Add container ID support to ptrace and signals. In particular, the "op" field provides a way to label the auxiliary record to which it is associated.
Signed-off-by: Richard Guy Briggs <r...@redhat.com> --- include/linux/audit.h | 16 +++++++++++----- kernel/audit.c | 12 ++++++++---- kernel/audit.h | 2 ++ kernel/auditsc.c | 19 +++++++++++++++---- 4 files changed, 36 insertions(+), 13 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index f10ca1b..ed16bb6 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -35,6 +35,7 @@ struct audit_sig_info { uid_t uid; pid_t pid; char ctx[0]; + u64 cid; }; struct audit_buffer; @@ -155,8 +156,8 @@ extern void audit_log_link_denied(const char *operation, extern int audit_log_task_context(struct audit_buffer *ab); extern void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk); -extern int audit_log_container_info(struct task_struct *tsk, - struct audit_context *context); +extern int audit_log_container_info(struct audit_context *context, + char *op, u64 containerid); extern int audit_update_lsm_rules(void); @@ -208,8 +209,8 @@ static inline int audit_log_task_context(struct audit_buffer *ab) static inline void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk) { } -static inline int audit_log_container_info(struct task_struct *tsk, - struct audit_context *context); +static inline int audit_log_container_info(struct audit_context *context, + char *op, u64 containerid); { } #define audit_enabled 0 #endif /* CONFIG_AUDIT */ @@ -598,9 +599,14 @@ static inline bool audit_loginuid_set(struct task_struct *tsk) return uid_valid(audit_get_loginuid(tsk)); } +static inline bool cid_valid(u64 containerid) +{ + return containerid != INVALID_CID; +} + static inline bool audit_containerid_set(struct task_struct *tsk) { - return audit_get_containerid(tsk) != INVALID_CID; + return cid_valid(audit_get_containerid(tsk)); } static inline void audit_log_string(struct audit_buffer *ab, const char *buf) diff --git a/kernel/audit.c b/kernel/audit.c index 8dc745f..f5cd0bc 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -142,6 +142,7 @@ struct audit_net { kuid_t audit_sig_uid = INVALID_UID; pid_t audit_sig_pid = -1; u32 audit_sig_sid = 0; +u64 audit_sig_cid = INVALID_CID; /* Records can be lost in several ways: 0) [suppressed in audit_alloc] @@ -1394,6 +1395,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) memcpy(sig_data->ctx, ctx, len); security_release_secctx(ctx, len); } + sig_data->cid = audit_sig_cid; audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0, sig_data, sizeof(*sig_data) + len); kfree(sig_data); @@ -1998,20 +2000,22 @@ void audit_log_session_info(struct audit_buffer *ab) /* * audit_log_container_info - report container info - * @tsk: task to be recorded * @context: task or local context for record + * @op: containerid string description + * @containerid: container ID to report */ -int audit_log_container_info(struct task_struct *tsk, struct audit_context *context) +int audit_log_container_info(struct audit_context *context, + char *op, u64 containerid) { struct audit_buffer *ab; - if (!audit_containerid_set(tsk)) + if (!cid_valid(containerid)) return 0; /* Generate AUDIT_CONTAINER_INFO with container ID */ ab = audit_log_start(context, GFP_KERNEL, AUDIT_CONTAINER_INFO); if (!ab) return -ENOMEM; - audit_log_format(ab, "contid=%llu", audit_get_containerid(tsk)); + audit_log_format(ab, "op=%s contid=%llu", op, containerid); audit_log_end(ab); return 0; } diff --git a/kernel/audit.h b/kernel/audit.h index 683316a..abbabba 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -147,6 +147,7 @@ struct audit_context { kuid_t target_uid; unsigned int target_sessionid; u32 target_sid; + u64 target_cid; char target_comm[TASK_COMM_LEN]; struct audit_tree_refs *trees, *first_trees; @@ -330,6 +331,7 @@ extern void audit_log_d_path_exe(struct audit_buffer *ab, extern pid_t audit_sig_pid; extern kuid_t audit_sig_uid; extern u32 audit_sig_sid; +extern u64 audit_sig_cid; extern int audit_filter(int msgtype, unsigned int listtype); diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 34396cb..0e41884 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -113,6 +113,7 @@ struct audit_aux_data_pids { kuid_t target_uid[AUDIT_AUX_PIDS]; unsigned int target_sessionid[AUDIT_AUX_PIDS]; u32 target_sid[AUDIT_AUX_PIDS]; + u64 target_cid[AUDIT_AUX_PIDS]; char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN]; int pid_count; }; @@ -1422,21 +1423,27 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts for (aux = context->aux_pids; aux; aux = aux->next) { struct audit_aux_data_pids *axs = (void *)aux; - for (i = 0; i < axs->pid_count; i++) + for (i = 0; i < axs->pid_count; i++) { + char axsn[sizeof("aux0xN ")]; + + sprintf(axsn, "aux0x%x", i); if (audit_log_pid_context(context, axs->target_pid[i], axs->target_auid[i], axs->target_uid[i], axs->target_sessionid[i], axs->target_sid[i], - axs->target_comm[i])) + axs->target_comm[i]) + && audit_log_container_info(context, axsn, axs->target_cid[i])) call_panic = 1; + } } if (context->target_pid && audit_log_pid_context(context, context->target_pid, context->target_auid, context->target_uid, context->target_sessionid, - context->target_sid, context->target_comm)) + context->target_sid, context->target_comm) + && audit_log_container_info(context, "target", context->target_cid)) call_panic = 1; if (context->pwd.dentry && context->pwd.mnt) { @@ -1456,7 +1463,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts audit_log_proctitle(tsk, context); - audit_log_container_info(tsk, context); + audit_log_container_info(context, "task", audit_get_containerid(tsk)); /* Send end of event record to help user space know we are finished */ ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE); @@ -2354,6 +2361,7 @@ void __audit_ptrace(struct task_struct *t) context->target_uid = task_uid(t); context->target_sessionid = audit_get_sessionid(t); security_task_getsecid(t, &context->target_sid); + context->target_cid = audit_get_containerid(t); memcpy(context->target_comm, t->comm, TASK_COMM_LEN); } @@ -2381,6 +2389,7 @@ int audit_signal_info(int sig, struct task_struct *t) else audit_sig_uid = uid; security_task_getsecid(tsk, &audit_sig_sid); + audit_sig_cid = audit_get_containerid(tsk); } if (!audit_signals || audit_dummy_context()) @@ -2394,6 +2403,7 @@ int audit_signal_info(int sig, struct task_struct *t) ctx->target_uid = t_uid; ctx->target_sessionid = audit_get_sessionid(t); security_task_getsecid(t, &ctx->target_sid); + ctx->target_cid = audit_get_containerid(t); memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN); return 0; } @@ -2415,6 +2425,7 @@ int audit_signal_info(int sig, struct task_struct *t) axp->target_uid[axp->pid_count] = t_uid; axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t); security_task_getsecid(t, &axp->target_sid[axp->pid_count]); + axp->target_cid[axp->pid_count] = audit_get_containerid(t); memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN); axp->pid_count++; -- 1.8.3.1 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit