[PATCH][RFC] audit: log namespace inode numbers

Eric Paris eparis at redhat.com
Tue Jan 14 03:08:53 UTC 2014


Somehow I managed to lose this patch, but a couple of comments.

Didn't Aris do this at least as far back as March?  Might want to
ask for his work.

audit_log_context() logs the LSM portion of a process.  I don't believe
this should be added to that function.

What happens if namespaces are compiled out?

There's got to be more....

On Sat, 2013-12-21 at 04:01 -0500, William Roberts wrote:
> I'm doing work now involving namespaces....the necessity is real.
> I'll take a look early next week.
> 
> On Dec 20, 2013 10:34 PM, "Richard Guy Briggs" <rgb at redhat.com> wrote:
>         Log the namespace details of a task.
>         ---
>         
>         Does anyone have comments on this patch?
>         
>         I'm looking for guidance on which types of messages should
>         have namespace
>         information included.  I've included too many, I suspect.
>         
>         I also wonder if displaying these inode numbers in hexadecimal
>         makes more sense
>         than decimal, since they are all based around 0xF0000000.
>          These are all with
>         reference to the proc filesystem, so a device number should
>         not be necessary to
>         qualify them.
>         
>         
>          include/linux/audit.h |    1 +
>          kernel/audit.c        |   29 +++++++++++++++++++++++++++++
>          kernel/audit_watch.c  |    1 +
>          kernel/auditfilter.c  |    1 +
>          kernel/auditsc.c      |    5 +++++
>          5 files changed, 37 insertions(+), 0 deletions(-)
>         
>         diff --git a/include/linux/audit.h b/include/linux/audit.h
>         index 6976219..75fa602 100644
>         --- a/include/linux/audit.h
>         +++ b/include/linux/audit.h
>         @@ -92,6 +92,7 @@ extern int audit_classify_arch(int arch);
>          struct filename;
>         
>          extern void audit_log_session_info(struct audit_buffer *ab);
>         +extern void audit_log_namespace_info(struct audit_buffer *ab,
>         struct task_struct *tsk);
>         
>          #ifdef CONFIG_AUDITSYSCALL
>          /* These are defined in auditsc.c */
>         diff --git a/kernel/audit.c b/kernel/audit.c
>         index dc03a30..b4c39a9 100644
>         --- a/kernel/audit.c
>         +++ b/kernel/audit.c
>         @@ -62,7 +62,15 @@
>          #endif
>          #include <linux/freezer.h>
>          #include <linux/tty.h>
>         +#include <linux/nsproxy.h>
>         +#include <linux/utsname.h>
>         +#include <linux/ipc_namespace.h>
>         +#include "../fs/mount.h"
>         +#include <linux/mount.h>
>         +#include <linux/mnt_namespace.h>
>          #include <linux/pid_namespace.h>
>         +#include <net/net_namespace.h>
>         +#include <linux/user_namespace.h>
>          #include <net/netns/generic.h>
>         
>          #include "audit.h"
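Review bot: `#include "../fs/mount.h"` reaches into an fs-internal header from kernel/audit.c purely so the new helper further down can read `mnt_ns->proc_inum`; as far as I know that header is meant to stay private to fs/ (nothing outside fs/ includes it today), and a relative-path include is the usual sign of that boundary being crossed. A small accessor exported next to the mnt_namespace code (something like `unsigned int mnt_ns_proc_inum(struct mnt_namespace *ns)`) declared in `<linux/mnt_namespace.h>`, which this hunk already includes, would keep the struct layout private and let this include go away.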
>         @@ -292,6 +300,7 @@ static int audit_log_config_change(char
>         *function_name, int new, int old,
>                         return rc;
>                 audit_log_format(ab, "%s=%d old=%d", function_name,
>         new, old);
>                 audit_log_session_info(ab);
>         +       audit_log_namespace_info(ab, current);
>                 rc = audit_log_task_context(ab);
>                 if (rc)
>                         allow_changes = 0; /* Something weird, deny
>         request */
>         @@ -657,6 +666,7 @@ static int
>         audit_log_common_recv_msg(struct audit_buffer **ab, u16
>         msg_type)
>                         return rc;
>                 audit_log_format(*ab, "pid=%d uid=%u",
>         task_tgid_vnr(current), uid);
>                 audit_log_session_info(*ab);
>         +       audit_log_namespace_info(*ab, current);
>                 audit_log_task_context(*ab);
>         
>                 return rc;
>         @@ -689,6 +699,7 @@ static void audit_log_feature_change(int
>         which, u32 old_feature, u32 new_feature
>                         return;
>         
>                 ab = audit_log_start(NULL, GFP_KERNEL,
>         AUDIT_FEATURE_CHANGE);
>         +       audit_log_namespace_info(ab, current);
>                 audit_log_format(ab, "feature=%s old=%d new=%d
>         old_lock=%d new_lock=%d res=%d",
>                                  audit_feature_names[which], !!
>         old_feature, !!new_feature,
>                                  !!old_lock, !!new_lock, res);
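Review bot: The new `audit_log_namespace_info(ab, current);` is placed before the `audit_log_format(ab, "feature=...")` call, so this record would begin with the helper's leading-space fields (` pidns=... netns=...`) ahead of `feature=`, whereas every other call site in this series appends them after the record's primary fields. Moving the call to just after the `audit_log_format(...)` statement keeps the field order consistent across record types and avoids emitting a record whose text starts with a space. audit_log_feature_change continues outside the hunk.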
>         @@ -1621,6 +1632,23 @@ void audit_log_session_info(struct
>         audit_buffer *ab)
>                 audit_log_format(ab, " auid=%u ses=%u", auid,
>         sessionid);
>          }
>         
>         +void audit_log_namespace_info(struct audit_buffer *ab, struct
>         task_struct *tsk)
>         +{
>         +       struct nsproxy *nsproxy;
>         +
>         +       rcu_read_lock();
>         +       audit_log_format(ab, " pidns=%x",
>         task_active_pid_ns(tsk)->proc_inum);
>         +       nsproxy = task_nsproxy(tsk);
>         +       if (nsproxy != NULL) {
>         +               audit_log_format(ab, " usrns=%x",
>         nsproxy->net_ns->user_ns->proc_inum);
>         +               audit_log_format(ab, " utsns=%x",
>         nsproxy->uts_ns->proc_inum);
>         +               audit_log_format(ab, " ipcns=%x",
>         nsproxy->ipc_ns->proc_inum);
>         +               audit_log_format(ab, " mntns=%x",
>         nsproxy->mnt_ns->proc_inum);
>         +               audit_log_format(ab, " netns=%x",
>         nsproxy->net_ns->proc_inum);
>         +       }
>         +       rcu_read_unlock();
>         +}
>         +
>          void audit_log_key(struct audit_buffer *ab, char *key)
>          {
>                 audit_log_format(ab, " key=");
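Review bot: `usrns=` is read from `nsproxy->net_ns->user_ns->proc_inum`, which is the user namespace that owns the task's network namespace rather than (as far as I recall) the task's own user namespace; the two diverge as soon as a task has unshared or entered one without the other, so the field would mislabel exactly the container setups this is meant to describe. The task's user namespace hangs off its credentials, not nsproxy, so the line belongs outside the `if (nsproxy != NULL)` block as `audit_log_format(ab, " usrns=%x", task_cred_xxx(tsk, user_ns)->proc_inum);` with `<linux/cred.h>` in scope. A short header comment on the function is also warranted, noting that every caller in this series passes `current` and that, as far as I can tell, `task_active_pid_ns()` may return NULL for a task that has already exited, so a future caller passing another task needs to check it.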
>         @@ -1890,6 +1918,7 @@ void audit_log_link_denied(const char
>         *operation, struct path *link)
>                         goto out;
>                 audit_log_format(ab, "op=%s", operation);
>                 audit_log_task_info(ab, current);
>         +       audit_log_namespace_info(ab, current);
>                 audit_log_format(ab, " res=0");
>                 audit_log_end(ab);
>         
>         diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
>         index 22831c4..2382a3e 100644
>         --- a/kernel/audit_watch.c
>         +++ b/kernel/audit_watch.c
>         @@ -245,6 +245,7 @@ static void
>         audit_watch_log_rule_change(struct audit_krule *r, struct
>         audit_watc
>                         audit_log_format(ab, "auid=%u ses=%u op=",
>                                          from_kuid(&init_user_ns,
>         audit_get_loginuid(current)),
>         
>          audit_get_sessionid(current));
>         +       audit_log_namespace_info(ab, current);
>                         audit_log_string(ab, op);
>                         audit_log_format(ab, " path=");
>                         audit_log_untrustedstring(ab, w->path);
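Review bot: The inserted `audit_log_namespace_info(ab, current);` lands between the `audit_log_format(ab, "auid=%u ses=%u op=", ...)` call, whose format string ends in `op=`, and the `audit_log_string(ab, op);` that supplies its value, so the emitted record reads `op= pidns=... netns=...<op>` — the namespace fields become the value of `op=` and the operation name is pushed after them. Move the call to after `audit_log_string(ab, op);` (or before the format call) so `op=` keeps its value and parsers keyed on it keep working. audit_watch_log_rule_change begins before this hunk.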
>         diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
>         index 14a78cc..9c4b004 100644
>         --- a/kernel/auditfilter.c
>         +++ b/kernel/auditfilter.c
>         @@ -1014,6 +1014,7 @@ static void audit_log_rule_change(char
>         *action, struct audit_krule *rule, int re
>                 if (!ab)
>                         return;
>                 audit_log_format(ab, "auid=%u ses=%u" ,loginuid,
>         sessionid);
>         +       audit_log_namespace_info(ab, current);
>                 audit_log_task_context(ab);
>                 audit_log_format(ab, " op=");
>                 audit_log_string(ab, action);
>         diff --git a/kernel/auditsc.c b/kernel/auditsc.c
>         index 10176cd..3c73a3b 100644
>         --- a/kernel/auditsc.c
>         +++ b/kernel/auditsc.c
>         @@ -974,6 +974,7 @@ static int audit_log_pid_context(struct
>         audit_context *context, pid_t pid,
>                 audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%
>         d", pid,
>                                  from_kuid(&init_user_ns, auid),
>                                  from_kuid(&init_user_ns, uid),
>         sessionid);
>         +       audit_log_namespace_info(ab, current);
>                 if (sid) {
>                         if (security_secid_to_secctx(sid, &ctx, &len))
>         {
>                                 audit_log_format(ab, " obj=(none)");
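Review bot: This record describes the signalled target — `opid=`, `oauid=`, `ouid=` and `oses=` all carry the `o` prefix — but the new line logs `current`'s namespaces under the unprefixed `pidns=`/`netns=` keys, so a reader cannot tell whether the fields belong to the sender or the target, and the target's own namespaces are not recorded at all. audit_log_pid_context only receives the target's pid, comm, uids and sid here, so if target namespaces are wanted they would have to be captured alongside those values when the signal is recorded; otherwise this call should be dropped rather than logging the sender's namespaces under a misleading key. The function continues outside the hunk.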
>         @@ -1302,6 +1303,7 @@ static void audit_log_exit(struct
>         audit_context *context, struct task_struct *ts
>                                  context->name_count);
>         
>                 audit_log_task_info(ab, tsk);
>         +       audit_log_namespace_info(ab, current);
>                 audit_log_key(ab, context->filterkey);
>                 audit_log_end(ab);
>         
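Review bot: `audit_log_namespace_info(ab, current);` directly follows `audit_log_task_info(ab, tsk);`, so whenever `tsk != current` the SYSCALL record's namespace fields come from a different task than its pid/uid/comm fields. The helper already takes a task pointer, so this should be `audit_log_namespace_info(ab, tsk);` to keep the record self-consistent. audit_log_exit begins before this hunk.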
>         @@ -1987,6 +1989,7 @@ static void
>         audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid,
>                                  current->pid, uid,
>                                  oldloginuid, loginuid, oldsessionid,
>         sessionid,
>                                  !rc);
>         +       audit_log_namespace_info(ab, current);
>                 audit_log_end(ab);
>          }
>         
>         @@ -2400,6 +2403,7 @@ void audit_core_dumps(long signr)
>                 if (unlikely(!ab))
>                         return;
>                 audit_log_task(ab);
>         +       audit_log_namespace_info(ab, current);
>                 audit_log_format(ab, " sig=%ld", signr);
>                 audit_log_end(ab);
>          }
>         @@ -2412,6 +2416,7 @@ void __audit_seccomp(unsigned long
>         syscall, long signr, int code)
>                 if (unlikely(!ab))
>                         return;
>                 audit_log_task(ab);
>         +       audit_log_namespace_info(ab, current);
>                 audit_log_format(ab, " sig=%ld", signr);
>                 audit_log_format(ab, " syscall=%ld", syscall);
>                 audit_log_format(ab, " compat=%d", is_compat_task());
>         --
>         1.7.1
>         




