From: Eric Paris <eparis@redhat.com>
To: William Roberts <bill.c.roberts@gmail.com>
Cc: Richard Guy Briggs <rgb@redhat.com>,
Stephan Mueller <stephan.mueller@atsec.com>,
linux-audit@redhat.com
Subject: Re: [PATCH][RFC] audit: log namespace inode numbers
Date: Mon, 13 Jan 2014 22:08:53 -0500 [thread overview]
Message-ID: <1389668933.19888.1.camel@localhost> (raw)
In-Reply-To: <CAFftDdoU01NZ3pJbZ9ULFPAQ+mkJYNo3fEti6phmDqTsji+=Zg@mail.gmail.com>
Somehow I managed to lose this patch, but a couple of comments.
Didn't Aris do this at least as far back as March? You might want to
ask him for his work.
audit_log_context() logs the LSM portion of a process. I don't believe
this should be added to that function.
What happens if namespaces are compiled out?
There's got to be more....
On Sat, 2013-12-21 at 04:01 -0500, William Roberts wrote:
> I'm doing work now involving namespaces....the necessity is real.
> I'll take a look early next week.
>
> On Dec 20, 2013 10:34 PM, "Richard Guy Briggs" <rgb@redhat.com> wrote:
> Log the namespace details of a task.
> ---
>
> Does anyone have comments on this patch?
>
> I'm looking for guidance on which types of messages should
> have namespace
> information included. I've included too many, I suspect.
>
> I also wonder if displaying these inode numbers in hexadecimal
> makes more sense
> than decimal, since they are all based around 0xF0000000.
> These are all with
> reference to the proc filesystem, so a device number should
> not be necessary to
> qualify them.
>
>
> include/linux/audit.h | 1 +
> kernel/audit.c | 29 +++++++++++++++++++++++++++++
> kernel/audit_watch.c | 1 +
> kernel/auditfilter.c | 1 +
> kernel/auditsc.c | 5 +++++
> 5 files changed, 37 insertions(+), 0 deletions(-)
>
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index 6976219..75fa602 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -92,6 +92,7 @@ extern int audit_classify_arch(int arch);
> struct filename;
>
> extern void audit_log_session_info(struct audit_buffer *ab);
> +extern void audit_log_namespace_info(struct audit_buffer *ab,
> struct task_struct *tsk);
>
> #ifdef CONFIG_AUDITSYSCALL
> /* These are defined in auditsc.c */
> diff --git a/kernel/audit.c b/kernel/audit.c
> index dc03a30..b4c39a9 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -62,7 +62,15 @@
> #endif
> #include <linux/freezer.h>
> #include <linux/tty.h>
> +#include <linux/nsproxy.h>
> +#include <linux/utsname.h>
> +#include <linux/ipc_namespace.h>
> +#include "../fs/mount.h"
> +#include <linux/mount.h>
> +#include <linux/mnt_namespace.h>
> #include <linux/pid_namespace.h>
> +#include <net/net_namespace.h>
> +#include <linux/user_namespace.h>
> #include <net/netns/generic.h>
>
> #include "audit.h"
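Review bot: `#include "../fs/mount.h"` at L71 pulls a private fs/ header into kernel/audit.c solely to reach the `proc_inum` member of `struct mnt_namespace` (dereferenced later in the patch); that header is deliberately kept out of include/ and its layout is not a stable interface for other subsystems. A small accessor exported from fs/, e.g. `unsigned int mnt_ns_proc_inum(const struct mnt_namespace *ns);` declared in `<linux/mnt_namespace.h>` (already included at L73), would keep the type opaque to the audit code. Whether such a helper already exists elsewhere in the tree I cannot tell from this hunk.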
> @@ -292,6 +300,7 @@ static int audit_log_config_change(char
> *function_name, int new, int old,
> return rc;
> audit_log_format(ab, "%s=%d old=%d", function_name,
> new, old);
> audit_log_session_info(ab);
> + audit_log_namespace_info(ab, current);
> rc = audit_log_task_context(ab);
> if (rc)
> allow_changes = 0; /* Something weird, deny
> request */
> @@ -657,6 +666,7 @@ static int
> audit_log_common_recv_msg(struct audit_buffer **ab, u16
> msg_type)
> return rc;
> audit_log_format(*ab, "pid=%d uid=%u",
> task_tgid_vnr(current), uid);
> audit_log_session_info(*ab);
> + audit_log_namespace_info(*ab, current);
> audit_log_task_context(*ab);
>
> return rc;
> @@ -689,6 +699,7 @@ static void audit_log_feature_change(int
> which, u32 old_feature, u32 new_feature
> return;
>
> ab = audit_log_start(NULL, GFP_KERNEL,
> AUDIT_FEATURE_CHANGE);
> + audit_log_namespace_info(ab, current);
> audit_log_format(ab, "feature=%s old=%d new=%d
> old_lock=%d new_lock=%d res=%d",
> audit_feature_names[which], !!
> old_feature, !!new_feature,
> !!old_lock, !!new_lock, res);
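Review bot: The namespace fields at L108 are emitted before the first `feature=` field at L109, so this record starts with a leading space and orders its fields differently from every other call site in the patch, which appends them after the primary fields. Moving `audit_log_namespace_info(ab, current);` to just after the `audit_log_format()` call keeps the record layout consistent for parsers. audit_log_feature_change() starts before this hunk and continues past it.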
> @@ -1621,6 +1632,23 @@ void audit_log_session_info(struct
> audit_buffer *ab)
> audit_log_format(ab, " auid=%u ses=%u", auid,
> sessionid);
> }
>
> +void audit_log_namespace_info(struct audit_buffer *ab, struct
> task_struct *tsk)
> +{
> + struct nsproxy *nsproxy;
> +
> + rcu_read_lock();
> + audit_log_format(ab, " pidns=%x",
> task_active_pid_ns(tsk)->proc_inum);
> + nsproxy = task_nsproxy(tsk);
> + if (nsproxy != NULL) {
> + audit_log_format(ab, " usrns=%x",
> nsproxy->net_ns->user_ns->proc_inum);
> + audit_log_format(ab, " utsns=%x",
> nsproxy->uts_ns->proc_inum);
> + audit_log_format(ab, " ipcns=%x",
> nsproxy->ipc_ns->proc_inum);
> + audit_log_format(ab, " mntns=%x",
> nsproxy->mnt_ns->proc_inum);
> + audit_log_format(ab, " netns=%x",
> nsproxy->net_ns->proc_inum);
> + }
> + rcu_read_unlock();
> +}
> +
> void audit_log_key(struct audit_buffer *ab, char *key)
> {
> audit_log_format(ab, " key=");
> @@ -1890,6 +1918,7 @@ void audit_log_link_denied(const char
> *operation, struct path *link)
> goto out;
> audit_log_format(ab, "op=%s", operation);
> audit_log_task_info(ab, current);
> + audit_log_namespace_info(ab, current);
> audit_log_format(ab, " res=0");
> audit_log_end(ab);
>
> diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
> index 22831c4..2382a3e 100644
> --- a/kernel/audit_watch.c
> +++ b/kernel/audit_watch.c
> @@ -245,6 +245,7 @@ static void
> audit_watch_log_rule_change(struct audit_krule *r, struct
> audit_watc
> audit_log_format(ab, "auid=%u ses=%u op=",
> from_kuid(&init_user_ns,
> audit_get_loginuid(current)),
>
> audit_get_sessionid(current));
> + audit_log_namespace_info(ab, current);
> audit_log_string(ab, op);
> audit_log_format(ab, " path=");
> audit_log_untrustedstring(ab, w->path);
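Review bot: The call added at L168 lands between the `"auid=%u ses=%u op="` format at L163 and the `audit_log_string(ab, op)` at L169 that supplies the value of `op=`, so the record reads `op= pidns=… netns=… <op>` and the `op` field is corrupted. Move `audit_log_namespace_info(ab, current);` to after `audit_log_string(ab, op);` so the field stays intact; the helper emits a leading space, so it cannot go in front of the `auid=` format either. audit_watch_log_rule_change() starts before this hunk and continues past it.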
> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index 14a78cc..9c4b004 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -1014,6 +1014,7 @@ static void audit_log_rule_change(char
> *action, struct audit_krule *rule, int re
> if (!ab)
> return;
> audit_log_format(ab, "auid=%u ses=%u" ,loginuid,
> sessionid);
> + audit_log_namespace_info(ab, current);
> audit_log_task_context(ab);
> audit_log_format(ab, " op=");
> audit_log_string(ab, action);
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 10176cd..3c73a3b 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -974,6 +974,7 @@ static int audit_log_pid_context(struct
> audit_context *context, pid_t pid,
> audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%
> d", pid,
> from_kuid(&init_user_ns, auid),
> from_kuid(&init_user_ns, uid),
> sessionid);
> + audit_log_namespace_info(ab, current);
> if (sid) {
> if (security_secid_to_secctx(sid, &ctx, &len))
> {
> audit_log_format(ab, " obj=(none)");
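Review bot: This record describes another process (the `opid`/`oauid`/`ouid`/`oses` fields at L192-L196), yet the namespace fields added at L197 are taken from `current`, so a consumer cannot tell which of the two processes the `pidns=` value belongs to. If the intent is to qualify `opid`, which is only meaningful relative to a pid namespace, the target task's namespace inode numbers are the ones to log, presumably captured alongside the other target values; if the sender's namespaces are intended, distinct field names would avoid the ambiguity. audit_log_pid_context() starts before this hunk and continues past it.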
> @@ -1302,6 +1303,7 @@ static void audit_log_exit(struct
> audit_context *context, struct task_struct *ts
> context->name_count);
>
> audit_log_task_info(ab, tsk);
> + audit_log_namespace_info(ab, current);
> audit_log_key(ab, context->filterkey);
> audit_log_end(ab);
>
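Review bot: L207 passes `current` while the neighbouring `audit_log_task_info(ab, tsk)` at L206 uses the function's `tsk` argument, so the two calls could describe different tasks if a caller ever passes something other than current. Use `audit_log_namespace_info(ab, tsk);` so the task and namespace fields of the record are guaranteed to refer to the same task. audit_log_exit() starts before this hunk and continues past it.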
> @@ -1987,6 +1989,7 @@ static void
> audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
> current->pid, uid,
> oldloginuid, loginuid, oldsessionid,
> sessionid,
> !rc);
> + audit_log_namespace_info(ab, current);
> audit_log_end(ab);
> }
>
> @@ -2400,6 +2403,7 @@ void audit_core_dumps(long signr)
> if (unlikely(!ab))
> return;
> audit_log_task(ab);
> + audit_log_namespace_info(ab, current);
> audit_log_format(ab, " sig=%ld", signr);
> audit_log_end(ab);
> }
> @@ -2412,6 +2416,7 @@ void __audit_seccomp(unsigned long
> syscall, long signr, int code)
> if (unlikely(!ab))
> return;
> audit_log_task(ab);
> + audit_log_namespace_info(ab, current);
> audit_log_format(ab, " sig=%ld", signr);
> audit_log_format(ab, " syscall=%ld", syscall);
> audit_log_format(ab, " compat=%d", is_compat_task());
> --
> 1.7.1
>