Date:   Tue, 24 Jul 2018 10:07:21 -0400
From:   Richard Guy Briggs <rgb@...hat.com>
To:     Paul Moore <paul@...l-moore.com>
Cc:     cgroups@...r.kernel.org, containers@...ts.linux-foundation.org,
        linux-api@...r.kernel.org, linux-audit@...hat.com,
        linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
        netdev@...r.kernel.org, ebiederm@...ssion.com, luto@...nel.org,
        jlayton@...hat.com, carlos@...hat.com, dhowells@...hat.com,
        viro@...iv.linux.org.uk, simo@...hat.com,
        Eric Paris <eparis@...isplace.org>, serge@...lyn.com
Subject: Re: [RFC PATCH ghak90 (was ghak32) V3 05/10] audit: add containerid
 support for tty_audit

On 2018-07-20 18:14, Paul Moore wrote:
> On Wed, Jun 6, 2018 at 1:04 PM Richard Guy Briggs <rgb@...hat.com> wrote:
> > Add audit container identifier auxiliary record to tty logging rule
> > event standalone records.
> >
> > Signed-off-by: Richard Guy Briggs <rgb@...hat.com>
> > ---
> >  drivers/tty/tty_audit.c | 5 ++++-
> >  1 file changed, 4 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c
> > index e30aa6b..66bd850 100644
> > --- a/drivers/tty/tty_audit.c
> > +++ b/drivers/tty/tty_audit.c
> > @@ -66,8 +66,9 @@ static void tty_audit_log(const char *description, dev_t dev,
> >         uid_t uid = from_kuid(&init_user_ns, task_uid(tsk));
> >         uid_t loginuid = from_kuid(&init_user_ns, audit_get_loginuid(tsk));
> >         unsigned int sessionid = audit_get_sessionid(tsk);
> > +       struct audit_context *context = audit_alloc_local();
> 
> We should be using current's audit_context in tty_audit_log().
> Actually, we should probably just get rid of the tsk variable in
> tty_audit_log() and use current directly to make things a bit more
> obvious.

Ok, agreed.  At this point, it is current passed in anyways so no harm
other than efficiency.

> <time passes>
> 
> I did some digging and I have a two year old, half-baked patch that
> cleans up this tsk/current usage as well as a few others.  I just
> rebased it against audit/next and surprisingly it seems to pass a
> basic smoke test (kernel boots and audit-testsuite passes); I'll post
> it to the list as a RFC once I'm done reviewing these patches.

I'll leave this patch the way it is since there should be no difference
and trust this other patch will work its way through the system and
solve that.

> > -       ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_TTY);
> > +       ab = audit_log_start(context, GFP_KERNEL, AUDIT_TTY);
> >         if (ab) {
> >                 char name[sizeof(tsk->comm)];
> >
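
Review bot: the result of audit_alloc_local() in the new declaration is
never checked before it is handed to audit_log_start(). The removed line
passed NULL there, so a failed allocation would presumably degrade to the
old behaviour, but that is not stated anywhere in the hunk. Either test
the pointer and return early, or add a comment saying a NULL context is
acceptable here. Allocating in the declaration also means the context is
set up before it is known whether a record will be emitted at all; moving
the allocation next to the audit_log_start() call would make the lifetime
easier to follow.
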
> > @@ -80,6 +81,8 @@ static void tty_audit_log(const char *description, dev_t dev,
> >                 audit_log_n_hex(ab, data, size);
> >                 audit_log_end(ab);
> >         }
> > +       audit_log_contid(context, "tty", audit_get_contid(tsk));
> > +       audit_free_context(context);
> >  }
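
Review bot: audit_log_contid() is called after the closing brace of the
"if (ab)" block, so the container identifier record is emitted even when
audit_log_start() returned NULL and no AUDIT_TTY record was written. That
leaves an auxiliary record with nothing to attach to. Suggest moving the
call inside the "if (ab)" block, after audit_log_end(ab), and keeping
only audit_free_context(context) unconditional. The call also still
reads the id from tsk via audit_get_contid(tsk); if the function is
switched to current as discussed above, this line needs the same change.
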
> 
> --
> paul moore
> www.paul-moore.com

- RGB

--
Richard Guy Briggs <rgb@...hat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
