[RFC PATCH V1 10/12] audit: add containerid support for seccomp and anom_abend records

From: Richard Guy Briggs
Date: Thu Mar 01 2018 - 14:47:26 EST


Add container ID information to secure computing and abnormal end
standalone records.

Signed-off-by: Richard Guy Briggs <rgb@xxxxxxxxxx>
---
kernel/auditsc.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 0cbd762..fcee34e 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2569,6 +2569,7 @@ static void audit_log_task(struct audit_buffer *ab)
void audit_core_dumps(long signr)
{
struct audit_buffer *ab;
+ struct audit_context *context = audit_alloc_local();

if (!audit_enabled)
return;
@@ -2576,19 +2577,22 @@ void audit_core_dumps(long signr)
if (signr == SIGQUIT) /* don't care for those */
return;

- ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
+ ab = audit_log_start(context, GFP_KERNEL, AUDIT_ANOM_ABEND);
if (unlikely(!ab))
return;
audit_log_task(ab);
audit_log_format(ab, " sig=%ld res=1", signr);
audit_log_end(ab);
+ audit_log_container_info(context, "abend", audit_get_containerid(current));
+ audit_free_context(context);
}

void __audit_seccomp(unsigned long syscall, long signr, int code)
{
struct audit_buffer *ab;
+ struct audit_context *context = audit_alloc_local();

- ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_SECCOMP);
+ ab = audit_log_start(context, GFP_KERNEL, AUDIT_SECCOMP);
if (unlikely(!ab))
return;
audit_log_task(ab);
@@ -2596,6 +2600,8 @@ void __audit_seccomp(unsigned long syscall, long signr, int code)
signr, syscall_get_arch(), syscall,
in_compat_syscall(), KSTK_EIP(current), code);
audit_log_end(ab);
+ audit_log_container_info(context, "seccomp", audit_get_containerid(current));
+ audit_free_context(context);
}

struct list_head *audit_killed_trees(void)
--
1.8.3.1