[PATCH][RFC] audit: log namespace inode numbers

Richard Guy Briggs rgb at redhat.com
Sat Dec 21 03:32:29 UTC 2013


Log the namespace details of a task.
---

Does anyone have comments on this patch?

I'm looking for guidance on which types of messages should have namespace
information included.  I've included too many, I suspect.

I also wonder if displaying these inode numbers in hexadecimal makes more sense
than decimal, since they are all based around 0xF0000000.  These are all with
reference to the proc filesystem, so a device number should not be necessary to
qualify them.


 include/linux/audit.h |    1 +
 kernel/audit.c        |   29 +++++++++++++++++++++++++++++
 kernel/audit_watch.c  |    1 +
 kernel/auditfilter.c  |    1 +
 kernel/auditsc.c      |    5 +++++
 5 files changed, 37 insertions(+), 0 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 6976219..75fa602 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -92,6 +92,7 @@ extern int audit_classify_arch(int arch);
 struct filename;
 
 extern void audit_log_session_info(struct audit_buffer *ab);
+extern void audit_log_namespace_info(struct audit_buffer *ab, struct task_struct *tsk);
 
 #ifdef CONFIG_AUDITSYSCALL
 /* These are defined in auditsc.c */
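Review bot: The new prototype on the `+` line runs past 80 columns, which checkpatch will flag for kernel headers. Wrapping the parameter list keeps it in line with the neighbouring `audit_log_session_info` declaration: `extern void audit_log_namespace_info(struct audit_buffer *ab,` / `				     struct task_struct *tsk);`. A one-line comment above it saying that the fields it emits are proc inode numbers (as the cover letter explains) would also help readers of the header, since nothing in the name says so.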
diff --git a/kernel/audit.c b/kernel/audit.c
index dc03a30..b4c39a9 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -62,7 +62,15 @@
 #endif
 #include <linux/freezer.h>
 #include <linux/tty.h>
+#include <linux/nsproxy.h>
+#include <linux/utsname.h>
+#include <linux/ipc_namespace.h>
+#include "../fs/mount.h"
+#include <linux/mount.h>
+#include <linux/mnt_namespace.h>
 #include <linux/pid_namespace.h>
+#include <net/net_namespace.h>
+#include <linux/user_namespace.h>
 #include <net/netns/generic.h>
 
 #include "audit.h"
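Review bot: `#include "../fs/mount.h"` pulls a private VFS header into kernel/audit.c, and it appears to be there only so the new helper can read `mnt_ns->proc_inum`. Reaching into fs-internal structures from the audit subsystem couples the two in a way the VFS maintainers are unlikely to accept, and it silently depends on the layout of `struct mnt_namespace` staying stable. A small accessor in fs/namespace.c, declared in linux/mnt_namespace.h, that returns the mount namespace's proc inode number would give audit what it needs without the relative include; the `<linux/mount.h>` include would then be unnecessary too.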
@@ -292,6 +300,7 @@ static int audit_log_config_change(char *function_name, int new, int old,
 		return rc;
 	audit_log_format(ab, "%s=%d old=%d", function_name, new, old);
 	audit_log_session_info(ab);
+	audit_log_namespace_info(ab, current);
 	rc = audit_log_task_context(ab);
 	if (rc)
 		allow_changes = 0; /* Something weird, deny request */
@@ -657,6 +666,7 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type)
 		return rc;
 	audit_log_format(*ab, "pid=%d uid=%u", task_tgid_vnr(current), uid);
 	audit_log_session_info(*ab);
+	audit_log_namespace_info(*ab, current);
 	audit_log_task_context(*ab);
 
 	return rc;
@@ -689,6 +699,7 @@ static void audit_log_feature_change(int which, u32 old_feature, u32 new_feature
 		return;
 
 	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_FEATURE_CHANGE);
+	audit_log_namespace_info(ab, current);
 	audit_log_format(ab, "feature=%s old=%d new=%d old_lock=%d new_lock=%d res=%d",
 			 audit_feature_names[which], !!old_feature, !!new_feature,
 			 !!old_lock, !!new_lock, res);
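Review bot: The inserted `audit_log_namespace_info(ab, current);` runs before the `"feature=%s ..."` format, and that format string has no leading space, so the record will read `... netns=<hex>feature=...` with the last namespace value fused to the next key. Every other field the helper emits starts with a space, so it is written to be appended after something, not placed first. Move the call below the `audit_log_format(ab, "feature=%s ...")` statement (before `audit_log_end`, which is outside this hunk) so the fields stay separated.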
@@ -1621,6 +1632,23 @@ void audit_log_session_info(struct audit_buffer *ab)
 	audit_log_format(ab, " auid=%u ses=%u", auid, sessionid);
 }
 
+void audit_log_namespace_info(struct audit_buffer *ab, struct task_struct *tsk)
+{
+	struct nsproxy *nsproxy;
+
+	rcu_read_lock();
+	audit_log_format(ab, " pidns=%x", task_active_pid_ns(tsk)->proc_inum);
+	nsproxy = task_nsproxy(tsk);
+	if (nsproxy != NULL) {   
+		audit_log_format(ab, " usrns=%x", nsproxy->net_ns->user_ns->proc_inum);
+		audit_log_format(ab, " utsns=%x", nsproxy->uts_ns->proc_inum);
+		audit_log_format(ab, " ipcns=%x", nsproxy->ipc_ns->proc_inum);
+		audit_log_format(ab, " mntns=%x", nsproxy->mnt_ns->proc_inum);
+		audit_log_format(ab, " netns=%x", nsproxy->net_ns->proc_inum);
+	}
+	rcu_read_unlock();      
+}
+
 void audit_log_key(struct audit_buffer *ab, char *key)
 {
 	audit_log_format(ab, " key=");
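Review bot: The `usrns=` value is taken from `nsproxy->net_ns->user_ns`, which is the user namespace that owns the task's network namespace, not the user namespace the task itself is running in; after an `unshare(CLONE_NEWUSER)` without `CLONE_NEWNET` the two differ, and the record would attribute the event to the wrong user namespace. The task's own user namespace lives in its credentials, so something like `audit_log_format(ab, " usrns=%x", task_cred_xxx(tsk, user_ns)->proc_inum);` (if I read the cred helpers right for this tree) is what the field should report, and it also removes the odd dependency of `usrns` on `net_ns` being non-NULL. The function also needs a short header comment stating that every value is the namespace's /proc inode number and that `tsk` is expected to be `current` in all current callers, since nothing else protects a foreign task's pid namespace from going away mid-call. Finally, lines `if (nsproxy != NULL) {` and `rcu_read_unlock();` carry trailing whitespace that checkpatch will reject.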
@@ -1890,6 +1918,7 @@ void audit_log_link_denied(const char *operation, struct path *link)
 		goto out;
 	audit_log_format(ab, "op=%s", operation);
 	audit_log_task_info(ab, current);
+	audit_log_namespace_info(ab, current);
 	audit_log_format(ab, " res=0");
 	audit_log_end(ab);
 
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index 22831c4..2382a3e 100644
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -245,6 +245,7 @@ static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watc
 		audit_log_format(ab, "auid=%u ses=%u op=",
 				 from_kuid(&init_user_ns, audit_get_loginuid(current)),
 				 audit_get_sessionid(current));
+	audit_log_namespace_info(ab, current);
 		audit_log_string(ab, op);
 		audit_log_format(ab, " path=");
 		audit_log_untrustedstring(ab, w->path);
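Review bot: The inserted call sits between the format that ends in `"op="` and the `audit_log_string(ab, op)` that supplies its value, so the record will read `op= pidns=... netns=<hex><op>` with the namespace fields swallowed as the value of `op=` and the real op string glued onto `netns`. The call needs to go after the `audit_log_string(ab, op);` line, where the following `" path="` format already provides the separating space. The new line is also indented one tab while its neighbours sit at two, which suggests it was meant to be inside the same block; the enclosing `if` and the function's start are outside this hunk.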
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 14a78cc..9c4b004 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1014,6 +1014,7 @@ static void audit_log_rule_change(char *action, struct audit_krule *rule, int re
 	if (!ab)
 		return;
 	audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid);
+	audit_log_namespace_info(ab, current);
 	audit_log_task_context(ab);
 	audit_log_format(ab, " op=");
 	audit_log_string(ab, action);
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 10176cd..3c73a3b 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -974,6 +974,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
 	audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
 			 from_kuid(&init_user_ns, auid),
 			 from_kuid(&init_user_ns, uid), sessionid);
+	audit_log_namespace_info(ab, current);
 	if (sid) {
 		if (security_secid_to_secctx(sid, &ctx, &len)) {
 			audit_log_format(ab, " obj=(none)");
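Review bot: This record describes another task (`opid`, `oauid`, `ouid`, `oses` all carry the object prefix), but the inserted line logs the namespaces of `current`, so a reader will naturally take `pidns=`/`netns=` here as belonging to the object pid when they belong to the subject. Either the fields should be derived from the object task and named with the same `o` prefix the rest of the record uses, or the call should be dropped from this record and left to the syscall record that already carries the subject's namespaces. The function signature and the values it is given are outside this hunk, so I cannot tell whether the object task is still reachable at this point.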
@@ -1302,6 +1303,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
 			 context->name_count);
 
 	audit_log_task_info(ab, tsk);
+	audit_log_namespace_info(ab, current);
 	audit_log_key(ab, context->filterkey);
 	audit_log_end(ab);
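Review bot: `audit_log_exit` takes a `tsk` argument and the line above passes it to `audit_log_task_info(ab, tsk)`, but the new call passes `current`, so the exit record would describe one task's identity and another task's namespaces whenever the two differ. The new helper already accepts a `struct task_struct *`, so this should be `audit_log_namespace_info(ab, tsk);`. The start of `audit_log_exit` is outside the hunk, so I cannot see whether `tsk != current` is possible on this path; if it is, the RCU protection inside the helper also needs to be checked against how `tsk` is held here.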
 
@@ -1987,6 +1989,7 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
 			 current->pid, uid,
 			 oldloginuid, loginuid, oldsessionid, sessionid,
 			 !rc);
+	audit_log_namespace_info(ab, current);
 	audit_log_end(ab);
 }
 
@@ -2400,6 +2403,7 @@ void audit_core_dumps(long signr)
 	if (unlikely(!ab))
 		return;
 	audit_log_task(ab);
+	audit_log_namespace_info(ab, current);
 	audit_log_format(ab, " sig=%ld", signr);
 	audit_log_end(ab);
 }
@@ -2412,6 +2416,7 @@ void __audit_seccomp(unsigned long syscall, long signr, int code)
 	if (unlikely(!ab))
 		return;
 	audit_log_task(ab);
+	audit_log_namespace_info(ab, current);
 	audit_log_format(ab, " sig=%ld", signr);
 	audit_log_format(ab, " syscall=%ld", syscall);
 	audit_log_format(ab, " compat=%d", is_compat_task());
-- 
1.7.1



