Re: [RFC PATCH V1 00/12] audit: implement container id

2018-03-05 Thread Mimi Zohar 
On Sun, 2018-03-04 at 22:31 -0500, Richard Guy Briggs wrote:
> On 2018-03-04 16:55, Mimi Zohar wrote:
> > On Thu, 2018-03-01 at 14:41 -0500, Richard Guy Briggs wrote:
> > > Implement audit kernel container ID.
> > > 
> > > This patchset is a preliminary RFC based on the proposal document (V3)
> > > posted:
> > >   https://www.redhat.com/archives/linux-audit/2018-January/msg00014.html
> > > 
> > > The first patch implements the proc fs write to set the audit container
> > > ID of a process, emitting an AUDIT_CONTAINER record.
> > > 
> > > The second implements an auxiliary syscall record AUDIT_CONTAINER_INFO
> > > if a container ID is present on a task.
> > > 
> > > The third adds filtering to the exit, exclude and user lists.
> > > 
> > > The 4th, implements reading the container ID from the proc filesystem
> > > for debugging.  This isn't planned for upstream inclusion.
> > > 
> > > The 5th adds signal and ptrace support.
> > > 
> > > The 6th attempts to create a local audit context to be able to bind a
> > > standalone record with the container ID record.
> > > 
> > > The 7th, 8th, 9th, 10th patches add container ID records to standalone
> > > records.  Some of these may end up being syscall auxiliary records and
> > > won't need this specific support since they'll be supported via
> > > syscalls.
> > > 
> > > The 11th is a temporary workaround due to the AUDIT_CONTAINER records
> > > not showing up as do AUDIT_LOGIN records.  I suspect this is due to its
> > > range (1000 vs 1300), but the intent is to solve it.
> > > 
> > > The 12th adds debug information not intended for upstream for those
> > > brave souls wanting to tinker with it in this early state.
> > > 
> > > Feedback please!
> > 
> > Which tree can this patch set be applied to?
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git next

Thanks, that worked.  In case anyone else is trying to apply these
patches to a 4.16.0-rc based kernel, commit 4e7e3adbba52 ("Expand
various INIT_* macros and remove") moved .sessionid
to init/init_task.c.

Mimi

Re: [RFC PATCH V1 00/12] audit: implement container id

2018-03-04 Thread Mimi Zohar 
On Thu, 2018-03-01 at 14:41 -0500, Richard Guy Briggs wrote:
> Implement audit kernel container ID.
> 
> This patchset is a preliminary RFC based on the proposal document (V3)
> posted:
>   https://www.redhat.com/archives/linux-audit/2018-January/msg00014.html
> 
> The first patch implements the proc fs write to set the audit container
> ID of a process, emitting an AUDIT_CONTAINER record.
> 
> The second implements an auxiliary syscall record AUDIT_CONTAINER_INFO
> if a container ID is present on a task.
> 
> The third adds filtering to the exit, exclude and user lists.
> 
> The 4th, implements reading the container ID from the proc filesystem
> for debugging.  This isn't planned for upstream inclusion.
> 
> The 5th adds signal and ptrace support.
> 
> The 6th attempts to create a local audit context to be able to bind a
> standalone record with the container ID record.
> 
> The 7th, 8th, 9th, 10th patches add container ID records to standalone
> records.  Some of these may end up being syscall auxiliary records and
> won't need this specific support since they'll be supported via
> syscalls.
> 
> The 11th is a temporary workaround due to the AUDIT_CONTAINER records
> not showing up as do AUDIT_LOGIN records.  I suspect this is due to its
> range (1000 vs 1300), but the intent is to solve it.
> 
> The 12th adds debug information not intended for upstream for those
> brave souls wanting to tinker with it in this early state.
> 
> Feedback please!

Which tree can this patch set be applied to?

Mimi

> Here's a quick and dirty test script:
> echo 123455 > /proc/$$/containerid; echo $?
> sleep 4&  
> child=$!; sleep 1
> echo 18446744073709551615 > /proc/$child/containerid; echo $?
> echo 123456 > /proc/$child/containerid; echo $?
> echo 123457 > /proc/$child/containerid; echo $?
> sleep 1
> ausearch -ts recent |grep " contid=18446744073709551615"; echo $?
> ausearch -ts recent |grep " contid=123456"; echo $?
> ausearch -ts recent |grep " contid=123457"; echo $?
> echo self:$$ contid:$( cat /proc/$$/containerid)
> echo child:$child contid:$( cat /proc/$child/containerid)
> 
> containerid=123458
> key=tmpcontainerid
> auditctl -a exit,always -F dir=/tmp -F perm=wa -F containerid=$containerid -F 
> key=$key || echo failed to add containerid filter rule
> bash -c "sleep 1; echo test > /tmp/$key"&
> child=$!
> echo $containerid > /proc/$child/containerid
> sleep 2
> rm -f /tmp/$key
> ausearch -ts recent -k $key || echo failed to find CONTAINER_INFO record
> auditctl -d exit,always -F dir=/tmp -F perm=wa -F containerid=$containerid -F 
> key=$key || echo failed to add containerid filter rule
> 
> See:
>   https://github.com/linux-audit/audit-kernel/issues/32
>   https://github.com/linux-audit/audit-userspace/issues/40
>   https://github.com/linux-audit/audit-testsuite/issues/64
> 
> Richard Guy Briggs (12):
>   audit: add container id
>   audit: log container info of syscalls
>   audit: add containerid filtering
>   audit: read container ID of a process
>   audit: add containerid support for ptrace and signals
>   audit: add support for non-syscall auxiliary records
>   audit: add container aux record to watch/tree/mark
>   audit: add containerid support for tty_audit
>   audit: add containerid support for config/feature/user records
>   audit: add containerid support for seccomp and anom_abend records
>   debug audit: add container id
>   debug! audit: add container id
> 
>  drivers/tty/tty_audit.c|   5 +-
>  fs/proc/base.c |  63 +++
>  include/linux/audit.h  |  36 +++
>  include/linux/init_task.h  |   4 +-
>  include/linux/sched.h  |   1 +
>  include/uapi/linux/audit.h |   9 ++-
>  kernel/audit.c |  74 +++---
>  kernel/audit.h |   3 +
>  kernel/audit_fsnotify.c|   5 +-
>  kernel/audit_tree.c|   5 +-
>  kernel/audit_watch.c   |  33 +-
>  kernel/auditfilter.c   |  52 ++-
>  kernel/auditsc.c   | 154 
> +++--
>  13 files changed, 408 insertions(+), 36 deletions(-)
>

