From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:44718 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932305AbeCDV4J (ORCPT ); Sun, 4 Mar 2018 16:56:09 -0500 Received: from pps.filterd (m0098409.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w24LsI95006762 for ; Sun, 4 Mar 2018 16:56:09 -0500 Received: from e06smtp10.uk.ibm.com (e06smtp10.uk.ibm.com [195.75.94.106]) by mx0a-001b2d01.pphosted.com with ESMTP id 2gg9kfp01v-1 (version=TLSv1.2 cipher=AES256-SHA256 bits=256 verify=NOT) for ; Sun, 04 Mar 2018 16:56:08 -0500 Received: from localhost by e06smtp10.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Sun, 4 Mar 2018 21:56:06 -0000 Subject: Re: [RFC PATCH V1 00/12] audit: implement container id From: Mimi Zohar To: Richard Guy Briggs , cgroups@vger.kernel.org, containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List , linux-fsdevel@vger.kernel.org, LKML , netdev@vger.kernel.org Cc: mszeredi@redhat.com, ebiederm@xmission.com, simo@redhat.com, jlayton@redhat.com, carlos@redhat.com, dhowells@redhat.com, viro@zeniv.linux.org.uk, luto@kernel.org, eparis@parisplace.org, trondmy@primarydata.com, serge@hallyn.com Date: Sun, 04 Mar 2018 16:55:57 -0500 In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Message-Id: <1520200557.10396.257.camel@linux.vnet.ibm.com> Sender: linux-fsdevel-owner@vger.kernel.org List-ID: On Thu, 2018-03-01 at 14:41 -0500, Richard Guy Briggs wrote: > Implement audit kernel container ID. > > This patchset is a preliminary RFC based on the proposal document (V3) > posted: > https://www.redhat.com/archives/linux-audit/2018-January/msg00014.html > > The first patch implements the proc fs write to set the audit container > ID of a process, emitting an AUDIT_CONTAINER record. > > The second implements an auxiliary syscall record AUDIT_CONTAINER_INFO > if a container ID is present on a task. > > The third adds filtering to the exit, exclude and user lists. > > The 4th, implements reading the container ID from the proc filesystem > for debugging. This isn't planned for upstream inclusion. > > The 5th adds signal and ptrace support. > > The 6th attempts to create a local audit context to be able to bind a > standalone record with the container ID record. > > The 7th, 8th, 9th, 10th patches add container ID records to standalone > records. Some of these may end up being syscall auxiliary records and > won't need this specific support since they'll be supported via > syscalls. > > The 11th is a temporary workaround due to the AUDIT_CONTAINER records > not showing up as do AUDIT_LOGIN records. I suspect this is due to its > range (1000 vs 1300), but the intent is to solve it. > > The 12th adds debug information not intended for upstream for those > brave souls wanting to tinker with it in this early state. > > Feedback please! Which tree can this patch set be applied to? Mimi > Here's a quick and dirty test script: > echo 123455 > /proc/$$/containerid; echo $? > sleep 4& > child=$!; sleep 1 > echo 18446744073709551615 > /proc/$child/containerid; echo $? > echo 123456 > /proc/$child/containerid; echo $? > echo 123457 > /proc/$child/containerid; echo $? > sleep 1 > ausearch -ts recent |grep " contid=18446744073709551615"; echo $? > ausearch -ts recent |grep " contid=123456"; echo $? > ausearch -ts recent |grep " contid=123457"; echo $? > echo self:$$ contid:$( cat /proc/$$/containerid) > echo child:$child contid:$( cat /proc/$child/containerid) > > containerid=123458 > key=tmpcontainerid > auditctl -a exit,always -F dir=/tmp -F perm=wa -F containerid=$containerid -F key=$key || echo failed to add containerid filter rule > bash -c "sleep 1; echo test > /tmp/$key"& > child=$! > echo $containerid > /proc/$child/containerid > sleep 2 > rm -f /tmp/$key > ausearch -ts recent -k $key || echo failed to find CONTAINER_INFO record > auditctl -d exit,always -F dir=/tmp -F perm=wa -F containerid=$containerid -F key=$key || echo failed to add containerid filter rule > > See: > https://github.com/linux-audit/audit-kernel/issues/32 > https://github.com/linux-audit/audit-userspace/issues/40 > https://github.com/linux-audit/audit-testsuite/issues/64 > > Richard Guy Briggs (12): > audit: add container id > audit: log container info of syscalls > audit: add containerid filtering > audit: read container ID of a process > audit: add containerid support for ptrace and signals > audit: add support for non-syscall auxiliary records > audit: add container aux record to watch/tree/mark > audit: add containerid support for tty_audit > audit: add containerid support for config/feature/user records > audit: add containerid support for seccomp and anom_abend records > debug audit: add container id > debug! audit: add container id > > drivers/tty/tty_audit.c | 5 +- > fs/proc/base.c | 63 +++++++++++++++++++ > include/linux/audit.h | 36 +++++++++++ > include/linux/init_task.h | 4 +- > include/linux/sched.h | 1 + > include/uapi/linux/audit.h | 9 ++- > kernel/audit.c | 74 +++++++++++++++++++--- > kernel/audit.h | 3 + > kernel/audit_fsnotify.c | 5 +- > kernel/audit_tree.c | 5 +- > kernel/audit_watch.c | 33 +++++----- > kernel/auditfilter.c | 52 ++++++++++++++- > kernel/auditsc.c | 154 +++++++++++++++++++++++++++++++++++++++++++-- > 13 files changed, 408 insertions(+), 36 deletions(-) >