patch suggested by rgb for fixing auditd logs for clone syscall shows exit code as container namespace pid of child process instead of host namespace

[madz car]

Rgb/Steve,

Appreciate your response on this issue. However, if you would notice the
pid and ppid values in the same log is in the initial namespace, while the
exit code is in a different namespace. Doesnt this make the audit log
inconsistent? How is an application supposed to analyse the logs when a
single log spans multiple namespaces ? How does an application parsing the
logs get to know if its actually a different pid namespace other than
relying on audit to provide consistent information in the log?

I agree it can mess up other system calls, but atleast in this case for
clone, this issue should be fixed somehow. The audit logs having pid and
ppids in different namespace and exit codes in different namespace is just
making the log impossible to parse. Some of these connections(ssh etc) can
be extremely shortlived and as such audit logs are the only way to track
such events which is not possible without fixing this issue.

Shouldnt we use one namespace in the log and as such all pid, ppids and
exit codes should be translated to that namespace for the log ?

Regards,
Madzcar

On Mon, Jan 8, 2018 at 6:23 PM, Richard Guy Briggs <rgb at redhat.com> wrote:

> On 2018-01-05 13:07, Steve Grubb wrote:
> > On Friday, January 5, 2018 6:00:01 AM EST madz car wrote:
> > > Hi Guys,
> > >
> > > Please refer to the issue details at github :
> > > https://github.com/linux-audit/audit-kernel/issues/68
> > >
> > > Here is a patch as suggested by rgb, i can confirm that it works.
> >
> > By hooking this function, doesn't this change the return code for all
> > syscalls?
>
> Yes, you are right, Steve.  This would give bogus return values for all
> other syscalls.
>
> Madzcar, I assume you can confirm that this patch will give incorrect
> results for all other syscalls for the "exit" field.
>
> So, that should be in kernel/fork.c:_do_fork(), or rather, just replace
> the pid_vnr() call with pid_nr().  However, this will mess up all
> callers (clone(2), fork(2), vfork(2) kernel_thread(), do_fork()), who
> expect the return value in the caller's PID namespace, so that won't
> work.  The return value is technically correct for the PID namespace
> from which it was called and reported correctly in the audit record.
>
> Madzcar, the way you are trying to interpret the results from the audit
> record is clever, but not going to work without another way to translate
> that value lifted out of the audit record.
>
> I don't know if there is a userspace tool or call to translate PIDs
> between namespaces.
>
> > -Steve
> >
> > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > > index ecc23e2..9a78ecb 100644
> > > --- a/kernel/auditsc.c
> > > +++ b/kernel/auditsc.c
> > > @@ -1557,6 +1557,11 @@ void __audit_syscall_exit(int success, long
> > > return_code)
> > >  {
> > >         struct task_struct *tsk = current;
> > >         struct audit_context *context;
> > > +
> > > +        rcu_read_lock();
> > > +        return_code = pid_nr(find_vpid((int) return_code));
> > > +        rcu_read_unlock();
> > > +
> > >
> > >         if (success)
> > >                 success = AUDITSC_SUCCESS;
> > >
> > >
> > > Kindly review.
> > >
> > > Regards,
> > > Madzcar
>
> - RGB
>
> --
> Richard Guy Briggs <rgb at redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20180108/2b7a0473/attachment.htm>