From mboxrd@z Thu Jan  1 00:00:00 1970
From: Paul Moore <pmoore@redhat.com>
Subject: Re: [PATCH] audit: add nspid and nsppid in audit_log_task_info
Date: Wed, 03 Dec 2014 18:39:31 -0500
Message-ID: <3578272.jPN86LA6WI@sifl>
References: <CAP19V6oG+qhcqiYzP3Dk=ioBr7dLeLbzNxQ42hdoPAafitoRag@mail.gmail.com>
	<1416754728.3116.22.camel@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <1416754728.3116.22.camel@localhost>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Mark Ellzey <socket@gmail.com>
Cc: rgb@redhat.com, linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Sunday, November 23, 2014 09:58:48 AM Eric Paris wrote:
> [forwarding to 2 people looking at audit now, do you mind resending to
> linux-audit@redhat.com and inluding them both?]

I'm also adding the linux-audit list to the CC line.

I know Richard has been working on namespaces/audit, I'd like to hear his 
comments on this patch.

> On Sat, 2014-11-22 at 13:53 -0500, Mark Ellzey wrote:
> > If the current task being sent to audit_log_task_info() is not within
> > the root namespace, add two new fields "nspid=X nsppid=Y".
> > 
> > This allows a user to map the real pid/ppid to a namespaced pid/ppid.
> > ---
> > 
> >  kernel/audit.c | 12 ++++++++++++
> >  1 file changed, 12 insertions(+)
> > 
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index cebb11d..5439f66 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -1853,6 +1853,7 @@ void audit_log_task_info(struct audit_buffer
> > *ab, struct task_struct *tsk)
> > 
> >   char comm[sizeof(tsk->comm)];
> >   struct mm_struct *mm = tsk->mm;
> >   char *tty;
> > 
> > + struct pid_namespace * pns;
> > 
> >   if (!ab)
> >   return;
> > 
> > @@ -1865,8 +1866,19 @@ void audit_log_task_info(struct audit_buffer
> > *ab, struct task_struct *tsk)
> > 
> >   tty = tsk->signal->tty->name;
> >   else
> >   tty = "(none)";
> > 
> > +
> > 
> >   spin_unlock_irq(&tsk->sighand->siglock);
> > 
> > + if ((pns = task_active_pid_ns(tsk)) != &init_pid_ns) {
> > +    pid_t nsppid = 0;
> > +    pid_t nspid  = 0;
> > +
> > +    nsppid = task_ppid_nr_ns(tsk, pns);
> > +    nspid  = task_pid_nr_ns(tsk, pns);
> > +
> > +    audit_log_format(ab, " nsppid=%d nspid=%d", nsppid, nspid);
> > + }
> > +
> > 
> >   audit_log_format(ab,
> >   " ppid=%d pid=%d auid=%u uid=%u gid=%u"
> >   " euid=%u suid=%u fsuid=%u"
> > 
> > --
> > 1.9.1

-- 
paul moore
security and virtualization @ redhat