS_ERR(new_nsp->audit_ns)) {
+ err = PTR_ERR(new_nsp->audit_ns);
+ goto out_audit;
+ }
+ return new_nsp;
+out_audit:
+ if (new_nsp->net_ns)
+ put_net(new_nsp->net_ns);
out_net:
if (new_nsp->pid_ns_for_children)
put_pid_ns(new_nsp->pid_ns_for_children);
@@ -165,6 +177,8 @@ void free_nsproxy(struct nsproxy *ns)
put_ipc_ns(ns->ipc_ns);
if (ns->pid_ns_for_children)
put_pid_ns(ns->pid_ns_for_children);
+ if (ns->audit_ns)
+ put_audit_ns(ns->audit_ns);
put_net(ns->net_ns);
kmem_cache_free(nsproxy_cachep, ns);
}
--
1.8.3.1
next prev parent reply other threads:[~2013-10-24 7:31 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-10-24 7:31 [RFC Part1 PATCH 00/20 v2] Add namespace support for audit Gao feng
2013-10-24 7:31 ` [PATCH 01/20] Audit: make audit netlink socket net namespace unaware Gao feng
[not found] ` <1382599925-25143-1-git-send-email-gaofeng-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-10-24 7:31 ` Gao feng [this message]
2013-10-24 7:31 ` [PATCH 03/20] audit: make audit_skb_queue per audit namespace Gao feng
2013-10-24 7:31 ` [PATCH 04/20] audit: make audit_skb_hold_queue " Gao feng
2013-10-24 7:31 ` [PATCH 06/20] audit: make kauditd_task " Gao feng
2013-10-24 7:31 ` [PATCH 08/20] audit: make kaudit_wait queue " Gao feng
2013-10-24 7:32 ` [PATCH 15/20] audit: Log audit pid config change in " Gao feng
2013-10-31 3:52 ` [RFC Part1 PATCH 00/20 v2] Add namespace support for audit Gao feng
[not found] ` <5271D3FC.8000709-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-11-05 7:51 ` Gao feng
[not found] ` <5278A39B.6000303-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-11-05 7:52 ` Gao feng
[not found] ` <5278A3D5.3010309-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-11-05 8:11 ` Li Zefan
[not found] ` <5278A828.50406-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
2013-11-05 8:56 ` Gao feng
[not found] ` <5278B2D7.6060409-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-11-05 19:14 ` Richard Guy Briggs
[not found] ` <20131105191459.GF24236-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2013-11-07 5:51 ` Gao feng
2013-11-21 7:57 ` Gao feng
2013-12-06 21:31 ` Serge E. Hallyn
[not found] ` <20131206213135.GA22445-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2013-12-09 2:29 ` Gao feng
[not found] ` <52A52AFB.2020703-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-12-23 23:47 ` Richard Guy Briggs
[not found] ` <20131223234723.GA23101-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2013-12-24 9:53 ` Gao feng
2013-10-24 7:31 ` [PATCH 05/20] audit: make audit_pid per audit namespace Gao feng
2013-10-24 7:31 ` [PATCH 07/20] aduit: make audit_nlk_portid " Gao feng
2013-10-24 7:31 ` [PATCH 09/20] audit: make audit_backlog_wait " Gao feng
2013-10-24 7:31 ` [PATCH 10/20] audit: allow un-init audit ns to change pid and portid only Gao feng
2013-10-24 7:31 ` [PATCH 11/20] audit: use proper audit namespace in audit_receive_msg Gao feng
2013-10-24 7:31 ` [PATCH 12/20] audit: use proper audit_namespace in kauditd_thread Gao feng
2013-10-24 7:31 ` [PATCH 13/20] audit: introduce new audit logging interface for audit namespace Gao feng
2013-10-24 7:31 ` [PATCH 14/20] audit: pass proper audit namespace to audit_log_common_recv_msg Gao feng
2013-10-24 7:32 ` [PATCH 16/20] audit: allow GET, SET, USER MSG operations in audit namespace Gao feng
[not found] ` <1382599925-25143-17-git-send-email-gaofeng-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-12-06 22:00 ` Serge E. Hallyn
[not found] ` <20131206220033.GB22445-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2013-12-09 1:47 ` Gao feng
2013-10-24 7:32 ` [PATCH 17/20] nsproxy: don't make create_new_namespaces static Gao feng
2013-10-24 7:32 ` [PATCH 18/20] audit: add new message type AUDIT_CREATE_NS Gao feng
[not found] ` <1382599925-25143-19-git-send-email-gaofeng-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-12-06 22:10 ` Serge E. Hallyn
[not found] ` <20131206221014.GC22445-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2013-12-09 1:59 ` Gao feng
[not found] ` <52A52400.7060008-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-12-09 17:53 ` Serge Hallyn
2013-12-10 5:34 ` Gao feng
2013-10-24 7:32 ` [PATCH 19/20] audit: make audit_backlog_limit per audit namespace Gao feng
2013-10-24 7:32 ` [PATCH 20/20] audit: introduce /proc/<pid>/audit_backlog_limit Gao feng
2013-12-04 8:31 ` [RFC Part1 PATCH 00/20 v2] Add namespace support for audit Gao feng
[not found] ` <529EE877.7030701-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-12-06 22:12 ` Serge E. Hallyn
[not found] ` <20131206221241.GD22445-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2013-12-09 2:06 ` Gao feng
[not found] ` <52A52599.3070502-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-12-09 18:26 ` Serge Hallyn
2013-12-10 8:16 ` Gao feng
[not found] ` <52A6CDE1.8090404-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-12-10 16:51 ` Serge Hallyn
2013-12-10 19:50 ` Eric Paris
[not found] ` <1386705056.23829.13.camel-OjZBOOqb7SR7cYLChsl7DafLeoKvNuZc@public.gmane.org>
2013-12-10 20:36 ` Serge E. Hallyn
[not found] ` <20131210203648.GA5835-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2013-12-16 3:39 ` Gao feng
[not found] ` <52AE75D7.4020604-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-12-20 21:15 ` Serge E. Hallyn
[not found] ` <20131220211557.GA418-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2013-12-24 9:32 ` Gao feng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1382599925-25143-3-git-send-email-gaofeng@cn.fujitsu.com \
--to=gaofeng-bthxqxjhjhxqfuhtdcdx3a@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
--cc=eparis-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org \
--cc=sgrubb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=toshi.okajima-+CUm20s59erQFUHtdCDX3A@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox