RFE: support audit container ID records #51
Comments
This was referenced Jun 6, 2018
|
Posted v3 patchset upstream: |
|
Posted v4 patchset upstream: |
fcicq
pushed a commit
to fcicq/chromiumos-third_party-kernel
that referenced
this issue
Jan 20, 2019
Implement the proc fs write to set the audit container identifier of a process, emitting an AUDIT_CONTAINER_OP record to document the event. This is a write from the container orchestrator task to a proc entry of the form /proc/PID/audit_containerid where PID is the process ID of the newly created task that is to become the first task in a container, or an additional task added to a container. The write expects up to a u64 value (unset: 18446744073709551615). The writer must have capability CAP_AUDIT_CONTROL. This will produce a record such as this: type=CONTAINER_ID msg=audit(2018-06-06 12:39:29.636:26949) : op=set opid=2209 old-contid=18446744073709551615 contid=123456 pid=628 auid=root uid=root tty=ttyS0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=bash exe=/usr/bin/bash res=yes The "op" field indicates an initial set. The "pid" to "ses" fields are the orchestrator while the "opid" field is the object's PID, the process being "contained". Old and new audit container identifier values are given in the "contid" fields, while res indicates its success. It is not permitted to unset the audit container identifier. A child inherits its parent's audit container identifier. See: linux-audit/audit-kernel#90 See: linux-audit/audit-userspace#51 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]> Acked-by: Serge Hallyn <[email protected]> Acked-by: Steve Grubb <[email protected]> (am from https://patchwork.kernel.org/patch/10551315/) BUG=chromium:918980 TEST=Build, boot and GCP internal testing. Changed the return value of the default audit_get_contid as the kuid_t is a 32-bit value where the other version is a u64 failing compilation on 32-bit kernels. Signed-off-by: Thomas Garnier <[email protected]> Change-Id: Iee61e96d015715f1dde24f92c230f14410cb5a79 Reviewed-on: https://chromium-review.googlesource.com/1379655 Reviewed-by: Dmitry Torokhov <[email protected]> Reviewed-by: Robert Kolchmeyer <[email protected]> Reviewed-by: Kees Cook <[email protected]>
|
Test case v1 PR: linux-audit/audit-testsuite#83 |
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
May 28, 2019
This defines the message number for the audit container identifier registration record should the kernel headers not be up to date, gives the record number a name for printing and allows the record to be interpreted since it is in the 1000 range like AUDIT_LOGIN. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
May 28, 2019
This defines the message number for the audit container identifier information record should the kernel headers not be up to date and gives the record number a name for printing. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
May 31, 2019
This defines the message number for the audit container identifier registration record should the kernel headers not be up to date, gives the record number a name for printing and allows the record to be interpreted since it is in the 1000 range like AUDIT_LOGIN. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
May 31, 2019
This defines the message number for the audit container identifier information record should the kernel headers not be up to date and gives the record number a name for printing. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
fcicq
pushed a commit
to fcicq/chromiumos-third_party-kernel
that referenced
this issue
Jun 26, 2019
Implement the proc fs write to set the audit container identifier of a process, emitting an AUDIT_CONTAINER_OP record to document the event. This is a write from the container orchestrator task to a proc entry of the form /proc/PID/audit_containerid where PID is the process ID of the newly created task that is to become the first task in a container, or an additional task added to a container. The write expects up to a u64 value (unset: 18446744073709551615). The writer must have capability CAP_AUDIT_CONTROL. This will produce a record such as this: type=CONTAINER_OP msg=audit(2018-06-06 12:39:29.636:26949) : op=set opid=2209 contid=123456 old-contid=18446744073709551615 pid=628 auid=root uid=root tty=ttyS0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=bash exe=/usr/bin/bash res=yes The "op" field indicates an initial set. The "pid" to "ses" fields are the orchestrator while the "opid" field is the object's PID, the process being "contained". New and old audit container identifier values are given in the "contid" fields, while res indicates its success. It is not permitted to unset the audit container identifier. A child inherits its parent's audit container identifier. Please see the github audit kernel issue for the main feature: linux-audit/audit-kernel#90 Please see the github audit userspace issue for supporting additions: linux-audit/audit-userspace#51 Please see the github audit testsuiite issue for the test case: linux-audit/audit-testsuite#64 Please see the github audit wiki for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]> Acked-by: Serge Hallyn <[email protected]> Acked-by: Steve Grubb <[email protected]> Acked-by: Neil Horman <[email protected]> Reviewed-by: Ondrej Mosnacek <[email protected]> (am from https://patchwork.kernel.org/patch/10890465/) BUG=b/131183634 TEST=Build, boot and GCP internal testing. To make this change work, a call to audit_get_tty had to be changed to include the target task. Signed-off-by: Thomas Garnier <[email protected]> Change-Id: I350a70b7ea6aedcd277621398632f31e26b091da Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/1674488 Reviewed-by: Guenter Roeck <[email protected]> Commit-Queue: Thomas Garnier <[email protected]> Tested-by: Thomas Garnier <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Sep 19, 2019
