[PATCH][RFC] audit: log namespace inode numbers
Richard Guy Briggs
rgb at redhat.com
Tue Jan 14 18:59:44 UTC 2014
On 14/01/13, Eric Paris wrote:
> Somehow I managed to lose this patch, but a couple of comments.
>
> Didn't Aris do this back at least as far back as March. Might want to
> ask for his work.
>
> audit_log_context() logs the LSM portion of a process. I don't believe
> this should be added to that function.
Agreed. It seemed convenient at the time to drop it in the start of
that function, but it is misleading in name.
It really belongs in audit_log_task() and/or audit_log_task_info() and
those two functions seem redundant to me.
> What happens if namespaces are compiled out?
Good point. That part needs a rework.
> There's got to be more....
>
> On Sat, 2013-12-21 at 04:01 -0500, William Roberts wrote:
> > I'm doing work now involving namespaces....the necessity is real.
> > I'll take a look early next week.
> >
> > On Dec 20, 2013 10:34 PM, "Richard Guy Briggs" <rgb at redhat.com> wrote:
> > Log the namespace details of a task.
> > ---
> >
> > Does anyone have comments on this patch?
> >
> > I'm looking for guidance on which types of messages should
> > have namespace
> > information included. I've included too many, I suspect.
> >
> > I also wonder if displaying these inode numbers in hexadecimal
> > makes more sense
> > than decimal, since they are all based around 0xF0000000.
> > These are all with
> > reference to the proc filesystem, so a device number should
> > not be necessary to
> > qualify them.
> >
> >
> > include/linux/audit.h | 1 +
> > kernel/audit.c | 29 +++++++++++++++++++++++++++++
> > kernel/audit_watch.c | 1 +
> > kernel/auditfilter.c | 1 +
> > kernel/auditsc.c | 5 +++++
> > 5 files changed, 37 insertions(+), 0 deletions(-)
> >
> > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > index 6976219..75fa602 100644
> > --- a/include/linux/audit.h
> > +++ b/include/linux/audit.h
> > @@ -92,6 +92,7 @@ extern int audit_classify_arch(int arch);
> > struct filename;
> >
> > extern void audit_log_session_info(struct audit_buffer *ab);
> > +extern void audit_log_namespace_info(struct audit_buffer *ab,
> > struct task_struct *tsk);
> >
> > #ifdef CONFIG_AUDITSYSCALL
> > /* These are defined in auditsc.c */
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index dc03a30..b4c39a9 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -62,7 +62,15 @@
> > #endif
> > #include <linux/freezer.h>
> > #include <linux/tty.h>
> > +#include <linux/nsproxy.h>
> > +#include <linux/utsname.h>
> > +#include <linux/ipc_namespace.h>
> > +#include "../fs/mount.h"
> > +#include <linux/mount.h>
> > +#include <linux/mnt_namespace.h>
> > #include <linux/pid_namespace.h>
> > +#include <net/net_namespace.h>
> > +#include <linux/user_namespace.h>
> > #include <net/netns/generic.h>
> >
> > #include "audit.h"
> > @@ -292,6 +300,7 @@ static int audit_log_config_change(char
> > *function_name, int new, int old,
> > return rc;
> > audit_log_format(ab, "%s=%d old=%d", function_name,
> > new, old);
> > audit_log_session_info(ab);
> > + audit_log_namespace_info(ab, current);
> > rc = audit_log_task_context(ab);
> > if (rc)
> > allow_changes = 0; /* Something weird, deny
> > request */
> > @@ -657,6 +666,7 @@ static int
> > audit_log_common_recv_msg(struct audit_buffer **ab, u16
> > msg_type)
> > return rc;
> > audit_log_format(*ab, "pid=%d uid=%u",
> > task_tgid_vnr(current), uid);
> > audit_log_session_info(*ab);
> > + audit_log_namespace_info(*ab, current);
> > audit_log_task_context(*ab);
> >
> > return rc;
> > @@ -689,6 +699,7 @@ static void audit_log_feature_change(int
> > which, u32 old_feature, u32 new_feature
> > return;
> >
> > ab = audit_log_start(NULL, GFP_KERNEL,
> > AUDIT_FEATURE_CHANGE);
> > + audit_log_namespace_info(ab, current);
> > audit_log_format(ab, "feature=%s old=%d new=%d
> > old_lock=%d new_lock=%d res=%d",
> > audit_feature_names[which], !!
> > old_feature, !!new_feature,
> > !!old_lock, !!new_lock, res);
> > @@ -1621,6 +1632,23 @@ void audit_log_session_info(struct
> > audit_buffer *ab)
> > audit_log_format(ab, " auid=%u ses=%u", auid,
> > sessionid);
> > }
> >
> > +void audit_log_namespace_info(struct audit_buffer *ab, struct
> > task_struct *tsk)
> > +{
> > + struct nsproxy *nsproxy;
> > +
> > + rcu_read_lock();
> > + audit_log_format(ab, " pidns=%x",
> > task_active_pid_ns(tsk)->proc_inum);
> > + nsproxy = task_nsproxy(tsk);
> > + if (nsproxy != NULL) {
> > + audit_log_format(ab, " usrns=%x",
> > nsproxy->net_ns->user_ns->proc_inum);
> > + audit_log_format(ab, " utsns=%x",
> > nsproxy->uts_ns->proc_inum);
> > + audit_log_format(ab, " ipcns=%x",
> > nsproxy->ipc_ns->proc_inum);
> > + audit_log_format(ab, " mntns=%x",
> > nsproxy->mnt_ns->proc_inum);
> > + audit_log_format(ab, " netns=%x",
> > nsproxy->net_ns->proc_inum);
> > + }
> > + rcu_read_unlock();
> > +}
> > +
> > void audit_log_key(struct audit_buffer *ab, char *key)
> > {
> > audit_log_format(ab, " key=");
> > @@ -1890,6 +1918,7 @@ void audit_log_link_denied(const char
> > *operation, struct path *link)
> > goto out;
> > audit_log_format(ab, "op=%s", operation);
> > audit_log_task_info(ab, current);
> > + audit_log_namespace_info(ab, current);
> > audit_log_format(ab, " res=0");
> > audit_log_end(ab);
> >
> > diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
> > index 22831c4..2382a3e 100644
> > --- a/kernel/audit_watch.c
> > +++ b/kernel/audit_watch.c
> > @@ -245,6 +245,7 @@ static void
> > audit_watch_log_rule_change(struct audit_krule *r, struct
> > audit_watc
> > audit_log_format(ab, "auid=%u ses=%u op=",
> > from_kuid(&init_user_ns,
> > audit_get_loginuid(current)),
> >
> > audit_get_sessionid(current));
> > + audit_log_namespace_info(ab, current);
> > audit_log_string(ab, op);
> > audit_log_format(ab, " path=");
> > audit_log_untrustedstring(ab, w->path);
> > diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> > index 14a78cc..9c4b004 100644
> > --- a/kernel/auditfilter.c
> > +++ b/kernel/auditfilter.c
> > @@ -1014,6 +1014,7 @@ static void audit_log_rule_change(char
> > *action, struct audit_krule *rule, int re
> > if (!ab)
> > return;
> > audit_log_format(ab, "auid=%u ses=%u" ,loginuid,
> > sessionid);
> > + audit_log_namespace_info(ab, current);
> > audit_log_task_context(ab);
> > audit_log_format(ab, " op=");
> > audit_log_string(ab, action);
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index 10176cd..3c73a3b 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -974,6 +974,7 @@ static int audit_log_pid_context(struct
> > audit_context *context, pid_t pid,
> > audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%
> > d", pid,
> > from_kuid(&init_user_ns, auid),
> > from_kuid(&init_user_ns, uid),
> > sessionid);
> > + audit_log_namespace_info(ab, current);
> > if (sid) {
> > if (security_secid_to_secctx(sid, &ctx, &len))
> > {
> > audit_log_format(ab, " obj=(none)");
> > @@ -1302,6 +1303,7 @@ static void audit_log_exit(struct
> > audit_context *context, struct task_struct *ts
> > context->name_count);
> >
> > audit_log_task_info(ab, tsk);
> > + audit_log_namespace_info(ab, current);
> > audit_log_key(ab, context->filterkey);
> > audit_log_end(ab);
> >
> > @@ -1987,6 +1989,7 @@ static void
> > audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
> > current->pid, uid,
> > oldloginuid, loginuid, oldsessionid,
> > sessionid,
> > !rc);
> > + audit_log_namespace_info(ab, current);
> > audit_log_end(ab);
> > }
> >
> > @@ -2400,6 +2403,7 @@ void audit_core_dumps(long signr)
> > if (unlikely(!ab))
> > return;
> > audit_log_task(ab);
> > + audit_log_namespace_info(ab, current);
> > audit_log_format(ab, " sig=%ld", signr);
> > audit_log_end(ab);
> > }
> > @@ -2412,6 +2416,7 @@ void __audit_seccomp(unsigned long
> > syscall, long signr, int code)
> > if (unlikely(!ab))
> > return;
> > audit_log_task(ab);
> > + audit_log_namespace_info(ab, current);
> > audit_log_format(ab, " sig=%ld", signr);
> > audit_log_format(ab, " syscall=%ld", syscall);
> > audit_log_format(ab, " compat=%d", is_compat_task());
> > --
> > 1.7.1
> >
> > --
> > Linux-audit mailing list
> > Linux-audit at redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
> > --
> > Linux-audit mailing list
> > Linux-audit at redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
>
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
- RGB
--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
More information about the Linux-audit
mailing list