Re: [PATCH 2/3] security: bpf: Add eBPF LSM hooks and security field to eBPF map

2017-08-31 Thread Mimi Zohar 
On Thu, 2017-08-31 at 13:56 -0700, Chenbo Feng wrote:
> From: Chenbo Feng 
> 
> Introduce a pointer into struct bpf_map to hold the security information
> about the map. The actual security struct varies based on the security
> models implemented. Place the LSM hooks before each of the unrestricted
> eBPF operations, the map_update_elem and map_delete_elem operations are
> checked by security_map_modify. The map_lookup_elem and map_get_next_key
> operations are checked by securtiy_map_read.
> 
> Signed-off-by: Chenbo Feng 
> ---
>  include/linux/bpf.h  |  3 +++
>  kernel/bpf/syscall.c | 28 
>  2 files changed, 31 insertions(+)
> 
> diff --git a/include/linux/bpf.h b/include/linux/bpf.h
> index b69e7a5869ff..ca3e6ff7091d 100644
> --- a/include/linux/bpf.h
> +++ b/include/linux/bpf.h
> @@ -53,6 +53,9 @@ struct bpf_map {
>   struct work_struct work;
>   atomic_t usercnt;
>   struct bpf_map *inner_map_meta;
> +#ifdef CONFIG_SECURITY
> + void *security;
> +#endif
>  };
>  
>  /* function argument constraints */
> diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
> index 045646da97cc..b15580bcf3b1 100644
> --- a/kernel/bpf/syscall.c
> +++ b/kernel/bpf/syscall.c
> @@ -279,6 +279,10 @@ static int map_create(union bpf_attr *attr)
>   if (err)
>   return -EINVAL;
>  
> + err = security_map_create();
> + if (err)
> + return -EACCES;

Any reason not to just return err?

Mimi

> +
>   /* find map type and init map: hashtable vs rbtree vs bloom vs ... */
>   map = find_and_alloc_map(attr);
>   if (IS_ERR(map))
> @@ -291,6 +295,10 @@ static int map_create(union bpf_attr *attr)
>   if (err)
>   goto free_map_nouncharge;
>  
> + err = security_post_create(map);
> + if (err < 0)
> + goto free_map;
> +
>   err = bpf_map_alloc_id(map);
>   if (err)
>   goto free_map;
> @@ -410,6 +418,10 @@ static int map_lookup_elem(union bpf_attr *attr)
>   if (IS_ERR(map))
>   return PTR_ERR(map);
>  
> + err = security_map_read(map);
> + if (err)
> + return -EACCES;
> +
>   key = memdup_user(ukey, map->key_size);
>   if (IS_ERR(key)) {
>   err = PTR_ERR(key);
> @@ -490,6 +502,10 @@ static int map_update_elem(union bpf_attr *attr)
>   if (IS_ERR(map))
>   return PTR_ERR(map);
>  
> + err = security_map_modify(map);
> + if (err)
> + return -EACCES;
> +
>   key = memdup_user(ukey, map->key_size);
>   if (IS_ERR(key)) {
>   err = PTR_ERR(key);
> @@ -573,6 +589,10 @@ static int map_delete_elem(union bpf_attr *attr)
>   if (IS_ERR(map))
>   return PTR_ERR(map);
>  
> + err = security_map_modify(map);
> + if (err)
> + return -EACCES;
> +
>   key = memdup_user(ukey, map->key_size);
>   if (IS_ERR(key)) {
>   err = PTR_ERR(key);
> @@ -616,6 +636,10 @@ static int map_get_next_key(union bpf_attr *attr)
>   if (IS_ERR(map))
>   return PTR_ERR(map);
>  
> + err = security_map_read(map);
> + if (err)
> + return -EACCES;
> +
>   if (ukey) {
>   key = memdup_user(ukey, map->key_size);
>   if (IS_ERR(key)) {
> @@ -935,6 +959,10 @@ static int bpf_prog_load(union bpf_attr *attr)
>   if (CHECK_ATTR(BPF_PROG_LOAD))
>   return -EINVAL;
>  
> + err = security_prog_load();
> + if (err)
> + return -EACCES;
> +
>   if (attr->prog_flags & ~BPF_F_STRICT_ALIGNMENT)
>   return -EINVAL;
>