| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 18 Sep 2019 21:27:48 -0400
From: Richard Guy Briggs <rgb@...hat.com>
To: containers@...ts.linux-foundation.org,
Linux-Audit Mailing List <linux-audit@...hat.com>,
LKML <linux-kernel@...r.kernel.org>
Cc: eparis@...isplace.org, Steve Grubb <sgrubb@...hat.com>,
omosnace@...hat.com, Paul Moore <paul@...l-moore.com>,
nhorman@...hat.com, dwalsh@...hat.com, mpatel@...hat.com,
Richard Guy Briggs <rgb@...hat.com>
Subject: [PATCH ghau51/ghau40 v7 08/12] add support for audit_signal_info2
Since a process in a container could potentially signal the audit daemon
(reconfig, terminate, roll log, resume), that audit container identifier
information should be made available to the audit daemon to report the
full provenance of the signal. It is not possible to add it to the
existing audit_signal_info struct without causing a kABI change.
Introduce a new audit message type AUDIT_SIGNAL_INFO2 using a new
audit_sig_info2 struct to be able to transfer this information from
kernel to userspace.
struct audit_sig_info2 {
uid_t uid;
pid_t pid;
uint64_t cid;
char ctx[0];
};
Signed-off-by: Richard Guy Briggs <rgb@...hat.com>
---
auparse/auditd-config.c | 1 +
docs/audit_request_signal_info.3 | 1 +
lib/libaudit.c | 49 +++++++++++++++++++++++++++++++++-------
lib/libaudit.h | 14 ++++++++++++
lib/msg_typetab.h | 1 +
lib/netlink.c | 4 ++++
src/auditd-config.c | 1 +
src/auditd-config.h | 1 +
src/auditd-event.c | 10 +++++++-
src/auditd-reconfig.c | 23 ++++++++++++++-----
src/auditd.c | 3 ++-
11 files changed, 92 insertions(+), 16 deletions(-)
diff --git a/auparse/auditd-config.c b/auparse/auditd-config.c
index 59984b47bd5a..b328f3523c02 100644
--- a/auparse/auditd-config.c
+++ b/auparse/auditd-config.c
@@ -77,6 +77,7 @@ void clear_config(struct daemon_conf *config)
config->sender_uid = 0;
config->sender_pid = 0;
config->sender_ctx = NULL;
+ config->sender_cid = 0;
config->write_logs = 1;
config->log_file = strdup("/var/log/audit/audit.log");
config->log_format = LF_RAW;
diff --git a/docs/audit_request_signal_info.3 b/docs/audit_request_signal_info.3
index b68d7bbefeed..2461940f6622 100644
--- a/docs/audit_request_signal_info.3
+++ b/docs/audit_request_signal_info.3
@@ -14,6 +14,7 @@ audit_request_signal_info requests that the kernel send information about the se
struct audit_sig_info {
uid_t uid;
pid_t pid;
+ uint64_t cid;
char ctx[0];
};
.fi
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 92835a0b35d2..c142a60c52a2 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -25,6 +25,7 @@
#include "config.h"
#include <stdio.h>
#include <stdarg.h>
+#include <stdbool.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
@@ -667,7 +668,11 @@ int audit_request_rules_list_data(int fd)
int audit_request_signal_info(int fd)
{
- int rc = audit_send(fd, AUDIT_SIGNAL_INFO, NULL, 0);
+ int rc;
+ if (audit_get_containerid() == (long long)-2)
+ rc = audit_send(fd, AUDIT_SIGNAL_INFO, NULL, 0);
+ else
+ rc = audit_send(fd, AUDIT_SIGNAL_INFO2, NULL, 0);
if (rc < 0)
audit_msg(LOG_WARNING,
"Error sending signal_info request (%s)",
@@ -675,15 +680,43 @@ int audit_request_signal_info(int fd)
return rc;
}
+bool audit_signal_info_has_ctx(struct audit_reply *rep)
+{
+ if (rep->type == AUDIT_SIGNAL_INFO) {
+ if (rep->len == 24)
+ return true;
+ } else {
+ if(rep->len == 24 + sizeof(uint64_t))
+ return true;
+ }
+ return false;
+}
+
char *audit_format_signal_info(char *buf, int len, char *op, struct audit_reply *rep, char *res)
{
- if (rep->len == 24)
- snprintf(buf, len, "op=%s auid=%u pid=%d res=%s", op,
- rep->signal_info->uid, rep->signal_info->pid, res);
- else
- snprintf(buf, len, "op=%s auid=%u pid=%d subj=%s res=%s",
- op, rep->signal_info->uid, rep->signal_info->pid,
- rep->signal_info->ctx, res);
+ int c = 0;
+ if (rep->type == AUDIT_SIGNAL_INFO) {
+ c += snprintf(buf + c, len - c, "op=%s auid=%u pid=%d",
+ op,
+ rep->signal_info->uid,
+ rep->signal_info->pid);
+ if (audit_signal_info_has_ctx(rep))
+ c += snprintf(buf + c, len - c, " subj=%s",
+ rep->signal_info->ctx);
+ c += snprintf(buf + c, len - c, " res=%s", res);
+ } else {
+ c += snprintf(buf + c, len - c, "op=%s auid=%u pid=%d",
+ op,
+ rep->signal_info2->uid,
+ rep->signal_info2->pid);
+ if (audit_signal_info_has_ctx(rep))
+ c += snprintf(buf + c, len - c, " subj=%s",
+ rep->signal_info2->ctx);
+ c += snprintf(buf + c, len - c, " res=%s", res);
+ if (rep->signal_info2->cid == (uint64_t)-1)
+ c += snprintf(buf + c, len - c, " contid=%llu",
+ rep->signal_info2->cid);
+ }
return buf;
}
diff --git a/lib/libaudit.h b/lib/libaudit.h
index 9ec37a80bada..29e61c876e4c 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -34,6 +34,7 @@ extern "C" {
#include <linux/netlink.h>
#include <linux/audit.h>
#include <stdarg.h>
+#include <stdbool.h>
#include <syslog.h>
@@ -250,6 +251,10 @@ extern "C" {
#define AUDIT_CONTAINER_OP 1020 /* Container creation notice */
#endif
+#ifndef AUDIT_SIGNAL_INFO2
+#define AUDIT_SIGNAL_INFO2 1021 /* auditd signal sender info */
+#endif
+
#ifndef AUDIT_MMAP
#define AUDIT_MMAP 1323 /* Descriptor and flags in mmap */
#endif
@@ -490,6 +495,13 @@ struct audit_sig_info {
char ctx[0];
};
+struct audit_sig_info2 {
+ uid_t uid;
+ pid_t pid;
+ uint64_t cid;
+ char ctx[0];
+};
+
/* defines for audit subsystem */
#define MAX_AUDIT_MESSAGE_LENGTH 8970 // PATH_MAX*2+CONTEXT_SIZE*2+11+256+1
struct audit_message {
@@ -515,6 +527,7 @@ struct audit_reply {
char *message;
struct nlmsgerr *error;
struct audit_sig_info *signal_info;
+ struct audit_sig_info2 *signal_info2;
struct daemon_conf *conf;
#ifdef AUDIT_FEATURE_BITMAP_ALL
struct audit_features *features;
@@ -592,6 +605,7 @@ extern uint32_t audit_get_session(void);
extern uint64_t audit_get_containerid(void);
extern int audit_detect_machine(void);
extern int audit_determine_machine(const char *arch);
+extern bool audit_signal_info_has_ctx(struct audit_reply *rep);
extern char *audit_format_signal_info(char *buf, int len, char *op, struct audit_reply *rep, char *res);
/* Translation functions */
diff --git a/lib/msg_typetab.h b/lib/msg_typetab.h
index 54fca1193a30..6c786933b63e 100644
--- a/lib/msg_typetab.h
+++ b/lib/msg_typetab.h
@@ -44,6 +44,7 @@ _S(AUDIT_LOGIN, "LOGIN" )
//_S(AUDIT_TTY_SET, "TTY_SET" )
//_S(AUDIT_SET_FEATURE, "SET_FEATURE" )
//_S(AUDIT_GET_FEATURE, "GET_FEATURE" )
+//_S(AUDIT_SIGNAL_INFO2, "SIGNAL_INFO2" )
_S(AUDIT_CONTAINER_OP, "CONTAINER_OP" )
_S(AUDIT_USER_AUTH, "USER_AUTH" )
_S(AUDIT_USER_ACCT, "USER_ACCT" )
diff --git a/lib/netlink.c b/lib/netlink.c
index caa963b1ddb2..66a3a3b7e83c 100644
--- a/lib/netlink.c
+++ b/lib/netlink.c
@@ -146,6 +146,7 @@ static int adjust_reply(struct audit_reply *rep, int len)
rep->message = NULL;
rep->error = NULL;
rep->signal_info = NULL;
+ rep->signal_info2 = NULL;
rep->conf = NULL;
#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) && \
defined(HAVE_STRUCT_AUDIT_STATUS_FEATURE_BITMAP)
@@ -194,6 +195,9 @@ static int adjust_reply(struct audit_reply *rep, int len)
case AUDIT_SIGNAL_INFO:
rep->signal_info = NLMSG_DATA(rep->nlh);
break;
+ case AUDIT_SIGNAL_INFO2:
+ rep->signal_info2 = NLMSG_DATA(rep->nlh);
+ break;
}
return len;
}
diff --git a/src/auditd-config.c b/src/auditd-config.c
index ce260de5025a..931bbed22199 100644
--- a/src/auditd-config.c
+++ b/src/auditd-config.c
@@ -307,6 +307,7 @@ void clear_config(struct daemon_conf *config)
config->sender_uid = 0;
config->sender_pid = 0;
config->sender_ctx = NULL;
+ config->sender_cid = 0;
config->write_logs = 1;
config->log_file = strdup("/var/log/audit/audit.log");
config->log_format = LF_ENRICHED;
diff --git a/src/auditd-config.h b/src/auditd-config.h
index 50ed3507d34c..c3f8941713e2 100644
