[PATCH RFC 7/8] audit: report namespace information along with USER events

Fri Jan 24 06:19:25 UTC 2014

On 13/03/18, Eric W. Biederman wrote:
> Aristeu Rozanski <arozansk at redhat.com> writes:

(Digging up an old thread...)

> > For userspace generated events, include a record with the namespace
> > procfs inode numbers the process belongs to. This allows to track down
> > and filter audit messages by userspace.
> 
> I am not comfortable with using the inode numbers this way.  It does not
> pass the test of can I migrate a container and still have this work
> test.  Any kind of kernel assigned name for namespaces fails that test.

Any kind?  How about if we have a systemwide atomically incremented
serial number assigned every time a namespace is created?  This is close
to what the inode number was except the inode could be in a different
proc device, as pointed out.

> I also don't like that you don't include the procfs device number.  An
> inode number means nothing without knowing which filesystem you are
> referring to.

I'm looking at having everything relative to init_*_ns to start with, so
this isn't a problem initially, but may become so if it isn't the case.

Can anyone point out off-hand how to find that proc device number?
(I'll start looking...)

> It may never happen but I reserve the right to have the inode numbers
> for namespaces to show up differently in different instances of procfs.

So would that serial number idea work better?

> Beyond that I think this usage is possibly buggy by using two audit
> records for one event.

I'm looking at integrating this information into a standard message.

> > Signed-off-by: Aristeu Rozanski <arozansk at redhat.com>
> > ---
> >  include/uapi/linux/audit.h |    1 +
> >  kernel/audit.c             |   51 +++++++++++++++++++++++++++++++++++++++++++-
> >  2 files changed, 51 insertions(+), 1 deletions(-)
> >
> > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> > index 9f096f1..3ec3ccb 100644
> > --- a/include/uapi/linux/audit.h
> > +++ b/include/uapi/linux/audit.h
> > @@ -106,6 +106,7 @@
> >  #define AUDIT_NETFILTER_PKT	1324	/* Packets traversing netfilter chains */
> >  #define AUDIT_NETFILTER_CFG	1325	/* Netfilter chain modifications */
> >  #define AUDIT_SECCOMP		1326	/* Secure Computing event */
> > +#define AUDIT_USER_NAMESPACE	1327	/* Information about process' namespaces */
> >  
> >  #define AUDIT_AVC		1400	/* SE Linux avc denial or grant */
> >  #define AUDIT_SELINUX_ERR	1401	/* Internal SE Linux Errors */
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index 58db117..b17f9c0 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -62,6 +62,11 @@
> >  #include <linux/freezer.h>
> >  #include <linux/tty.h>
> >  #include <linux/pid_namespace.h>
> > +#include <linux/ipc_namespace.h>
> > +#include <linux/mnt_namespace.h>
> > +#include <linux/utsname.h>
> > +#include <linux/user_namespace.h>
> > +#include <net/net_namespace.h>
> >  
> >  #include "audit.h"
> >  
> > @@ -641,6 +646,49 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
> >  	return rc;
> >  }
> >  
> > +#ifdef CONFIG_NAMESPACES
> > +static int audit_log_namespaces(struct task_struct *tsk,
> > +				struct sk_buff *skb)
> > +{
> > +	struct audit_context *ctx = tsk->audit_context;
> > +	struct audit_buffer *ab;
> > +
> > +	if (!audit_enabled)
> > +		return 0;
> > +
> > +	ab = audit_log_start(ctx, GFP_KERNEL, AUDIT_USER_NAMESPACE);
> > +	if (unlikely(!ab))
> > +		return -ENOMEM;
> > +
> > +	audit_log_format(ab, "mnt=%u", mntns_get_inum(tsk));
> > +#ifdef CONFIG_NET_NS
> > +	audit_log_format(ab, " net=%u", netns_get_inum(tsk));
> > +#endif
> > +#ifdef CONFIG_UTS_NS
> > +	audit_log_format(ab, " uts=%u", utsns_get_inum(tsk));
> > +#endif
> > +#ifdef CONFIG_IPC_NS
> > +	audit_log_format(ab, " ipc=%u", ipcns_get_inum(tsk));
> > +#endif
> > +#ifdef CONFIG_PID_NS
> > +	audit_log_format(ab, " pid=%u", pidns_get_inum(tsk));
> > +#endif
> > +#ifdef CONFIG_USER_NS
> > +	audit_log_format(ab, " user=%u", userns_get_inum(tsk));
> > +#endif  
> > +	audit_set_pid(ab, NETLINK_CB(skb).portid);
> > +	audit_log_end(ab);
> > +
> > +	return 0;
> > +}
> > +#else
> > +static inline int audit_log_namespaces(struct task_struct *tsk,
> > +				       struct sk_buff *skb)
> > +{
> > +	return 0;
> > +}
> > +#endif
> > +
> >  static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
> >  {
> >  	u32			seq, sid;
> > @@ -741,7 +789,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
> >  			}
> >  			audit_log_common_recv_msg(&ab, msg_type,
> >  						  loginuid, sessionid, sid,
> > -						  NULL);
> > +						  current->audit_context);
> >  
> >  			if (msg_type != AUDIT_USER_TTY)
> >  				audit_log_format(ab, " msg='%.1024s'",
> > @@ -758,6 +806,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
> >  			}
> >  			audit_set_pid(ab, NETLINK_CB(skb).portid);
> >  			audit_log_end(ab);
> > +			audit_log_namespaces(current, skb);
> >  		}
> >  		break;
> >  	case AUDIT_ADD:
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

- RGB

--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545