This defines the message number for the audit container identifier registration record should the kernel headers not be up to date, gives the record number a name for printing and allows the record to be interpreted since it is in the 1000 range like AUDIT_LOGIN. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Sep 19, 2019
This defines the message number for the audit container identifier information record should the kernel headers not be up to date and gives the record number a name for printing. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Sep 19, 2019
Add support to be able to set a capability to allow a task to set the audit container identifier of descendants. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Add the audit_get_capcontid() and audit_set_capcontid() calls analogous to CAP_AUDIT_CONTROL for descendant user namespaces. Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Sep 20, 2019
This defines the message number for the audit container identifier registration record should the kernel headers not be up to date, gives the record number a name for printing and allows the record to be interpreted since it is in the 1000 range like AUDIT_LOGIN. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Sep 20, 2019
This defines the message number for the audit container identifier information record should the kernel headers not be up to date and gives the record number a name for printing. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Sep 20, 2019
Add support to be able to set a capability to allow a task to set the audit container identifier of descendants. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Add the audit_get_capcontid() and audit_set_capcontid() calls analogous to CAP_AUDIT_CONTROL for descendant user namespaces. Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Dec 6, 2019
This defines the message number for the audit container identifier registration record should the kernel headers not be up to date, gives the record number a name for printing and allows the record to be interpreted since it is in the 1000 range like AUDIT_LOGIN. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Dec 6, 2019
This defines the message number for the audit container identifier information record should the kernel headers not be up to date and gives the record number a name for printing. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Dec 6, 2019
Add support to be able to set a capability to allow a task to set the audit container identifier of descendants. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Add the audit_get_capcontid() and audit_set_capcontid() calls analogous to CAP_AUDIT_CONTROL for descendant user namespaces. Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Dec 31, 2019
This defines the message number for the audit container identifier registration record should the kernel headers not be up to date, gives the record number a name for printing and allows the record to be interpreted since it is in the 1000 range like AUDIT_LOGIN. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Dec 31, 2019
This defines the message number for the audit container identifier information record should the kernel headers not be up to date and gives the record number a name for printing. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Dec 31, 2019
Add support to be able to set a capability to allow a task to set the audit container identifier of descendants. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Add the audit_get_capcontid() and audit_set_capcontid() calls analogous to CAP_AUDIT_CONTROL for descendant user namespaces. Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Dec 31, 2019
Add support to be able to set a capability to allow a task to set the audit container identifier of descendants. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Add the audit_get_capcontid() and audit_set_capcontid() calls analogous to CAP_AUDIT_CONTROL for descendant user namespaces. Signed-off-by: Richard Guy Briggs <[email protected]>
|
post v8 |
fengguang
pushed a commit
to 0day-ci/linux
that referenced
this issue
Jan 3, 2020