--- a/src/auditd-config.h
+++ b/src/auditd-config.h
@@ -49,6 +49,7 @@ struct daemon_conf
uid_t sender_uid; /* the uid for sender of sighup */
pid_t sender_pid; /* the pid for sender of sighup */
const char *sender_ctx; /* the context for the sender of sighup */
+ uint64_t sender_cid; /* the contid for sender of sighup */
unsigned int write_logs;
const char *log_file;
logging_formats log_format;
diff --git a/src/auditd-event.c b/src/auditd-event.c
index 45f12fb31f01..16a51b24f42f 100644
--- a/src/auditd-event.c
+++ b/src/auditd-event.c
@@ -1321,6 +1321,7 @@ static void reconfigure(struct auditd_event *e)
uid_t uid = nconf->sender_uid;
pid_t pid = nconf->sender_pid;
const char *ctx = nconf->sender_ctx;
+ uint64_t cid = nconf->sender_cid;
struct timeval tv;
char txt[MAX_AUDIT_MESSAGE_LENGTH];
int txt_len;
@@ -1331,8 +1332,11 @@ static void reconfigure(struct auditd_event *e)
txt_len = snprintf(txt, sizeof(txt),
"config change requested by pid=%d auid=%u", pid, uid);
if (ctx)
+ txt_len += snprintf(txt + txt_len, sizeof(txt) - txt_len,
+ " subj=%s", ctx);
+ if (cid != -1)
snprintf(txt + txt_len, sizeof(txt) - txt_len,
- " subj=%s", ctx);
+ " contid=%llu", (unsigned long long)cid);
audit_msg(LOG_NOTICE, "%s", txt);
/* Do the reconfiguring. These are done in a specific
@@ -1590,6 +1594,10 @@ static void reconfigure(struct auditd_event *e)
e->reply.len += snprintf(e->reply.msg.data + e->reply.len,
MAX_AUDIT_MESSAGE_LENGTH-2 - e->reply.len,
" res=success");
+ if (cid != -1)
+ e->reply.len += snprintf(e->reply.msg.data + e->reply.len,
+ MAX_AUDIT_MESSAGE_LENGTH-2 - e->reply.len,
+ "contid=%llu", (unsigned long long)cid);
e->reply.message = e->reply.msg.data;
free((char *)ctx);
}
diff --git a/src/auditd-reconfig.c b/src/auditd-reconfig.c
index 1af402526c4e..5d8e4627ddeb 100644
--- a/src/auditd-reconfig.c
+++ b/src/auditd-reconfig.c
@@ -101,11 +101,23 @@ static void *config_thread_main(void *arg)
if (load_config(&new_config, TEST_AUDITD) == 0) {
/* We will re-use the current reply */
- new_config.sender_uid = e->reply.signal_info->uid;
- new_config.sender_pid = e->reply.signal_info->pid;
- if (e->reply.len > 24)
- new_config.sender_ctx =
- strdup(e->reply.signal_info->ctx);
+ if (e->reply.type == AUDIT_SIGNAL_INFO) {
+ new_config.sender_uid = e->reply.signal_info->uid;
+ new_config.sender_pid = e->reply.signal_info->pid;
+ new_config.sender_cid = (uint64_t)-1;
+ } else {
+ new_config.sender_uid = e->reply.signal_info2->uid;
+ new_config.sender_pid = e->reply.signal_info2->pid;
+ new_config.sender_cid = e->reply.signal_info2->cid;
+ }
+ if (audit_signal_info_has_ctx(&e->reply)) {
+ if (e->reply.type == AUDIT_SIGNAL_INFO)
+ new_config.sender_ctx =
+ strdup(e->reply.signal_info->ctx);
+ else
+ new_config.sender_ctx =
+ strdup(e->reply.signal_info2->ctx);
+ }
memcpy(e->reply.msg.data, &new_config, sizeof(new_config));
e->reply.conf = (struct daemon_conf *)e->reply.msg.data;
e->reply.type = AUDIT_DAEMON_RECONFIG;
@@ -125,4 +137,3 @@ static void *config_thread_main(void *arg)
pthread_mutex_unlock(&config_lock);
return NULL;
}
-
diff --git a/src/auditd.c b/src/auditd.c
index ad8fe54f67b4..e027ac7b5d40 100644
--- a/src/auditd.c
+++ b/src/auditd.c
@@ -514,6 +514,7 @@ static void netlink_handler(struct ev_loop *loop, struct ev_io *io,
case AUDIT_FIRST_DAEMON...AUDIT_LAST_DAEMON:
break;
case AUDIT_SIGNAL_INFO:
+ case AUDIT_SIGNAL_INFO2:
if (hup_info_requested) {
char hup[MAX_AUDIT_MESSAGE_LENGTH];
audit_msg(LOG_DEBUG,
@@ -1075,7 +1076,7 @@ static int get_reply(int fd, struct audit_reply *rep, int seq)
continue;
/* If its not what we are expecting, keep looping */
- if (rep->type == AUDIT_SIGNAL_INFO)
+ if (rep->type == AUDIT_SIGNAL_INFO || rep->type == AUDIT_SIGNAL_INFO2)
return 1;
/* If we get done or error, break out */
--
1.8.3.1
Powered by blists - more mailing lists