From: Richard Guy Briggs <rgb@redhat.com>
To: containers@lists.linux-foundation.org,
	Linux-Audit Mailing List <linux-audit@redhat.com>,
	LKML <linux-kernel@vger.kernel.org>
Cc: eparis@parisplace.org, Steve Grubb <sgrubb@redhat.com>,
	omosnace@redhat.com, Paul Moore <paul@paul-moore.com>,
	nhorman@redhat.com, dwalsh@redhat.com, mpatel@redhat.com,
	Richard Guy Briggs <rgb@redhat.com>
Subject: [PATCH ghau51/ghau40 v7 11/12] loginuid/sessionid: switch from /proc to netlink
Date: Wed, 18 Sep 2019 21:27:51 -0400	[thread overview]
Message-ID: <1568856472-10173-12-git-send-email-rgb@redhat.com> (raw)
In-Reply-To: <1568856472-10173-1-git-send-email-rgb@redhat.com>

Add the ability to get and set the login uid and to get the session
id using an audit netlink message using message types AUDIT_GET_LOGINUID
1024, AUDIT_SET_LOGINUID 1025 and AUDIT_GET_SESSIONID 1026 in addition
to using the proc filesystem.

This switches over the audit_setloginuid(), audit_getloginuid() and
audit_get_session() functions to use the new audit netlink message
method if it exists rather than the /proc method.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 lib/libaudit.c    | 176 ++++++++++++++++++++++++++++++++++--------------------
 lib/libaudit.h    |  12 ++++
 lib/msg_typetab.h |   3 +
 3 files changed, 127 insertions(+), 64 deletions(-)

diff --git a/lib/libaudit.c b/lib/libaudit.c
index fdba6301e7f0..62e1a2a64ee5 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -890,27 +890,42 @@ int audit_make_equivalent(int fd, const char *mount_point,
  */
 uid_t audit_getloginuid(void)
 {
-	uid_t uid;
-	int len, in;
-	char buf[16];
+        if ((audit_get_features() & AUDIT_FEATURE_BITMAP_CONTAINERID) == 0) {
+		uid_t uid;
+		int len, in;
+		char buf[16];
+
+		errno = 0;
+		in = open("/proc/self/loginuid", O_NOFOLLOW|O_RDONLY);
+		if (in < 0)
+			return -1;
+		do {
+			len = read(in, buf, sizeof(buf));
+		} while (len < 0 && errno == EINTR);
+		close(in);
+		if (len < 0 || len >= sizeof(buf))
+			return -1;
+		buf[len] = 0;
+		errno = 0;
+		uid = strtol(buf, 0, 10);
+		if (errno)
+			return -1;
+		else
+			return uid;
+	} else {
+		int rc;
+		int seq;
+                int fd = audit_open();
 
-	errno = 0;
-	in = open("/proc/self/loginuid", O_NOFOLLOW|O_RDONLY);
-	if (in < 0)
-		return -1;
-	do {
-		len = read(in, buf, sizeof(buf));
-	} while (len < 0 && errno == EINTR);
-	close(in);
-	if (len < 0 || len >= sizeof(buf))
-		return -1;
-	buf[len] = 0;
-	errno = 0;
-	uid = strtol(buf, 0, 10);
-	if (errno)
-		return -1;
-	else
-		return uid;
+		if (fd < 0) {
+                        audit_msg(audit_priority(errno), "Error openning get loginuid req (%s)", strerror(-rc));
+			return -2;
+		}
+		rc = __audit_send(fd, AUDIT_GET_LOGINUID, NULL, 0, &seq);
+		if (rc < 0)
+			audit_msg(audit_priority(errno), "Error sending get loginuid request (%s)", strerror(-rc));
+		return rc;
+	}
 }
 
 /*
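Review bot: In the netlink branch of audit_getloginuid(), `return rc;` after `__audit_send()` returns the send's status, not a login uid: nothing receives the kernel's reply, so the function cannot return the uid the commit message says it now fetches, and the audit_get_session() hunk has the same shape. The branch also never closes fd, and on the audit_open() failure path it formats `strerror(-rc)` from an rc that has not been assigned yet (the same uninitialized read appears in the audit_setloginuid() and audit_get_session() hunks); `strerror(errno)` matches the `audit_priority(errno)` next to it, and `close(fd)` belongs on every return. The fix is to wait for the response to seq (audit_get_reply() is the existing helper), take the uid from its payload, close fd and return -1 on any failure — I cannot quote the payload layout because the kernel-side reply format is not part of this patch. Whether AUDIT_FEATURE_BITMAP_CONTAINERID is the right signal that the running kernel understands AUDIT_GET_LOGINUID is also not something this patch shows; if a kernel sets that bit without these message types, the request fails with no fallback to /proc. Minor: `if ((audit_get_features() & …`, `int fd = audit_open();` and the audit_msg() line are indented with spaces where the file uses tabs, and "openning" is misspelled in the three new messages.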
@@ -918,34 +933,52 @@ uid_t audit_getloginuid(void)
  */
 int audit_setloginuid(uid_t uid)
 {
-	char loginuid[16];
-	int o, count, rc = 0;
-
-	errno = 0;
-	count = snprintf(loginuid, sizeof(loginuid), "%u", uid);
-	o = open("/proc/self/loginuid", O_NOFOLLOW|O_WRONLY|O_TRUNC);
-	if (o >= 0) {
-		int block, offset = 0;
-
-		while (count > 0) {
-			block = write(o, &loginuid[offset], (unsigned)count);
-
-			if (block < 0) {
-				if (errno == EINTR)
-					continue;
-				audit_msg(LOG_ERR, "Error writing loginuid");
-				close(o);
-				return 1;
+        if ((audit_get_features() & AUDIT_FEATURE_BITMAP_CONTAINERID) == 0) {
+		char loginuid[16];
+		int o, count, rc = 0;
+	
+		errno = 0;
+		count = snprintf(loginuid, sizeof(loginuid), "%u", uid);
+		o = open("/proc/self/loginuid", O_NOFOLLOW|O_WRONLY|O_TRUNC);
+		if (o >= 0) {
+			int block, offset = 0;
+	
+			while (count > 0) {
+				block = write(o, &loginuid[offset], (unsigned)count);
+	
+				if (block < 0) {
+					if (errno == EINTR)
+						continue;
+					audit_msg(LOG_ERR, "Error writing loginuid");
+					close(o);
+					return 1;
+				}
+				offset += block;
+				count -= block;
 			}
-			offset += block;
-			count -= block;
+			close(o);
+		} else {
+			audit_msg(LOG_ERR, "Error opening /proc/self/loginuid");
+			rc = 1;
 		}
-		close(o);
+		return rc;
 	} else {
-		audit_msg(LOG_ERR, "Error opening /proc/self/loginuid");
-		rc = 1;
+		int rc;
+		int seq;
+                int fd = audit_open();
+		struct audit_loginuid_status { uid_t uid; } ls = { uid };
+
+		if (fd < 0) {
+                        audit_msg(audit_priority(errno), "Error openning set loginuid req (%s)", strerror(-rc));
+			return 1;
+		}
+		rc = audit_send(fd, AUDIT_SET_LOGINUID, &ls, sizeof(ls));
+		if (rc < 0) {
+			audit_msg(audit_priority(errno), "Error sending set loginuid request (%s)", strerror(-rc));
+			return 1;
+		}
+		return 0;
 	}
-	return rc;
 }
 
 /*
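Review bot: The netlink branch of audit_setloginuid() reports success (`return 0;`) as soon as audit_send() has queued the request; the kernel's acknowledgment is never read, so a request the kernel rejects — the /proc path would have surfaced this as a write() error — is reported as having succeeded. The response for the request should be received and its error status mapped to the existing 0/1 return convention, with `close(fd)` on both paths, since fd is currently leaked here too. `struct audit_loginuid_status` is declared inline inside the function to define a wire payload the kernel must parse identically; it belongs in libaudit.h next to the AUDIT_SET_LOGINUID definition with a comment stating that its layout is the kernel ABI, assuming that is indeed the format the kernel side expects (not visible in this patch).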
@@ -954,27 +987,42 @@ int audit_setloginuid(uid_t uid)
  */
 uint32_t audit_get_session(void)
 {
-	uint32_t ses;
-	int len, in;
-	char buf[16];
+        if ((audit_get_features() & AUDIT_FEATURE_BITMAP_CONTAINERID) == 0) {
+		uint32_t ses;
+		int len, in;
+		char buf[16];
 
-	errno = 0;
-	in = open("/proc/self/sessionid", O_NOFOLLOW|O_RDONLY);
-	if (in < 0)
-		return -2;
-	do {
-		len = read(in, buf, sizeof(buf));
-	} while (len < 0 && errno == EINTR);
-	close(in);
-	if (len < 0 || len >= sizeof(buf))
-		return -2;
-	buf[len] = 0;
-	errno = 0;
-	ses = strtoul(buf, 0, 10);
-	if (errno)
-		return -2;
-	else
-		return ses;
+		errno = 0;
+		in = open("/proc/self/sessionid", O_NOFOLLOW|O_RDONLY);
+		if (in < 0)
+			return -2;
+		do {
+			len = read(in, buf, sizeof(buf));
+		} while (len < 0 && errno == EINTR);
+		close(in);
+		if (len < 0 || len >= sizeof(buf))
+			return -2;
+		buf[len] = 0;
+		errno = 0;
+		ses = strtoul(buf, 0, 10);
+		if (errno)
+			return -2;
+		else
+			return ses;
+	} else {
+		int rc;
+		int seq;
+                int fd = audit_open();
+
+		if (fd < 0) {
+                        audit_msg(audit_priority(errno), "Error openning set contid req (%s)", strerror(-rc));
+			return -2;
+		}
+		rc = __audit_send(fd, AUDIT_GET_SESSIONID, NULL, 0, &seq);
+		if (rc < 0)
+			audit_msg(audit_priority(errno), "Error sending get session request (%s)", strerror(-rc));
+		return rc;
+	}
 }
 
 /*
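Review bot: The failure message on the audit_open() path of audit_get_session() reads `"Error openning set contid req (%s)"`, which was carried over from the contid code; it should say `"Error opening get sessionid req (%s)"`. On the send-failure path the negative rc is returned through the uint32_t return type, so callers see a large positive value rather than the -2 the /proc branch uses for every error in this function; `return -2;` keeps the two branches consistent. The uninitialized rc in the strerror() call and the unclosed fd are the same issues raised on the audit_getloginuid() hunk.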
diff --git a/lib/libaudit.h b/lib/libaudit.h
index af58ef563987..717724e8fbbb 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -263,6 +263,18 @@ extern "C" {
 #define AUDIT_SET_CONTID	1023    /* set contid of specified pid */
 #endif
 
+#ifndef AUDIT_GET_LOGINUID
+#define AUDIT_GET_LOGINUID	1024    /* get current process loginuid */
+#endif
+
+#ifndef AUDIT_SET_LOGINUID
+#define AUDIT_SET_LOGINUID	1025    /* get current process loginuid */
+#endif
+
+#ifndef AUDIT_GET_SESSIONID
+#define AUDIT_GET_SESSIONID	1026    /* get current process sessionid */
+#endif
+
 #ifndef AUDIT_MMAP
 #define AUDIT_MMAP		1323 /* Descriptor and flags in mmap */
 #endif
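Review bot: The comment on the AUDIT_SET_LOGINUID definition says "get current process loginuid", copied from the line above; it should read `#define AUDIT_SET_LOGINUID	1025    /* set current process loginuid */`. This matches the wording used for AUDIT_SET_CONTID just above it.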
diff --git a/lib/msg_typetab.h b/lib/msg_typetab.h
index e37070cd82e2..9f2b137dc7f8 100644
--- a/lib/msg_typetab.h
+++ b/lib/msg_typetab.h
@@ -47,6 +47,9 @@ _S(AUDIT_LOGIN,                      "LOGIN"                         )
 //_S(AUDIT_SIGNAL_INFO2,               "SIGNAL_INFO2"                  )
 //_S(AUDIT_GET_CONTID,                 "GET_CONTID"                    )
 //_S(AUDIT_SET_CONTID,                 "SET_CONTID"                    )
+//_S(AUDIT_GET_LOGINUID,               "GET_LOGINUID"                  )
+//_S(AUDIT_SET_LOGINUID,               "SET_LOGINUID"                  )
+//_S(AUDIT_GET_SESSIONID,              "GET_SESSIONID"                 )
 _S(AUDIT_CONTAINER_OP,               "CONTAINER_OP"                  )
 _S(AUDIT_USER_AUTH,                  "USER_AUTH"                     )
 _S(AUDIT_USER_ACCT,                  "USER_ACCT"                     )
-- 
1.8.3.1