Implement the proc fs write to set the audit container identifier of a process, emitting an AUDIT_CONTAINER_OP record to document the event. This is a write from the container orchestrator task to a proc entry of the form /proc/PID/audit_containerid where PID is the process ID of the newly created task that is to become the first task in a container, or an additional task added to a container. The write expects up to a u64 value (unset: 18446744073709551615). The writer must have capability CAP_AUDIT_CONTROL. This will produce a record such as this: type=CONTAINER_OP msg=audit(2018-06-06 12:39:29.636:26949) : op=set opid=2209 contid=123456 old-contid=18446744073709551615 The "op" field indicates an initial set. The "opid" field is the object's PID, the process being "contained". New and old audit container identifier values are given in the "contid" fields. It is not permitted to unset the audit container identifier. A child inherits its parent's audit container identifier. Please see the github audit kernel issue for the main feature: linux-audit/audit-kernel#90 Please see the github audit userspace issue for supporting additions: linux-audit/audit-userspace#51 Please see the github audit testsuiite issue for the test case: linux-audit/audit-testsuite#64 Please see the github audit wiki for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]> Acked-by: Serge Hallyn <[email protected]> Acked-by: Steve Grubb <[email protected]> Acked-by: Neil Horman <[email protected]> Reviewed-by: Ondrej Mosnacek <[email protected]> Signed-off-by: Richard Guy Briggs <[email protected]>
fengguang
pushed a commit
to 0day-ci/linux
that referenced
this issue
Jan 3, 2020
Create a new audit record AUDIT_CONTAINER_ID to document the audit container identifier of a process if it is present. Called from audit_log_exit(), syscalls are covered. A sample raw event: type=SYSCALL msg=audit(1519924845.499:257): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=56374e1cef30 a2=241 a3=1b6 items=2 ppid=606 pid=635 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="tmpcontainerid" type=CWD msg=audit(1519924845.499:257): cwd="/root" type=PATH msg=audit(1519924845.499:257): item=0 name="/tmp/" inode=13863 dev=00:27 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype= PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 type=PATH msg=audit(1519924845.499:257): item=1 name="/tmp/tmpcontainerid" inode=17729 dev=00:27 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1519924845.499:257): proctitle=62617368002D6300736C65657020313B206563686F2074657374203E202F746D702F746D70636F6E7461696E65726964 type=CONTAINER_ID msg=audit(1519924845.499:257): contid=123458 Please see the github audit kernel issue for the main feature: linux-audit/audit-kernel#90 Please see the github audit userspace issue for supporting additions: linux-audit/audit-userspace#51 Please see the github audit testsuiite issue for the test case: linux-audit/audit-testsuite#64 Please see the github audit wiki for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]> Acked-by: Serge Hallyn <[email protected]> Acked-by: Steve Grubb <[email protected]> Acked-by: Neil Horman <[email protected]> Reviewed-by: Ondrej Mosnacek <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Jun 26, 2020
This defines the message number for the audit container identifier registration record should the kernel headers not be up to date, gives the record number a name for printing and allows the record to be interpreted since it is in the 1000 range like AUDIT_LOGIN. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Jun 26, 2020
This defines the message number for the audit container identifier information record should the kernel headers not be up to date and gives the record number a name for printing. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Jun 26, 2020
Add support to be able to set a capability to allow a task to set the audit container identifier of descendants. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Add the audit_get_capcontid() and audit_set_capcontid() calls analogous to CAP_AUDIT_CONTROL for descendant user namespaces. Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Jun 27, 2020
Add support to be able to set a capability to allow a task to set the audit container identifier of descendants. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Add the audit_get_capcontid() and audit_set_capcontid() calls analogous to CAP_AUDIT_CONTROL for descendant user namespaces. Signed-off-by: Richard Guy Briggs <[email protected]>
fengguang
pushed a commit
to 0day-ci/linux
that referenced
this issue
Jun 27, 2020
