patch suggested by rgb for fixing auditd logs for clone syscall shows exit code as container namespace pid of child process instead of host namespace

Richard Guy Briggs rgb at redhat.com
Mon Jan 8 12:53:08 UTC 2018


On 2018-01-05 13:07, Steve Grubb wrote:
> On Friday, January 5, 2018 6:00:01 AM EST madz car wrote:
> > Hi Guys,
> > 
> > Please refer to the issue details at github :
> > https://github.com/linux-audit/audit-kernel/issues/68
> > 
> > Here is a patch as suggested by rgb, i can confirm that it works.
> 
> By hooking this function, doesn't this change the return code for all 
> syscalls?

Yes, you are right, Steve.  This would give bogus return values for all
other syscalls.

Madzcar, I assume you can confirm that this patch will give incorrect
results for all other syscalls for the "exit" field.

So, that should be in kernel/fork.c:_do_fork(), or rather, just replace
the pid_vnr() call with pid_nr().  However, this will mess up all
callers (clone(2), fork(2), vfork(2), kernel_thread(), do_fork()), who
expect the return value in the caller's PID namespace, so that won't
work.  The return value is technically correct for the PID namespace
from which it was called and reported correctly in the audit record.

Madzcar, the way you are trying to interpret the results from the audit
record is clever, but not going to work without another way to translate
that value lifted out of the audit record.

I don't know if there is a userspace tool or call to translate PIDs
between namespaces.

> -Steve
> 
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index ecc23e2..9a78ecb 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -1557,6 +1557,11 @@ void __audit_syscall_exit(int success, long
> > return_code)
> >  {
> >         struct task_struct *tsk = current;
> >         struct audit_context *context;
> > +
> > +        rcu_read_lock();
> > +        return_code = pid_nr(find_vpid((int) return_code));
> > +        rcu_read_unlock();
> > +
> > 
> >         if (success)
> >                 success = AUDITSC_SUCCESS;
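Review bot: the added lines rewrite return_code for every syscall that reaches __audit_syscall_exit(), not only clone(2)/fork(2)/vfork(2), and they do so unconditionally, before success is even normalised. For any return value that is not a live PID in the caller's namespace (an errno, a file descriptor, a byte count from read(2)), find_vpid() returns NULL and pid_nr(NULL) returns 0, so the record's exit field would silently read 0 for most syscalls, while a small positive return that happens to coincide with a PID in the caller's namespace would be rewritten to an unrelated initial-namespace PID. If this approach is kept at all, the lookup has to be gated on the syscall number and on success, and that gate cannot go where the lines are now, because context is still unassigned at that point in the function; the cast of a long return value to int should also go, since a negative errno cast to int and passed to find_vpid() is just a guaranteed miss dressed up as a lookup. Style: the new lines are indented with spaces where the surrounding file uses tabs.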
> > 
> > 
> > Kindly review.
> > 
> > Regards,
> > Madzcar

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
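On the question of translating the recorded PID from userspace: the following is an added example, not code from this thread or from the audit project. It assumes a Linux 4.1 or later kernel, which exposes an "NSpid:" line in /proc/<pid>/status listing a task's PID in every namespace from the reader's down to its own, and it assumes that the pid= field of the audit SYSCALL record is the clone(2) caller's PID as seen from the initial namespace. Given that caller PID and the exit= value (the child's PID in the caller's namespace), it works out the caller's namespace depth from its own NSpid vector, then looks for a task whose PPid is the caller and whose NSpid entry at that depth is the recorded value. All function names and the sample status text are constructed for the example.

```c
/* Added example (not from the thread): translate the PID that clone(2)
 * returned inside a PID namespace, as recorded in the audit "exit=" field,
 * back to an initial-namespace PID. Assumes Linux >= 4.1 ("NSpid:" line in
 * /proc/<pid>/status) and that the SYSCALL record's "pid=" field is the
 * caller's PID as seen from the initial namespace. */
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NS_LEVELS 32

/* "NSpid:\t4711\t7" lists the task's PID per namespace, reader's first.
 * Returns the number of entries parsed, or -1 if not an NSpid line. */
int parse_nspid_line(const char *line, int *pids, int max)
{
    if (strncmp(line, "NSpid:", 6) != 0)
        return -1;
    const char *p = line + 6;
    int n = 0;
    for (;;) {
        while (*p == ' ' || *p == '\t')
            p++;
        if (!isdigit((unsigned char)*p))
            break;
        if (n == max)
            return -1;
        char *end;
        pids[n++] = (int)strtol(p, &end, 10);
        p = end;
    }
    return n;
}

/* Extract PPid and the NSpid vector from the text of /proc/<pid>/status.
 * Returns the NSpid entry count, or -1 if PPid or NSpid is missing. */
int parse_status(const char *status, int *ppid, int *pids, int max)
{
    int n = -1, have_ppid = 0;
    const char *line = status;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[256];
        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (strncmp(buf, "PPid:", 5) == 0) {
            *ppid = atoi(buf + 5);   /* atoi skips the leading tab */
            have_ppid = 1;
        } else if (strncmp(buf, "NSpid:", 6) == 0) {
            n = parse_nspid_line(buf, pids, max);
        }
        if (!nl)
            break;
        line = nl + 1;
    }
    return have_ppid ? n : -1;
}

/* Does this status text describe a child of caller_hostpid whose PID at
 * namespace depth `level` is vpid? Returns its initial-namespace PID or -1. */
int match_child(const char *status, int caller_hostpid, int level, int vpid)
{
    int ppid, pids[MAX_NS_LEVELS];
    int n = parse_status(status, &ppid, pids, MAX_NS_LEVELS);
    if (n <= level || ppid != caller_hostpid || pids[level] != vpid)
        return -1;
    return pids[0];
}

static int read_status(int pid, char *buf, size_t size)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/status", pid);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t got = fread(buf, 1, size - 1, f);
    fclose(f);
    buf[got] = '\0';
    return 0;
}

/* Caller's namespace depth: read from the initial namespace, its NSpid
 * vector has depth + 1 entries (a host process has exactly one). */
int caller_ns_level(int caller_hostpid)
{
    char buf[4096];
    int ppid, pids[MAX_NS_LEVELS];
    if (read_status(caller_hostpid, buf, sizeof buf) != 0)
        return -1;
    int n = parse_status(buf, &ppid, pids, MAX_NS_LEVELS);
    return n > 0 ? n - 1 : -1;
}

/* Scan /proc for the child. Inherently racy: since the record was written
 * the child may have exited and its PID been reused, or it may have been
 * reparented; treat a miss as "unknown", not as proof it never existed. */
int vpid_to_hostpid(int caller_hostpid, int vpid)
{
    int level = caller_ns_level(caller_hostpid);
    if (level < 0)
        return -1;
    DIR *d = opendir("/proc");
    if (!d)
        return -1;
    int result = -1;
    struct dirent *e;
    while (result < 0 && (e = readdir(d)) != NULL) {
        if (!isdigit((unsigned char)e->d_name[0]))
            continue;
        char buf[4096];
        if (read_status(atoi(e->d_name), buf, sizeof buf) == 0)
            result = match_child(buf, caller_hostpid, level, vpid);
    }
    closedir(d);
    return result;
}

/* Constructed sample: host PID 4711 is PID 7 inside a container one
 * namespace deep, and a child of host PID 4242 (the clone(2) caller). */
const char SAMPLE_CHILD_STATUS[] =
    "Name:\tsh\n"
    "Pid:\t4711\n"
    "PPid:\t4242\n"
    "NSpid:\t4711\t7\n";

int main(int argc, char **argv)
{
    if (argc == 3) {   /* usage: prog <pid= from record> <exit= from record> */
        int host = vpid_to_hostpid(atoi(argv[1]), atoi(argv[2]));
        printf("exit=%s from pid=%s is host pid %d\n", argv[2], argv[1], host);
        return host < 0;
    }
    /* No arguments: run the matching logic on the constructed sample. */
    printf("sample: host pid %d\n", match_child(SAMPLE_CHILD_STATUS, 4242, 1, 7));
    return 0;
}
```

The PPid check is what keeps two containers that both have a PID 7 from being confused with each other; without it, matching on NSpid depth alone is ambiguous. The lookup is still only as good as the moment it runs, which is the point of the thread: the kernel record carries the value in the caller's namespace, and anything that maps it to a host PID afterwards is reconstructing state that may already be gone.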