Re: [PATCH] audit: do not panic on invalid boot parameter

2018-03-05 Thread Richard Guy Briggs
On 2018-03-05 15:05, Greg Edwards wrote:
> If you pass in an invalid audit boot parameter value, e.g. "audit=off",
> the kernel panics very early in boot before the regular console is
> initialized.  Unless you have earlyprintk enabled, there is no
> indication of what the problem is on the console.
> 
> Convert the panic() calls to pr_err(), and leave auditing enabled if an
> invalid parameter value was passed in.
> 
> Modify the parameter to also accept "on" or "off" as valid values, and
> update the documentation accordingly.
> 
> Signed-off-by: Greg Edwards 
> ---
> Changes v2 -> v3:
>   - convert panic() calls to pr_err()
>   - add handling of "on"/"off" as valid values
>   - update documentation
> 
> Changes v1 -> v2:
>   - default to auditing enabled for the error case
> 
>  Documentation/admin-guide/kernel-parameters.txt | 14 +++---
>  kernel/audit.c  | 21 ++---
>  2 files changed, 21 insertions(+), 14 deletions(-)
> 
> diff --git a/Documentation/admin-guide/kernel-parameters.txt 
> b/Documentation/admin-guide/kernel-parameters.txt
> index 1d1d53f85ddd..0b926779315c 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -389,15 +389,15 @@
>   Use software keyboard repeat
>  
>   audit=  [KNL] Enable the audit sub-system
> - Format: { "0" | "1" } (0 = disabled, 1 = enabled)
> - 0 - kernel audit is disabled and can not be enabled
> - until the next reboot
> + Format: { "0" | "1" | "off" | "on" }
> + 0 | off - kernel audit is disabled and can not be
> + enabled until the next reboot
>   unset - kernel audit is initialized but disabled and
>   will be fully enabled by the userspace auditd.
> - 1 - kernel audit is initialized and partially enabled,
> - storing at most audit_backlog_limit messages in
> - RAM until it is fully enabled by the userspace
> - auditd.
> + 1 | on - kernel audit is initialized and partially
> + enabled, storing at most audit_backlog_limit
> + messages in RAM until it is fully enabled by the
> + userspace auditd.
>   Default: unset
>  
>   audit_backlog_limit= [KNL] Set the audit queue size limit.
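Review bot: the Format line documents "off" and "on" as the only spellings, but the parser in kernel/audit.c below compares them with strcasecmp() while "0"/"1" go through strcmp(), so "OFF" and "On" are accepted without the table saying so. Either add "(case-insensitive)" to the keyword forms here or use strcmp() for all four values so the documentation and the code agree.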
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 227db99b0f19..8fccea5ded71 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1567,19 +1567,26 @@ static int __init audit_init(void)
>  }
>  postcore_initcall(audit_init);
>  
> -/* Process kernel command-line parameter at boot time.  audit=0 or audit=1. 
> */
> +/*
> + * Process kernel command-line parameter at boot time.
> + * audit={0|off} or audit={1|on}.
> + */
>  static int __init audit_enable(char *str)
>  {
> - long val;
> -
> - if (kstrtol(str, 0, &val))
> - panic("audit: invalid 'audit' parameter value (%s)\n", str);
> - audit_default = (val ? AUDIT_ON : AUDIT_OFF);
> + if (!strcasecmp(str, "off") || !strcmp(str, "0"))
> + audit_default = AUDIT_OFF;
> + else if (!strcasecmp(str, "on") || !strcmp(str, "1"))
> + audit_default = AUDIT_ON;
> + else {
> + pr_err("audit: invalid 'audit' parameter value (%s)\n", str);
> + audit_default = AUDIT_ON;
> + }
>  
>   if (audit_default == AUDIT_OFF)
>   audit_initialized = AUDIT_DISABLED;
>   if (audit_set_enabled(audit_default))
> - panic("audit: error setting audit state (%d)\n", audit_default);
> + pr_err("audit: error setting audit state (%d)\n",
> +audit_default);

This patch looks good.
However, I wonder if this second panic should be left alone, since it
isn't related to the two audit_default options above.
audit_set_enabled() can't be sent AUDIT_LOCKED from here, there must be
an error returned from looking up the security context when trying to
log the config change.  There is already an audit_panic when that is
detected, but this is so early that audit_panic won't be configured to
panic yet and defaults to printk.  If it is also so early that no LSMs
have been loaded yet then this concern is moot.  There is still the
question of just how useful it is to panic this early.

>   pr_info("%s\n", audit_default ?
>   "enabled (after initialization)" : "disabled (until reboot)");
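Review bot: once the second panic() becomes a pr_err(), the closing pr_info() still reports "enabled (after initialization)" based on audit_default even when audit_set_enabled() has just failed, so the boot log will claim auditing is on although the state change did not take. If that panic is downgraded, either return right after the pr_err() or make the pr_info() reflect the actual outcome rather than the requested one.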
> -- 
> 2.14.3
> 

- RGB

--
Richard Guy Briggs 
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


Re: audit watch rules and docker containers

2018-03-05 Thread Steve Grubb
On Mon, 5 Mar 2018 03:06:44 + (UTC)
Rakesh  wrote:

> Hi Steve,
> Thanks for taking the time to look at it. I have been following the
> conversation on adding container support to audit, however I am not
> looking for container id in the event. I did some more tests and find
> it works as expected for syscalls - -a always,exit -F arch=b64 -S
> connect -F exit!=-ENOENT -F key=connect
> 
> and the audit event in log is -
> arch=c03e syscall=42 success=yes exit=0 a0=1 a1=5562d1bb40f8
> a2=16 a3=7ffd9db76460 items=1 ppid=2 pid=60470 auid=4294967295 uid=0
> gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
> ses=4294967295 comm="systemd-cgroups"
> exe="/lib/systemd/systemd-cgroups-agent" key="connect"
> 
> But it's the watch events which are not working.

Watches are a convenience that changes a human path into a device and
inode. That is really what is watched. I think that if you have a watch
on /etc/passwd, and a container has its own /etc/passwd, then you will
have a different inode if not device.

Hopefully this is being taken into account with the redesign or at
least the ability to express that you want them all somehow.

-Steve
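Steve's point that a watch is keyed on the device and inode rather than on the path can be checked directly. The script below is an added example, not code from the thread: it compares the (st_dev, st_ino) pair of two paths, using a constructed temp directory with a hard link (same inode, which is what a bind mount of the host file would give) and a plain copy (what a container image's own /etc/passwd is) to show which of the two a host-side watch would cover; container_view() is a hypothetical helper that builds the /proc/PID/root path for the same check on a live system.

```python
import os
import shutil
import tempfile
from typing import Dict, Tuple


def watch_key(path: str) -> Tuple[int, int]:
    """The pair an audit watch is really keyed on: device and inode of `path`.

    auditctl resolves the path once on the host, so a different file that
    happens to sit at the same path inside a container's root filesystem is
    not watched.
    """
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


def same_watched_object(host_path: str, other_path: str) -> bool:
    """True if a watch placed on host_path also fires for accesses via other_path."""
    return watch_key(host_path) == watch_key(other_path)


def container_view(pid: int, path: str) -> str:
    """Hypothetical helper: host-side path of `path` as seen in the mount
    namespace of process `pid`, reached through /proc/PID/root (root needed)."""
    return "/proc/%d/root/%s" % (pid, path.lstrip("/"))


def demo() -> Dict[str, bool]:
    """Constructed scenario: one 'host' file, a hard link to it, and a copy."""
    with tempfile.TemporaryDirectory() as d:
        host = os.path.join(d, "passwd")
        with open(host, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed content
        # Same inode on the same device: what a bind mount of the host file gives.
        linked = os.path.join(d, "passwd.bindlike")
        os.link(host, linked)
        # Separate file with identical content: a container image's own copy.
        copied = os.path.join(d, "passwd.copy")
        shutil.copyfile(host, copied)
        return {
            "bind_like_covered": same_watched_object(host, linked),
            "container_copy_covered": same_watched_object(host, copied),
        }


if __name__ == "__main__":
    for name, covered in demo().items():
        print("%s: %s" % (name, "watched" if covered else "NOT watched"))
```

On a real host, compare watch_key("/etc/passwd") with watch_key(container_view(pid, "/etc/passwd")) for the container's PID; a mismatch means the host watch will never fire for the container's file.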



[PATCH] audit: do not panic on invalid boot parameter

2018-03-05 Thread Greg Edwards
If you pass in an invalid audit boot parameter value, e.g. "audit=off",
the kernel panics very early in boot before the regular console is
initialized.  Unless you have earlyprintk enabled, there is no
indication of what the problem is on the console.

Convert the panic() calls to pr_err(), and leave auditing enabled if an
invalid parameter value was passed in.

Modify the parameter to also accept "on" or "off" as valid values, and
update the documentation accordingly.

Signed-off-by: Greg Edwards 
---
Changes v2 -> v3:
  - convert panic() calls to pr_err()
  - add handling of "on"/"off" as valid values
  - update documentation

Changes v1 -> v2:
  - default to auditing enabled for the error case

 Documentation/admin-guide/kernel-parameters.txt | 14 +++---
 kernel/audit.c  | 21 ++---
 2 files changed, 21 insertions(+), 14 deletions(-)

diff --git a/Documentation/admin-guide/kernel-parameters.txt 
b/Documentation/admin-guide/kernel-parameters.txt
index 1d1d53f85ddd..0b926779315c 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -389,15 +389,15 @@
Use software keyboard repeat
 
audit=  [KNL] Enable the audit sub-system
-   Format: { "0" | "1" } (0 = disabled, 1 = enabled)
-   0 - kernel audit is disabled and can not be enabled
-   until the next reboot
+   Format: { "0" | "1" | "off" | "on" }
+   0 | off - kernel audit is disabled and can not be
+   enabled until the next reboot
unset - kernel audit is initialized but disabled and
will be fully enabled by the userspace auditd.
-   1 - kernel audit is initialized and partially enabled,
-   storing at most audit_backlog_limit messages in
-   RAM until it is fully enabled by the userspace
-   auditd.
+   1 | on - kernel audit is initialized and partially
+   enabled, storing at most audit_backlog_limit
+   messages in RAM until it is fully enabled by the
+   userspace auditd.
Default: unset
 
audit_backlog_limit= [KNL] Set the audit queue size limit.
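Review bot: the table does not say what happens with a value that is none of "0", "1", "off" or "on"; with this patch the parser logs an error and falls through to AUDIT_ON, so an unrecognised value now behaves like "1 | on" rather than like "unset". Worth one more line here (e.g. "any other value - treated as 1 | on and an error is logged") so an admin can predict what a typo does.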
diff --git a/kernel/audit.c b/kernel/audit.c
index 227db99b0f19..8fccea5ded71 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1567,19 +1567,26 @@ static int __init audit_init(void)
 }
 postcore_initcall(audit_init);
 
-/* Process kernel command-line parameter at boot time.  audit=0 or audit=1. */
+/*
+ * Process kernel command-line parameter at boot time.
+ * audit={0|off} or audit={1|on}.
+ */
 static int __init audit_enable(char *str)
 {
-   long val;
-
-   if (kstrtol(str, 0, &val))
-   panic("audit: invalid 'audit' parameter value (%s)\n", str);
-   audit_default = (val ? AUDIT_ON : AUDIT_OFF);
+   if (!strcasecmp(str, "off") || !strcmp(str, "0"))
+   audit_default = AUDIT_OFF;
+   else if (!strcasecmp(str, "on") || !strcmp(str, "1"))
+   audit_default = AUDIT_ON;
+   else {
+   pr_err("audit: invalid 'audit' parameter value (%s)\n", str);
+   audit_default = AUDIT_ON;
+   }
 
if (audit_default == AUDIT_OFF)
audit_initialized = AUDIT_DISABLED;
if (audit_set_enabled(audit_default))
-   panic("audit: error setting audit state (%d)\n", audit_default);
+   pr_err("audit: error setting audit state (%d)\n",
+  audit_default);
 
pr_info("%s\n", audit_default ?
"enabled (after initialization)" : "disabled (until reboot)");
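Review bot: the invalid-value branch sets audit_default = AUDIT_ON, which is the right failure mode (a mistyped parameter cannot silently disable auditing), but the pr_err() text does not say so, and an admin who finds the line in dmesg later cannot tell whether audit ended up on or off. Suggest "audit: invalid 'audit' parameter value (%s), auditing enabled\n" and listing the accepted values. Also, "on"/"off" are matched with strcasecmp() while "0"/"1" use strcmp(); pick one so the comment above the function describes the accepted spellings exactly.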
-- 
2.14.3



Re: audit watch rules and docker containers

2018-03-05 Thread Rakesh
Hi Richard,


Thanks for reviewing the email and my apologies for the formatting issue. This 
response corrects that.

I looked at Steve's response (with the embedded link) and have also followed 
your presentation on youtube however I am not clear on the proposed change(s) 
which will allow the mnt space to be shared between the host and the privileged 
container. Is this use case even being considered?
Thanks,
Rakesh




From: Richard Guy Briggs 
To: Rakesh  
Cc: "linux-audit@redhat.com" 
Sent: Sunday, March 4, 2018 11:14 PM
Subject: Re: audit watch rules and docker containers


On 2018-03-03 08:52, Rakesh wrote:
> Hello Auditd'ers,

Hi Rakesh,
(I see, with difficulty, that your output is well-formatted in the HTML
attachment, but that isn't useful.  Please shut off HTML message
formatting and ensure that it looks right in plain text.  Also, please
use "ls -l" so it sorts in a meaningful order for comparison.)

> I am running a privileged container with pid, net, uts space shared with the 
> host. The need is to be able to set file watch rules from the container say 
> -k /etc -p rw -k containter_rule
> and then look for read/write access to files/directories in /var/log/audit/*.
> What I am finding is there are no watch events being logged
> If I set the same audit watch rule from the host (and not being in the 
> privileged container) I am able to get audit events
> Using nsenter to switch namespace (nsenter -t 1 auditctl -k /etc -p rw -k 
> containter_rule) does not help either
> I suspect the mnt namespace is different which is causing this oddity in 
> behavior
> looking at container process namespace -
> test@ubuntu-16:~/audit$ sudo ls -latr /proc/26050/ns
> [sudo] password for test:
> total 0
> dr-xr-xr-x 9 root root 0 Mar  2 16:58 ..
> dr-x--x--x 2 root root 0 Mar  2 17:46 .
> lrwxrwxrwx 1 root root 0 Mar  2 17:46 uts -> uts:[4026531838]
> lrwxrwxrwx 1 root root 0 Mar  2 17:46 user -> user:[4026531837]
> lrwxrwxrwx 1 root root 0 Mar  2 17:46 pid -> pid:[4026531836]
> lrwxrwxrwx 1 root root 0 Mar  2 17:46 net -> net:[4026531957]
> lrwxrwxrwx 1 root root 0 Mar  2 17:46 mnt -> mnt:[4026532517]
> lrwxrwxrwx 1 root root 0 Mar  2 17:46 ipc -> ipc:[4026532518]
> lrwxrwxrwx 1 root root 0 Mar  2 17:46 cgroup -> cgroup:[4026531835]
> looking at init process namespace -
> 
> test@ubuntu-16:~/audit$ sudo ls -latr /proc/1/ns
> total 0
> dr-xr-xr-x 9 root root 0 Mar  2 10:37 ..
> lrwxrwxrwx 1 root root 0 Mar  2 10:38 mnt -> mnt:[4026531840]
> dr-x--x--x 2 root root 0 Mar  2 10:38 .
> lrwxrwxrwx 1 root root 0 Mar  2 16:47 uts -> uts:[4026531838]
> lrwxrwxrwx 1 root root 0 Mar  2 16:47 user -> user:[4026531837]
> lrwxrwxrwx 1 root root 0 Mar  2 16:47 pid -> pid:[4026531836]
> lrwxrwxrwx 1 root root 0 Mar  2 16:47 net -> net:[4026531957]
> lrwxrwxrwx 1 root root 0 Mar  2 16:47 ipc -> ipc:[4026531839]
> lrwxrwxrwx 1 root root 0 Mar  2 16:47 cgroup -> cgroup:[4026531835]

After decoding your jumbled mess of output due to HTML and ls options
choices, the mount namespaces are different, which would completely
explain the problem.

> Can someone please suggest some thoughts on how to make this work?

The pending container support mentioned by Steve is not yet complete and
some more of the coming changes may help with your issue, but start by
understanding that you are examining different filesystems with your
rules above.


> Thanks, Rakesh

- RGB

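The comparison Richard did by hand, checking the container process's ns links against those of PID 1, as an added example in Python (not code from the thread): it parses the two "ls -l /proc/PID/ns" listings quoted above (embedded here as constructed input taken from that output) and reports which namespaces differ; live_namespaces() is a hypothetical helper that reads the same links directly on a running system.

```python
import os
import re
from typing import Dict, List

# Each ns entry of "ls -l /proc/PID/ns" ends in "<name> -> <name>:[<inode>]".
_NS_LINK = re.compile(r"\s(\w+) -> \1:\[(\d+)\]\s*$")

# Constructed from the two listings in the thread (container PID 26050, PID 1).
CONTAINER_LISTING = """\
lrwxrwxrwx 1 root root 0 Mar  2 17:46 uts -> uts:[4026531838]
lrwxrwxrwx 1 root root 0 Mar  2 17:46 user -> user:[4026531837]
lrwxrwxrwx 1 root root 0 Mar  2 17:46 pid -> pid:[4026531836]
lrwxrwxrwx 1 root root 0 Mar  2 17:46 net -> net:[4026531957]
lrwxrwxrwx 1 root root 0 Mar  2 17:46 mnt -> mnt:[4026532517]
lrwxrwxrwx 1 root root 0 Mar  2 17:46 ipc -> ipc:[4026532518]
lrwxrwxrwx 1 root root 0 Mar  2 17:46 cgroup -> cgroup:[4026531835]
"""
INIT_LISTING = """\
total 0
dr-xr-xr-x 9 root root 0 Mar  2 10:37 ..
lrwxrwxrwx 1 root root 0 Mar  2 10:38 mnt -> mnt:[4026531840]
dr-x--x--x 2 root root 0 Mar  2 10:38 .
lrwxrwxrwx 1 root root 0 Mar  2 16:47 uts -> uts:[4026531838]
lrwxrwxrwx 1 root root 0 Mar  2 16:47 user -> user:[4026531837]
lrwxrwxrwx 1 root root 0 Mar  2 16:47 pid -> pid:[4026531836]
lrwxrwxrwx 1 root root 0 Mar  2 16:47 net -> net:[4026531957]
lrwxrwxrwx 1 root root 0 Mar  2 16:47 ipc -> ipc:[4026531839]
lrwxrwxrwx 1 root root 0 Mar  2 16:47 cgroup -> cgroup:[4026531835]
"""


def parse_ns_listing(text: str) -> Dict[str, int]:
    """Map namespace name -> namespace inode from ls -l output.
    Lines that are not ns links ("total 0", ".", "..") are skipped."""
    found: Dict[str, int] = {}
    for line in text.splitlines():
        m = _NS_LINK.search(line)
        if m:
            found[m.group(1)] = int(m.group(2))
    return found


def differing_namespaces(a: Dict[str, int], b: Dict[str, int]) -> List[str]:
    """Names present in both maps whose namespace inodes differ, sorted."""
    return sorted(n for n in a if n in b and a[n] != b[n])


def live_namespaces(pid: int) -> Dict[str, int]:
    """Hypothetical helper for a running system: read the /proc/PID/ns/* links
    directly (root is needed for processes owned by other users)."""
    base = "/proc/%d/ns" % pid
    out: Dict[str, int] = {}
    for name in os.listdir(base):
        target = os.readlink(os.path.join(base, name))  # e.g. "mnt:[4026531840]"
        out[name] = int(target.split("[", 1)[1].rstrip("]"))
    return out


if __name__ == "__main__":
    diff = differing_namespaces(parse_ns_listing(CONTAINER_LISTING),
                                parse_ns_listing(INIT_LISTING))
    # "mnt" in this list is the reason a host path in a watch rule names a
    # different file (different device/inode) inside the container.
    print("namespaces differing from PID 1:", diff)
```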



Re: [PATCH] audit: add containerid support for IMA-audit

2018-03-05 Thread Mimi Zohar
On Mon, 2018-03-05 at 08:50 -0500, Richard Guy Briggs wrote:
> On 2018-03-05 08:43, Mimi Zohar wrote:
> > Hi Richard,
> > 
> > This patch has been compiled, but not runtime tested.
> 
> Ok, great, thank you.  I assume you are offering this patch to be
> included in this patchset?

Yes, thank you.

> I'll have a look to see where it fits in the
> IMA record.  It might be better if it were an AUDIT_CONTAINER_INFO
> auxiliary record, but I'll have a look at the circumstances of the
> event.  Can you suggest a procedure to test it?

Like IMA-measurement and IMA-appraisal, IMA-audit is enabled based on
policy. The example IMA policy, below, includes IMA-audit messages for
files executed. 'cat' the policy to /sys/kernel/security/ima/policy.

/etc/ima/ima-policy:
audit func=BPRM_CHECK

There's a FireEye blog titled "Extending Linux Executable Logging With
The Integrity Measurement Architecture"* that explains how to augment
their existing system security analytics with file hashes.

* https://www.fireeye.com/blog/threat-research/2016/11/extending_linux_exec.html


Mimi

> 
> > ---
> > 
> > If the containerid is defined, include it in the IMA-audit record.
> > 
> > Signed-off-by: Mimi Zohar 
> > ---
> >  security/integrity/ima/ima_api.c | 3 +++
> >  1 file changed, 3 insertions(+)
> > 
> > diff --git a/security/integrity/ima/ima_api.c 
> > b/security/integrity/ima/ima_api.c
> > index 33b4458cdbef..41d29a06f28f 100644
> > --- a/security/integrity/ima/ima_api.c
> > +++ b/security/integrity/ima/ima_api.c
> > @@ -335,6 +335,9 @@ void ima_audit_measurement(struct integrity_iint_cache 
> > *iint,
> > audit_log_untrustedstring(ab, algo_hash);
> >  
> > audit_log_task_info(ab, current);
> > +   if (audit_containerid_set(current))
> > +   audit_log_format(ab, " contid=%llu",
> > +audit_get_containerid(current));
> > audit_log_end(ab);
> >  
> > iint->flags |= IMA_AUDITED;
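Review bot: the "contid" key name chosen here is what ausearch/auparse will have to match, so it needs to be the same in every record the container-id patchset emits and should be added to the userspace field parsers in the same series (the auditctl RFC in this thread adds a "containerid" filter but notes that ausearch support is still missing); a mismatch between "contid" in records and "containerid" in rules will confuse users searching by the field name they used in the rule.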
> > -- 
> > 2.7.5
> > 
> 
> - RGB
> 
> --
> Richard Guy Briggs 
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
> 


Re: [PATCH] audit: add containerid support for IMA-audit

2018-03-05 Thread Richard Guy Briggs
On 2018-03-05 08:43, Mimi Zohar wrote:
> Hi Richard,
> 
> This patch has been compiled, but not runtime tested.

Ok, great, thank you.  I assume you are offering this patch to be
included in this patchset?  I'll have a look to see where it fits in the
IMA record.  It might be better if it were an AUDIT_CONTAINER_INFO
auxiliary record, but I'll have a look at the circumstances of the
event.  Can you suggest a procedure to test it?

> ---
> 
> If the containerid is defined, include it in the IMA-audit record.
> 
> Signed-off-by: Mimi Zohar 
> ---
>  security/integrity/ima/ima_api.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/security/integrity/ima/ima_api.c 
> b/security/integrity/ima/ima_api.c
> index 33b4458cdbef..41d29a06f28f 100644
> --- a/security/integrity/ima/ima_api.c
> +++ b/security/integrity/ima/ima_api.c
> @@ -335,6 +335,9 @@ void ima_audit_measurement(struct integrity_iint_cache 
> *iint,
>   audit_log_untrustedstring(ab, algo_hash);
>  
>   audit_log_task_info(ab, current);
> + if (audit_containerid_set(current))
> + audit_log_format(ab, " contid=%llu",
> +  audit_get_containerid(current));
>   audit_log_end(ab);
>  
>   iint->flags |= IMA_AUDITED;
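Review bot: appending contid inline here overlaps with the AUDIT_CONTAINER_INFO auxiliary record mentioned above; if ima_audit_measurement() ever runs with an audit context attached, the same event would carry the container id twice. Decide on one of the two mechanisms before merging, and note the choice in the commit message.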
> -- 
> 2.7.5
> 

- RGB




[PATCH] audit: add containerid support for IMA-audit

2018-03-05 Thread Mimi Zohar
Hi Richard,

This patch has been compiled, but not runtime tested.

---

If the containerid is defined, include it in the IMA-audit record.

Signed-off-by: Mimi Zohar 
---
 security/integrity/ima/ima_api.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index 33b4458cdbef..41d29a06f28f 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -335,6 +335,9 @@ void ima_audit_measurement(struct integrity_iint_cache 
*iint,
audit_log_untrustedstring(ab, algo_hash);
 
audit_log_task_info(ab, current);
+   if (audit_containerid_set(current))
+   audit_log_format(ab, " contid=%llu",
+audit_get_containerid(current));
audit_log_end(ab);
 
iint->flags |= IMA_AUDITED;
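Review bot: the container id is fetched twice, once through audit_containerid_set(current) and again through audit_get_containerid(current); read it once into a local u64, test it against INVALID_CID the way audit_containerid_set() does, and log the local, which also lets the audit_log_format() call fit on one line. A short comment that the field is only present when an id has been set would help log consumers not treat its absence as an error.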
-- 
2.7.5



Re: [RFC PATCH V1 00/12] audit: implement container id

2018-03-05 Thread Mimi Zohar
On Sun, 2018-03-04 at 22:31 -0500, Richard Guy Briggs wrote:
> On 2018-03-04 16:55, Mimi Zohar wrote:
> > On Thu, 2018-03-01 at 14:41 -0500, Richard Guy Briggs wrote:
> > > Implement audit kernel container ID.
> > > 
> > > This patchset is a preliminary RFC based on the proposal document (V3)
> > > posted:
> > >   https://www.redhat.com/archives/linux-audit/2018-January/msg00014.html
> > > 
> > > The first patch implements the proc fs write to set the audit container
> > > ID of a process, emitting an AUDIT_CONTAINER record.
> > > 
> > > The second implements an auxiliary syscall record AUDIT_CONTAINER_INFO
> > > if a container ID is present on a task.
> > > 
> > > The third adds filtering to the exit, exclude and user lists.
> > > 
> > > The 4th, implements reading the container ID from the proc filesystem
> > > for debugging.  This isn't planned for upstream inclusion.
> > > 
> > > The 5th adds signal and ptrace support.
> > > 
> > > The 6th attempts to create a local audit context to be able to bind a
> > > standalone record with the container ID record.
> > > 
> > > The 7th, 8th, 9th, 10th patches add container ID records to standalone
> > > records.  Some of these may end up being syscall auxiliary records and
> > > won't need this specific support since they'll be supported via
> > > syscalls.
> > > 
> > > The 11th is a temporary workaround due to the AUDIT_CONTAINER records
> > > not showing up as do AUDIT_LOGIN records.  I suspect this is due to its
> > > range (1000 vs 1300), but the intent is to solve it.
> > > 
> > > The 12th adds debug information not intended for upstream for those
> > > brave souls wanting to tinker with it in this early state.
> > > 
> > > Feedback please!
> > 
> > Which tree can this patch set be applied to?
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git next

Thanks, that worked.  In case anyone else is trying to apply these
patches to a 4.16.0-rc based kernel, commit 4e7e3adbba52 ("Expand
various INIT_* macros and remove") moved .sessionid
to init/init_task.c.

Mimi


Re: [RFC PATCH V1 01/12] audit: add container id

2018-03-05 Thread Richard Guy Briggs
On 2018-03-04 10:01, Paul Moore wrote:
> On Sat, Mar 3, 2018 at 4:19 AM, Serge E. Hallyn  wrote:
> > On Thu, Mar 01, 2018 at 02:41:04PM -0500, Richard Guy Briggs wrote:
> > ...
> >> +static inline bool audit_containerid_set(struct task_struct *tsk)
> >
> > Hi Richard,
> >
> > the calls to audit_containerid_set() confused me.  Could you make it
> > is_audit_containerid_set() or audit_containerid_isset()?
> 
> I haven't gone through the entire patchset yet, but I wanted to
> quickly comment on this ... I really dislike the
> function-names-as-sentences approach and would would greatly prefer
> audit_containerid_isset().

I'd be ok with this latter if necessary, but the naming mimics the
existing loginuid naming convention.

> >> +{
> >> + return audit_get_containerid(tsk) != INVALID_CID;
> >> +}
> 
> paul moore

- RGB




[RFC PATCH] auditctl: add support for containerid filter

2018-03-05 Thread Richard Guy Briggs
A u64 container identifier has been added to the kernel view of tasks.
This allows container orchestrators to label tasks with a unique
tamperproof identifier that gets inherited by its children to be able to
track the provenance of actions by a container.

Add support to libaudit and auditctl for the containerid field to filter
based on container identifier.  Since it is a u64 and larger than any
other numeric field, send it as a string but do the appropriate
conversions on each end in each direction.

See: https://github.com/linux-audit/audit-userspace/issues/40
See: https://github.com/linux-audit/audit-kernel/issues/32
See: https://github.com/linux-audit/audit-testsuite/issues/64
Signed-off-by: Richard Guy Briggs 
---
Note: This is a userspace patch for the audit utils to support the
kernel RFC patchset, in optimism of kernel support acceptance.
ausearch would also need support added.
---
 docs/auditctl.8|  3 +++
 lib/fieldtab.h |  1 +
 lib/libaudit.c | 36 
 lib/libaudit.h |  7 +++
 src/auditctl-listing.c | 21 +
 5 files changed, 68 insertions(+)

diff --git a/docs/auditctl.8 b/docs/auditctl.8
index 88466de..8bda43d 100644
--- a/docs/auditctl.8
+++ b/docs/auditctl.8
@@ -210,6 +210,9 @@ Parent's Process ID
 .B sessionid
 User's login session ID
 .TP
+.B containerid
+Process' container ID
+.TP
 .B subj_user
 Program's SE Linux User
 .TP
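Review bot: the new entry only says "Process' container ID" while the libaudit.c change below accepts a decimal or hex number, a negative number and the literal "unset"; document the accepted value forms here, since the auditctl man page is where an admin looks them up.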
diff --git a/lib/fieldtab.h b/lib/fieldtab.h
index c425d5b..755800a 100644
--- a/lib/fieldtab.h
+++ b/lib/fieldtab.h
@@ -47,6 +47,7 @@ _S(AUDIT_OBJ_TYPE, "obj_type" )
 _S(AUDIT_OBJ_LEV_LOW,  "obj_lev_low"  )
 _S(AUDIT_OBJ_LEV_HIGH, "obj_lev_high" )
 _S(AUDIT_SESSIONID,"sessionid")
+_S(AUDIT_CONTAINERID,  "containerid"  )
 
 _S(AUDIT_DEVMAJOR, "devmajor" )
 _S(AUDIT_DEVMINOR, "devminor" )
diff --git a/lib/libaudit.c b/lib/libaudit.c
index aa8258c..2e01a22 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -1737,6 +1737,42 @@ int audit_rule_fieldpair_data(struct audit_rule_data 
**rulep, const char *pair,
else if (strcmp(v, "unset") == 0)
rule->values[rule->field_count] = 4294967295;
break;
+   case AUDIT_CONTAINERID: {
+   unsigned long long val;
+
+   if ((audit_get_features() &
+   AUDIT_FEATURE_BITMAP_CONTAINERID_FILTER) == 0)
+   return -EAU_FIELDNOSUPPORT;
+   if (flags != AUDIT_FILTER_EXCLUDE &&
+   flags != AUDIT_FILTER_USER &&
+   flags != AUDIT_FILTER_EXIT)
+   return -EAU_FIELDNOFILTER;
+   if (isdigit((char)*(v))) 
+   val = strtoull(v, NULL, 0);
+   else if (strlen(v) >= 2 && *(v)=='-' && 
+   (isdigit((char)*(v+1 
+   val = strtoll(v, NULL, 0);
+   else if (strcmp(v, "unset") == 0)
+   val = ULLONG_MAX;
+   else
+   return -EAU_FIELDVALNUM;
+   if (errno)
+   return -EAU_FIELDVALNUM;
+   vlen = sizeof(unsigned long long);
+   rule->values[rule->field_count] = vlen;
+   offset = rule->buflen;
+   rule->buflen += vlen;
+   *rulep = realloc(rule, sizeof(*rule) + rule->buflen);
+   if (*rulep == NULL) {
+   free(rule);
+   audit_msg(LOG_ERR, "Cannot realloc memory!\n");
+   return -3;
+   } else {
+   rule = *rulep;
+   }
+   *(unsigned long long*)(&rule->buf[offset]) = val;
+   break;
+   }
case AUDIT_DEVMAJOR...AUDIT_INODE:
case AUDIT_SUCCESS:
if (flags != AUDIT_FILTER_EXIT)
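Review bot: errno is tested after the strtoull()/strtoll() calls but never cleared before them, so a stale errno left by an earlier call in this function makes a valid containerid fail with -EAU_FIELDVALNUM, and the "unset" branch never touches errno at all yet is subject to the same check; set errno = 0 immediately before the conversions and test it only in the numeric branches. Two smaller points: the store `*(unsigned long long*)(&rule->buf[offset]) = val;` writes 8 bytes into a char buffer at an offset that is not guaranteed to be aligned, so prefer `memcpy(&rule->buf[offset], &val, vlen);`, and the negative-number branch converts with strtoll() into an unsigned val, which deserves a comment saying which negative values are meant to be accepted.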
diff --git a/lib/libaudit.h b/lib/libaudit.h
index b681e8d..542ec62 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -320,6 +320,9 @@ extern "C" {
 #ifndef AUDIT_FEATURE_BITMAP_FILTER_FS
 #define AUDIT_FEATURE_BITMAP_FILTER_FS 0x0040
 #endif
+#ifndef AUDIT_FEATURE_BITMAP_CONTAINERID_FILTER
+#define AUDIT_FEATURE_BITMAP_CONTAINERID_FILTER 0x0080
+#endif
 
 /* Defines for interfield comparison update */
 #ifndef AUDIT_OBJ_UID
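Review bot: the fallback 0x0080 for AUDIT_FEATURE_BITMAP_CONTAINERID_FILTER is only used when the installed kernel headers lack the define, so it must track the bit the kernel RFC finally assigns; a stale fallback would make audit_get_features() report the filter as supported or unsupported on the wrong kernels. Add a comment naming the kernel UAPI header this mirrors and mark the value provisional.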
@@ -343,6 +346,10 @@ extern "C" {
 #define AUDIT_FSTYPE 26
 #endif
 
+#ifndef AUDIT_CONTAINERID
+#define AUDIT_CONTAINERID 27
+#endif
+
 #ifndef AUDIT_COMPARE_UID_TO_OBJ_UID
 #define AUDIT_COMPARE_UID_TO_OBJ_UID   1
 #endif
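Review bot: same concern as for the feature bit: AUDIT_CONTAINERID 27 is the field number the kernel filter code has to agree on, and it sits directly after AUDIT_FSTYPE 26, so it will collide with any other field the kernel assigns first; a comment that the number is provisional until the kernel patchset lands would save a silent mismatch later.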
diff --git a/src/auditctl-listing.c b/src/auditctl-listing.c
index f670ff9.