Implement the proc fs write to set the audit container identifier of a process, emitting an AUDIT_CONTAINER_OP record to document the event. This is a write from the container orchestrator task to a proc entry of the form /proc/PID/audit_containerid where PID is the process ID of the newly created task that is to become the first task in a container, or an additional task added to a container. The write expects up to a u64 value (unset: 18446744073709551615). The writer must have capability CAP_AUDIT_CONTROL. This will produce a record such as this: type=CONTAINER_OP msg=audit(2018-06-06 12:39:29.636:26949) : op=set opid=2209 contid=123456 old-contid=18446744073709551615 The "op" field indicates an initial set. The "opid" field is the object's PID, the process being "contained". New and old audit container identifier values are given in the "contid" fields. It is not permitted to unset the audit container identifier. A child inherits its parent's audit container identifier. Store the audit container identifier in a refcounted kernel object that is added to the master list of audit container identifiers. This will allow multiple container orchestrators/engines to work on the same machine without danger of inadvertantly re-using an existing identifier. It will also allow an orchestrator to inject a process into an existing container by checking if the original container owner is the one injecting the task. A hash table list is used to optimize searches. Please see the github audit kernel issue for the main feature: linux-audit/audit-kernel#90 Please see the github audit userspace issue for supporting additions: linux-audit/audit-userspace#51 Please see the github audit testsuiite issue for the test case: linux-audit/audit-testsuite#64 Please see the github audit wiki for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]> Acked-by: Serge Hallyn <[email protected]> Acked-by: Steve Grubb <[email protected]> Acked-by: Neil Horman <[email protected]> Reviewed-by: Ondrej Mosnacek <[email protected]>
fengguang
pushed a commit
to 0day-ci/linux
that referenced
this issue
Jun 27, 2020
Create a new audit record AUDIT_CONTAINER_ID to document the audit container identifier of a process if it is present. Called from audit_log_exit(), syscalls are covered. Include target_cid references from ptrace and signal. A sample raw event: type=SYSCALL msg=audit(1519924845.499:257): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=56374e1cef30 a2=241 a3=1b6 items=2 ppid=606 pid=635 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="tmpcontainerid" type=CWD msg=audit(1519924845.499:257): cwd="/root" type=PATH msg=audit(1519924845.499:257): item=0 name="/tmp/" inode=13863 dev=00:27 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype= PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 type=PATH msg=audit(1519924845.499:257): item=1 name="/tmp/tmpcontainerid" inode=17729 dev=00:27 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1519924845.499:257): proctitle=62617368002D6300736C65657020313B206563686F2074657374203E202F746D702F746D70636F6E7461696E65726964 type=CONTAINER_ID msg=audit(1519924845.499:257): contid=123458 Please see the github audit kernel issue for the main feature: linux-audit/audit-kernel#90 Please see the github audit userspace issue for supporting additions: linux-audit/audit-userspace#51 Please see the github audit testsuiite issue for the test case: linux-audit/audit-testsuite#64 Please see the github audit wiki for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]> Acked-by: Serge Hallyn <[email protected]> Acked-by: Steve Grubb <[email protected]> Acked-by: Neil Horman <[email protected]> Reviewed-by: Ondrej Mosnacek <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Nov 26, 2020
Add support to be able to set a capability to allow a task to set the audit container identifier of descendants. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Add the audit_get_capcontid() and audit_set_capcontid() calls analogous to CAP_AUDIT_CONTROL for descendant user namespaces. Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Nov 26, 2020
This defines the message number for the audit container identifier registration record should the kernel headers not be up to date, gives the record number a name for printing and allows the record to be interpreted since it is in the 1000 range like AUDIT_LOGIN. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Nov 26, 2020
This defines the message number for the audit container identifier information record should the kernel headers not be up to date and gives the record number a name for printing. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Nov 26, 2020
Add support to be able to set a capability to allow a task to set the audit container identifier of descendants. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Add the audit_get_capcontid() and audit_set_capcontid() calls analogous to CAP_AUDIT_CONTROL for descendant user namespaces. Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Dec 18, 2020
This defines the message number for the audit container identifier registration record should the kernel headers not be up to date, gives the record number a name for printing and allows the record to be interpreted since it is in the 1000 range like AUDIT_LOGIN. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Dec 18, 2020
This defines the message number for the audit container identifier information record should the kernel headers not be up to date and gives the record number a name for printing. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Dec 18, 2020
Add support to be able to set a capability to allow a task to set the audit container identifier of descendants. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Add the audit_get_capcontid() and audit_set_capcontid() calls analogous to CAP_AUDIT_CONTROL for descendant user namespaces. Signed-off-by: Richard Guy Briggs <[email protected]>
