lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 12 May 2015 16:02:45 -0400
From:	Richard Guy Briggs <rgb@...hat.com>
To:	linux-audit@...hat.com, linux-kernel@...r.kernel.org,
	containers@...ts.linux-foundation.org
Cc:	Richard Guy Briggs <rgb@...hat.com>, sgrubb@...hat.com,
	eparis@...isplace.org, pmoore@...hat.com, arozansk@...hat.com,
	ebiederm@...ssion.com, serge@...lyn.com, zohar@...ux.vnet.ibm.com
Subject: [PATCH V7 08/10] fork: audit on creation of new namespace(s) with clone and unshare

When clone(2) is called to fork a new process or unshare(2) creating one or
more namespaces, audit the event to tie the new pid with the namespace IDs.

Added the macro CLONE_NEW_MASK_ALL to refer to all CLONE_NEW* flags.

Cleaned up check_unshare_flags() to make it more readable using this new macro.

Signed-off-by: Richard Guy Briggs <rgb@...hat.com>
---
 include/uapi/linux/sched.h |    6 ++++++
 kernel/fork.c              |   13 +++++++++----
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/include/uapi/linux/sched.h b/include/uapi/linux/sched.h
index cc89dde..5f03ce9 100644
--- a/include/uapi/linux/sched.h
+++ b/include/uapi/linux/sched.h
@@ -28,6 +28,12 @@
 #define CLONE_NEWUSER		0x10000000	/* New user namespace */
 #define CLONE_NEWPID		0x20000000	/* New pid namespace */
 #define CLONE_NEWNET		0x40000000	/* New network namespace */
+#define CLONE_NEW_MASK_ALL	 (CLONE_NEWNS \
+				| CLONE_NEWUTS \
+				| CLONE_NEWIPC \
+				| CLONE_NEWUSER \
+				| CLONE_NEWPID \
+				| CLONE_NEWNET)	/* mask of all namespace type flags */
 #define CLONE_IO		0x80000000	/* Clone io context */
 
 /*
diff --git a/kernel/fork.c b/kernel/fork.c
index cf65139..c09c5df 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1680,6 +1680,9 @@ long do_fork(unsigned long clone_flags,
 			get_task_struct(p);
 		}
 
+		if (unlikely(clone_flags & CLONE_NEW_MASK_ALL))
+			audit_log_ns_info(p);
+
 		wake_up_new_task(p);
 
 		/* forking complete and child started to run, tell ptracer */
@@ -1802,10 +1805,9 @@ void __init proc_caches_init(void)
  */
 static int check_unshare_flags(unsigned long unshare_flags)
 {
-	if (unshare_flags & ~(CLONE_THREAD|CLONE_FS|CLONE_NEWNS|CLONE_SIGHAND|
-				CLONE_VM|CLONE_FILES|CLONE_SYSVSEM|
-				CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWNET|
-				CLONE_NEWUSER|CLONE_NEWPID))
+	if (unshare_flags & ~(CLONE_THREAD | CLONE_FS | CLONE_SIGHAND |
+				CLONE_VM | CLONE_FILES | CLONE_SYSVSEM |
+				CLONE_NEW_MASK_ALL))
 		return -EINVAL;
 	/*
 	 * Not implemented, but pretend it works if there is nothing to
@@ -1964,6 +1966,9 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
 			commit_creds(new_cred);
 			new_cred = NULL;
 		}
+
+		if (unshare_flags & CLONE_NEW_MASK_ALL)
+			audit_log_ns_info(current);
 	}
 
 bad_unshare_cleanup_cred:
-- 
1.7.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