[RFC PATCH V1 00/12] audit: implement container id
From: Richard Guy Briggs
Date: Thu Mar 01 2018 - 14:46:30 EST
Implement audit kernel container ID.
This patchset is a preliminary RFC based on the proposal document (V3)
posted:
https://www.redhat.com/archives/linux-audit/2018-January/msg00014.html
The first patch implements the proc fs write to set the audit container
ID of a process, emitting an AUDIT_CONTAINER record.
The second implements an auxiliary syscall record AUDIT_CONTAINER_INFO
if a container ID is present on a task.
The third adds filtering to the exit, exclude and user lists.
The 4th, implements reading the container ID from the proc filesystem
for debugging. This isn't planned for upstream inclusion.
The 5th adds signal and ptrace support.
The 6th attempts to create a local audit context to be able to bind a
standalone record with the container ID record.
The 7th, 8th, 9th, 10th patches add container ID records to standalone
records. Some of these may end up being syscall auxiliary records and
won't need this specific support since they'll be supported via
syscalls.
The 11th is a temporary workaround due to the AUDIT_CONTAINER records
not showing up as do AUDIT_LOGIN records. I suspect this is due to its
range (1000 vs 1300), but the intent is to solve it.
The 12th adds debug information not intended for upstream for those
brave souls wanting to tinker with it in this early state.
Feedback please!
Here's a quick and dirty test script:
echo 123455 > /proc/$$/containerid; echo $?
sleep 4&
child=$!; sleep 1
echo 18446744073709551615 > /proc/$child/containerid; echo $?
echo 123456 > /proc/$child/containerid; echo $?
echo 123457 > /proc/$child/containerid; echo $?
sleep 1
ausearch -ts recent |grep " contid=18446744073709551615"; echo $?
ausearch -ts recent |grep " contid=123456"; echo $?
ausearch -ts recent |grep " contid=123457"; echo $?
echo self:$$ contid:$( cat /proc/$$/containerid)
echo child:$child contid:$( cat /proc/$child/containerid)
containerid=123458
key=tmpcontainerid
auditctl -a exit,always -F dir=/tmp -F perm=wa -F containerid=$containerid -F key=$key || echo failed to add containerid filter rule
bash -c "sleep 1; echo test > /tmp/$key"&
child=$!
echo $containerid > /proc/$child/containerid
sleep 2
rm -f /tmp/$key
ausearch -ts recent -k $key || echo failed to find CONTAINER_INFO record
auditctl -d exit,always -F dir=/tmp -F perm=wa -F containerid=$containerid -F key=$key || echo failed to add containerid filter rule
See:
https://github.com/linux-audit/audit-kernel/issues/32
https://github.com/linux-audit/audit-userspace/issues/40
https://github.com/linux-audit/audit-testsuite/issues/64
Richard Guy Briggs (12):
audit: add container id
audit: log container info of syscalls
audit: add containerid filtering
audit: read container ID of a process
audit: add containerid support for ptrace and signals
audit: add support for non-syscall auxiliary records
audit: add container aux record to watch/tree/mark
audit: add containerid support for tty_audit
audit: add containerid support for config/feature/user records
audit: add containerid support for seccomp and anom_abend records
debug audit: add container id
debug! audit: add container id
drivers/tty/tty_audit.c | 5 +-
fs/proc/base.c | 63 +++++++++++++++++++
include/linux/audit.h | 36 +++++++++++
include/linux/init_task.h | 4 +-
include/linux/sched.h | 1 +
include/uapi/linux/audit.h | 9 ++-
kernel/audit.c | 74 +++++++++++++++++++---
kernel/audit.h | 3 +
kernel/audit_fsnotify.c | 5 +-
kernel/audit_tree.c | 5 +-
kernel/audit_watch.c | 33 +++++-----
kernel/auditfilter.c | 52 ++++++++++++++-
kernel/auditsc.c | 154 +++++++++++++++++++++++++++++++++++++++++++--
13 files changed, 408 insertions(+), 36 deletions(-)
--
1.8.3.1