fengguang
pushed a commit
to 0day-ci/linux
that referenced
this issue
Dec 22, 2020
Implement the proc fs write to set the audit container identifier of a process, emitting an AUDIT_CONTAINER_OP record to document the event. This is a write from the container orchestrator task to a proc entry of the form /proc/PID/audit_containerid where PID is the process ID of the newly created task that is to become the first task in a container, or an additional task added to a container. The write expects up to a u64 value (unset: 18446744073709551615). The writer must have capability CAP_AUDIT_CONTROL. This will produce a record such as this: time->Thu Nov 26 10:24:46 2020 type=PROCTITLE msg=audit(1606404286.956:174546): proctitle=2F7573722F62696E2F7065726C002D7700636F6E7461696E657269642F74657374 type=SYSCALL msg=audit(1606404286.956:174546): arch=c000003e syscall=1 success=yes exit=19 a0=6 a1=557446a6a650 a2=13 a3=8 items=0 ppid=6827 pid=8724 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="perl" exe="/usr/bin/perl" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) type=CONTAINER_OP msg=audit(1606404286.956:174546): op=set opid=8771 contid=4112973747854606336 old-contid=-1 The "op" field indicates an initial set. The "opid" field is the object's PID, the process being "contained". New and old audit container identifier values are given in the "contid" fields. It is not permitted to unset the audit container identifier. A child inherits its parent's audit container identifier. Store the audit container identifier in a refcounted kernel object that is added to the master list of audit container identifiers. This will allow multiple container orchestrators/engines to work on the same machine without danger of inadvertantly re-using an existing identifier. It will also allow an orchestrator to inject a process into an existing container by checking if the original container owner is the one injecting the task. A hash table list is used to optimize searches. audit: log drop of contid on exit of last task Since the life of each audit container indentifier is being tracked, we can match the creation event with the destruction event. Log the destruction of the audit container identifier when the last process in that container exits. Add support for reading the audit container identifier from the proc filesystem. This is a read from the proc entry of the form /proc/PID/audit_containerid where PID is the process ID of the task whose audit container identifier is sought. The read expects up to a u64 value (unset: 18446744073709551615). This read requires CAP_AUDIT_CONTROL. Add an entry to Documentation/ABI for /proc/$pid/audit_containerid. Please see the github audit kernel issue for the main feature: linux-audit/audit-kernel#90 Please see the github audit userspace issue for supporting additions: linux-audit/audit-userspace#51 Please see the github audit testsuiite issue for the test case: linux-audit/audit-testsuite#64 Please see the github audit wiki for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]> Acked-by: Serge Hallyn <[email protected]> Acked-by: Steve Grubb <[email protected]> Acked-by: Neil Horman <[email protected]> Reviewed-by: Ondrej Mosnacek <[email protected]>
fengguang
pushed a commit
to 0day-ci/linux
that referenced
this issue
Dec 22, 2020
Create a new audit record AUDIT_CONTAINER_ID to document the audit container identifier of a process if it is present. Called from audit_log_exit(), syscalls are covered. Include target_cid references from ptrace and signal. A sample raw event: time->Thu Nov 26 10:24:40 2020 type=PROCTITLE msg=audit(1606404280.226:174542): proctitle=2F7573722F62696E2F7065726C002D7700636F6E7461696E657269642F74657374 type=PATH msg=audit(1606404280.226:174542): item=1 name="/tmp/audit-testsuite-dir-8riQ/testsuite-1606404267-WNldVJCr" inode=428 dev=00:1f mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(1606404280.226:174542): item=0 name="/tmp/audit-testsuite-dir-8riQ/" inode=427 dev=00:1f mode=040700 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(1606404280.226:174542): cwd="/root/rgb/git/audit-testsuite/tests" type=SYSCALL msg=audit(1606404280.226:174542): arch=c000003e syscall=257 success=yes exit=6 a0=ffffff9c a1=557446bd5f10 a2=80241 a3=1b6 items=2 ppid=8724 pid=8758 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="perl" exe="/usr/bin/perl" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="testsuite-1606404267-WNldVJCr" record=1 type=CONTAINER_ID msg=audit(1606404280.226:174542): record=1 contid=527940429489930240 Please see the github audit kernel issue for the main feature: linux-audit/audit-kernel#90 Please see the github audit userspace issue for supporting additions: linux-audit/audit-userspace#51 Please see the github audit testsuiite issue for the test case: linux-audit/audit-testsuite#64 Please see the github audit wiki for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]> Acked-by: Serge Hallyn <[email protected]> Acked-by: Steve Grubb <[email protected]> Acked-by: Neil Horman <[email protected]> Reviewed-by: Ondrej Mosnacek <[email protected]>
