Message-Id: <1568856472-10173-13-git-send-email-rgb@redhat.com>
Date:   Wed, 18 Sep 2019 21:27:52 -0400
From:   Richard Guy Briggs <rgb@...hat.com>
To:     containers@...ts.linux-foundation.org,
        Linux-Audit Mailing List <linux-audit@...hat.com>,
        LKML <linux-kernel@...r.kernel.org>
Cc:     eparis@...isplace.org, Steve Grubb <sgrubb@...hat.com>,
        omosnace@...hat.com, Paul Moore <paul@...l-moore.com>,
        nhorman@...hat.com, dwalsh@...hat.com, mpatel@...hat.com,
        Richard Guy Briggs <rgb@...hat.com>
Subject: [PATCH ghau51/ghau40 v7 12/12] libaudit: add support to get and set capcontid on a task

Add support to be able to set a capability to allow a task to set the
audit container identifier of descendants.

See: https://github.com/linux-audit/audit-userspace/issues/51
See: https://github.com/linux-audit/audit-kernel/issues/90
See: https://github.com/linux-audit/audit-testsuite/issues/64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID

Add the audit_get_capcontid() and audit_set_capcontid() calls analogous
to CAP_AUDIT_CONTROL for descendant user namespaces.

Signed-off-by: Richard Guy Briggs <rgb@...hat.com>
---
 docs/Makefile.am  |  1 +
 lib/libaudit.c    | 85 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 lib/libaudit.h    | 14 +++++++++
 lib/msg_typetab.h |  2 ++
 lib/netlink.c     |  4 +++
 5 files changed, 106 insertions(+)

diff --git a/docs/Makefile.am b/docs/Makefile.am
index 821182315806..8b0e5c2c3730 100644
--- a/docs/Makefile.am
+++ b/docs/Makefile.am
@@ -29,6 +29,7 @@ auditd.conf.5 auditd-plugins.5 \
 audit_delete_rule_data.3 audit_detect_machine.3 \
 audit_encode_nv_string.3 audit_getloginuid.3 \
 audit_get_reply.3 audit_get_session.3 audit_get_containerid.3 audit_set_containerid.3 \
+audit_get_capcontid.3 audit_set_capcontid.3 \
 audit_log_acct_message.3 audit_log_user_avc_message.3 \
 audit_log_user_command.3 audit_log_user_comm_message.3 \
 audit_log_user_message.3 audit_log_semanage_message.3 \
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 62e1a2a64ee5..08998610c66a 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -1026,6 +1026,91 @@ uint32_t audit_get_session(void)
 }
 
 /*
+ * This function will retrieve the capability container identifier or -2 if
+ * there is an error.
+ */
+uint32_t audit_get_capcontid(pid_t pid)
+{
+        if ((audit_get_features() & AUDIT_FEATURE_BITMAP_CONTAINERID) == 0) {
+		return -2;
+	} else {
+                struct audit_reply rep;
+                int i;
+                int timeout = 40; /* tenths of seconds */
+                struct pollfd pfd[1];
+                int fd = audit_open();
+		struct audit_capcontid_status cs;
+                int rc;
+
+		if (fd < 0) {
+                        audit_msg(audit_priority(errno), "Error openning get capcontid req (%s)", strerror(-rc));
+			return -2;
+		}
+		cs.pid = pid;
+                rc = audit_send(fd, AUDIT_GET_CONTID, &cs, sizeof(cs));
+                if (rc < 0 && rc != -EINVAL) {
+			audit_close(fd);
+                        audit_msg(audit_priority(errno), "Error sending set capcontid req (%s)", strerror(-rc));
+                        return -2;
+                }
+                pfd[0].fd = fd;
+                pfd[0].events = POLLIN;
+
+                for (i = 0; i < timeout; i++) {
+                        do {
+                                rc = poll(pfd, 1, 100);
+                        } while (rc < 0 && errno == EINTR);
+                        rc = audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING,0); 
+                        if (rc > 0) {
+                                /* If we get done or error, break out */
+                                if (rep.type == NLMSG_DONE ||
+                                        rep.type == NLMSG_ERROR)
+                                        break;
+
+                                /* If its not get_contid, keep looping */
+                                if (rep.type != AUDIT_GET_CAPCONTID)
+                                        continue;
+
+                                /* Found it... */
+				audit_close(fd);
+				if (rep.capcontid->pid == pid)
+                                	return rep.capcontid->cap;
+				else
+					return -2;
+			}
+		}
+		audit_close(fd);
+		return -2;
+	}
+}
+
+/*
+ * This function returns 0 on success and 1 on failure
+ */
+int audit_set_capcontid(pid_t pid, uint32_t capcontid)
+{
+        if ((audit_get_features() & AUDIT_FEATURE_BITMAP_CONTAINERID) == 0) {
+		return -2;
+	} else {
+		int rc;
+		int seq;
+                int fd = audit_open();
+		struct audit_capcontid_status cs = { pid, capcontid };
+
+		if (fd < 0) {
+                        audit_msg(audit_priority(errno), "Error openning set capcontid req (%s)", strerror(-rc));
+			return 1;
+		}
+		rc = audit_send(fd, AUDIT_SET_CAPCONTID, &cs, sizeof(cs));
+		if (rc < 0) {
+			audit_msg(audit_priority(errno), "Error sending set capcontid request (%s)", strerror(-rc));
+			return 1;
+		}
+		return 0;
+	}
+}
+
+/*
  * This function will retrieve the audit container identifier or -2 if
  * there is an error.
  */
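Review bot: audit_get_capcontid() sends its request with the wrong message type — `rc = audit_send(fd, AUDIT_GET_CONTID, &cs, sizeof(cs));` — while the reply loop only accepts `rep.type == AUDIT_GET_CAPCONTID`, so a matching answer can never arrive and the call spins through the 40-poll timeout before returning -2; the send should use `AUDIT_SET_CAPCONTID`'s sibling `AUDIT_GET_CAPCONTID`, and the error text on that path (`"Error sending set capcontid req"`) belongs to the setter. Both `audit_open()` failure branches pass `strerror(-rc)` while `rc` is still uninitialized, which is undefined behaviour; `strerror(errno)` is what the adjacent `audit_priority(errno)` already relies on. audit_set_capcontid() never calls `audit_close(fd)` on either its send-failure path or its success path, leaking one netlink socket per call, whereas the getter closes the descriptor before every return. The header comment on audit_set_capcontid() promises 0 or 1, but the feature-bitmap check returns -2, and because audit_get_capcontid() returns `uint32_t` its -2 sentinel is indistinguishable from a legitimate value of 0xFFFFFFFE — either document that limitation or return a signed type as the comment implies.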
diff --git a/lib/libaudit.h b/lib/libaudit.h
index 717724e8fbbb..8067ef30f427 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -275,6 +275,14 @@ extern "C" {
 #define AUDIT_GET_SESSIONID	1026    /* get current process sessionid */
 #endif
 
+#ifndef AUDIT_GET_CAPCONTID
+#define AUDIT_GET_CAPCONTID	1027    /* get contid of specified pid */
+#endif
+
+#ifndef AUDIT_SET_CAPCONTID
+#define AUDIT_SET_CAPCONTID	1028    /* set contid of specified pid */
+#endif
+
 #ifndef AUDIT_MMAP
 #define AUDIT_MMAP		1323 /* Descriptor and flags in mmap */
 #endif
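Review bot: The comments on the two new message-type constants describe the wrong operation: `AUDIT_GET_CAPCONTID` / `AUDIT_SET_CAPCONTID` carry the capability-container id of a pid rather than the contid itself, so `/* get capcontid of specified pid */` and `/* set capcontid of specified pid */` would match the functions that use them. The `struct audit_capcontid_status` added in the next hunk gives no hint what `cap` holds; a one-line field comment would help, though its meaning has to be confirmed against the kernel-side definition, which is not part of this patch.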
@@ -532,6 +540,11 @@ struct audit_message {
 // internal - forward declaration
 struct daemon_conf;
 
+struct audit_capcontid_status {
+	pid_t		pid;
+	uint32_t	cap;
+};
+
 struct audit_cont_status {
 	pid_t		pid;
 	uint64_t	id;
@@ -559,6 +572,7 @@ struct audit_reply {
 #endif
 #ifdef AUDIT_FEATURE_BITMAP_CONTAINERID
 	struct audit_cont_status	*cont;
+	struct audit_capcontid_status	*capcontid;
 #endif
 	};
 };
diff --git a/lib/msg_typetab.h b/lib/msg_typetab.h
index 9f2b137dc7f8..f510e9790ea4 100644
--- a/lib/msg_typetab.h
+++ b/lib/msg_typetab.h
@@ -50,6 +50,8 @@ _S(AUDIT_LOGIN,                      "LOGIN"                         )
 //_S(AUDIT_GET_LOGINUID,               "GET_LOGINUID"                  )
 //_S(AUDIT_SET_LOGINUID,               "SET_LOGINUID"                  )
 //_S(AUDIT_GET_SESSIONID,              "GET_SESSIONID"                 )
+//_S(AUDIT_GET_CAPCONTID,              "GET_CAPCONTID"                 )
+_S(AUDIT_SET_CAPCONTID,              "SET_CAPCONTID"                 )
 _S(AUDIT_CONTAINER_OP,               "CONTAINER_OP"                  )
 _S(AUDIT_USER_AUTH,                  "USER_AUTH"                     )
 _S(AUDIT_USER_ACCT,                  "USER_ACCT"                     )
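Review bot: `_S(AUDIT_SET_CAPCONTID, "SET_CAPCONTID")` is left live while its GET counterpart and every neighbouring GET/SET pair (LOGINUID, SESSIONID) are commented out, which reads as an oversight rather than a decision. If the asymmetry is intentional — presumably because the kernel emits a record for the set operation but not the get — a short comment above the pair saying so would stop the next reader from "fixing" it.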
diff --git a/lib/netlink.c b/lib/netlink.c
index d177b865a79e..d378b32e0ff6 100644
--- a/lib/netlink.c
+++ b/lib/netlink.c
@@ -154,6 +154,7 @@ static int adjust_reply(struct audit_reply *rep, int len)
 #endif
 #ifdef AUDIT_FEATURE_BITMAP_CONTAINERID
 	rep->cont     = NULL;
+	rep->capcontid = NULL;
 #endif
 	if (!NLMSG_OK(rep->nlh, (unsigned int)len)) {
 		if (len == sizeof(rep->msg)) {
@@ -201,6 +202,9 @@ static int adjust_reply(struct audit_reply *rep, int len)
 		case AUDIT_SIGNAL_INFO2:
 			rep->signal_info2 = NLMSG_DATA(rep->nlh);
 			break;
+		case AUDIT_GET_CAPCONTID:
+			rep->capcontid = NLMSG_DATA(rep->nlh);
+			break;
 		case AUDIT_GET_CONTID:
 			rep->cont = NLMSG_DATA(rep->nlh);
 			break;
-- 
1.8.3.1