fengguang
pushed a commit
to 0day-ci/linux
that referenced
this issue
Jan 12, 2021
Implement the proc fs write to set the audit container identifier of a process, emitting an AUDIT_CONTAINER_OP record to document the event. This is a write from the container orchestrator task to a proc entry of the form /proc/PID/audit_containerid where PID is the process ID of the newly created task that is to become the first task in a container, or an additional task added to a container. The write expects up to a u64 value (unset: 18446744073709551615). The writer must have capability CAP_AUDIT_CONTROL. This will produce an event such as this with the new CONTAINER_OP record: time->Thu Nov 26 10:24:27 2020 type=PROCTITLE msg=audit(1606404267.551:174524): proctitle=2F7573722F62696E2F7065726C002D7700636F6E7461696E657269642F74657374 type=SYSCALL msg=audit(1606404267.551:174524): arch=c000003e syscall=1 success=yes exit=20 a0=6 a1=557446aa9180 a2=14 a3=100 items=0 ppid=6827 pid=8724 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="perl" exe="/usr/bin/perl" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) type=CONTAINER_OP msg=audit(1606404267.551:174524): op=set opid=8730 contid=4515122123205246976 old-contid=-1 The "op" field indicates an initial set. The "opid" field is the object's PID, the process being "contained". New and old audit container identifier values are given in the "contid" fields. It is not permitted to unset the audit container identifier. A child inherits its parent's audit container identifier. Store the audit container identifier in a refcounted kernel object that is added to the master list of audit container identifiers. This will allow multiple container orchestrators/engines to work on the same machine without danger of inadvertantly re-using an existing identifier. It will also allow an orchestrator to inject a process into an existing container by checking if the original container owner is the one injecting the task. A hash table list is used to optimize searches. Since the life of each audit container indentifier is being tracked, we match the creation event with the destruction event. Log the drop of the audit container identifier when the last process in that container exits. Add support for reading the audit container identifier from the proc filesystem. This is a read from the proc entry of the form /proc/PID/audit_containerid where PID is the process ID of the task whose audit container identifier is sought. The read expects up to a u64 value (unset: (u64)-1). This read requires CAP_AUDIT_CONTROL. Add an entry to Documentation/ABI for /proc/$pid/audit_containerid. Please see the github audit kernel issue for the main feature: linux-audit/audit-kernel#90 Please see the github audit userspace issue for supporting additions: linux-audit/audit-userspace#51 Please see the github audit testsuiite issue for the test case: linux-audit/audit-testsuite#64 Please see the github audit wiki for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
fengguang
pushed a commit
to 0day-ci/linux
that referenced
this issue
Jan 12, 2021
Create a new audit record AUDIT_CONTAINER_ID to document the audit container identifier of a process if it is present. Called from audit_log_exit(), syscalls are covered. Include target_cid references from ptrace and signal. A sample raw event: time->Thu Nov 26 10:24:40 2020 type=PROCTITLE msg=audit(1606404280.226:174542): proctitle=2F7573722F62696E2F7065726C002D7700636F6E7461696E657269642F74657374 type=PATH msg=audit(1606404280.226:174542): item=1 name="/tmp/audit-testsuite-dir-8riQ/testsuite-1606404267-WNldVJCr" inode=428 dev=00:1f mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(1606404280.226:174542): item=0 name="/tmp/audit-testsuite-dir-8riQ/" inode=427 dev=00:1f mode=040700 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(1606404280.226:174542): cwd="/root/rgb/git/audit-testsuite/tests" type=SYSCALL msg=audit(1606404280.226:174542): arch=c000003e syscall=257 success=yes exit=6 a0=ffffff9c a1=557446bd5f10 a2=80241 a3=1b6 items=2 ppid=8724 pid=8758 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="perl" exe="/usr/bin/perl" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="testsuite-1606404267-WNldVJCr" record=1 type=CONTAINER_ID msg=audit(1606404280.226:174542): record=1 contid=527940429489930240 Please see the github audit kernel issue for the main feature: linux-audit/audit-kernel#90 Please see the github audit userspace issue for supporting additions: linux-audit/audit-userspace#51 Please see the github audit testsuiite issue for the test case: linux-audit/audit-testsuite#64 Please see the github audit wiki for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
|
Closing this out. A tracker for this is not needed. When a patch is available, just do a pull request. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add userspace audit tool support for the features introduced by kernel audit container ID support.
See: linux-audit/audit-kernel#90
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
The text was updated successfully, but these errors were encountered: