lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20190919180926.vhpuxv3vzuwjffop@madcap2.tricolour.ca>
Date:   Thu, 19 Sep 2019 14:09:26 -0400
From:   Richard Guy Briggs <rgb@...hat.com>
To:     containers@...ts.linux-foundation.org,
        Linux-Audit Mailing List <linux-audit@...hat.com>,
        LKML <linux-kernel@...r.kernel.org>
Cc:     nhorman@...hat.com, eparis@...isplace.org, mpatel@...hat.com,
        dwalsh@...hat.com
Subject: Re: [PATCH ghau51/ghau40 v7 00/12] add support for audit container
 identifier

On 2019-09-18 21:27, Richard Guy Briggs wrote:
> Add support for audit kernel container identifiers to userspace tools.
> 
> The first and second add new record types.  The third adds filter
> support.  The fourth and 5th start to add search support.
> 
> The 6th is to read the calling process' audit container identifier from
> the /proc filesystem matching the kernel /proc read patch.
> 
> The 7th is to fix signal support and the 8th is to learn the audit
> container identifier of the process that signals the audit daemon.
> 
> The 9th is a touch up to allow the contid field to be interpreted as a
> CSV list.
> 
> The 10th and 11th add audit netlink support for setting and getting
> contid, loginuid and sessionid preparing to deprecate the /proc
> interface.
> 
> The last adds audit library support to allow a process to give
> permission to a container orchestrator in a non-init user namespace via
> audit netlink messages.
> 
> See: https://github.com/linux-audit/audit-userspace/issues/51
> See: https://github.com/linux-audit/audit-userspace/issues/40
> See: https://github.com/linux-audit/audit-kernel/issues/90
> See: https://github.com/linux-audit/audit-kernel/issues/91
> See: https://github.com/linux-audit/audit-testsuite/issues/64
> See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID

Here's my working tree:
        https://github.com/linux-audit/audit-userspace/compare/master...rgbriggs:ghau40-containerid-filter.v7.0
And a test rpms:
        http://people.redhat.com/~rbriggs/ghak90/git-247fe71

> Changelog:
> v7
> - rebase on ghau90 and touchup
> - rebase on ghak10 support (change AUDIT_CONTAINER_ID to 1334)
> - render type contid as a CSV
> - switch from /proc to audit netlink to set/get contid, auid/sessionid
> - add support for capcontid
> 
> v6
> - auditd signaller tracking was moved to a new AUDIT_SIGNAL_INFO2
>   request and record
> - swap CONTAINER_OP contid/old-contid to ease parsing
> - add to auparse
> 
> v5
> - updated aux record from AUDIT_CONTAINER to AUDIT_CONTAINER_ID
> - add AUDIT_CONTAINER_ID to normalization
> - rebase on AUDIT_ANOM_LINK and AUDIT_MAC_CALIPSO_ADD
> 
> v4
> - change from AUDIT_CONTAINER_ID to AUDIT_CONTAINER_OP
> - change from AUDIT_FEATURE_BITMAP_CONTAINERID_FILTER to
>   AUDIT_FEATURE_BITMAP_CONTAINERID
> - change from event_container_id to event_contid internally
> - change from container_id to contid and event_container_id to
>   event_contid internally
> - change command line option from --container-id to --contid
> 
> v3
> - change from AUDIT_CONTAINER to AUDIT_CONTAINER_ID
> - change from AUDIT_CONTAINER_INFO to AUDIT_CONTAINER
> - change from AUDIT_CONTAINERID to AUDIT_CONTID
> - update github issue refs
> - add audit_get_containerid
> - change event_container_id default value
> - add --containerid to ausearch options help text
> - update ausearch parser and error codes
> 
> v2
> - rebase on UINT_MAX patch
> - add patches for AUDIT_CONTAINER, AUDIT_CONTAINER_INFO, ausearch,
>   normalization
> 
> Richard Guy Briggs (12):
>   AUDIT_CONTAINER_OP message type basic support
>   AUDIT_CONTAINER_ID message type basic support
>   auditctl: add support for AUDIT_CONTID filter
>   add ausearch containerid support
>   start normalization containerid support
>   libaudit: add support to get the task audit container identifier
>   signal_info: only print context if it is available.
>   add support for audit_signal_info2
>   contid: interpret correctly CONTAINER_ID contid field csv
>   contid: switch from /proc to netlink
>   loginuid/sessionid: switch from /proc to netlink
>   libaudit: add support to get and set capcontid on a task
> 
>  auparse/auditd-config.c          |   1 +
>  auparse/auparse-defs.h           |   3 +-
>  auparse/interpret.c              |  10 +
>  auparse/normalize_record_map.h   |   2 +
>  auparse/typetab.h                |   2 +
>  bindings/python/auparse_python.c |   1 +
>  docs/Makefile.am                 |   3 +-
>  docs/audit_get_containerid.3     |  25 +++
>  docs/audit_request_signal_info.3 |   1 +
>  docs/audit_set_containerid.3     |  24 +++
>  docs/auditctl.8                  |   3 +
>  lib/fieldtab.h                   |   1 +
>  lib/libaudit.c                   | 425 ++++++++++++++++++++++++++++++++-------
>  lib/libaudit.h                   |  73 +++++++
>  lib/msg_typetab.h                |  10 +
>  lib/netlink.c                    |  15 ++
>  src/auditctl-listing.c           |  21 ++
>  src/auditd-config.c              |   1 +
>  src/auditd-config.h              |   1 +
>  src/auditd-event.c               |  28 ++-
>  src/auditd-reconfig.c            |  25 ++-
>  src/auditd.c                     |   3 +-
>  src/aureport-options.c           |   1 +
>  src/ausearch-llist.c             |   2 +
>  src/ausearch-llist.h             |   1 +
>  src/ausearch-match.c             |   3 +
>  src/ausearch-options.c           |  47 ++++-
>  src/ausearch-options.h           |   1 +
>  src/ausearch-parse.c             | 197 ++++++++++++++++++
>  src/ausearch-report.c            |   6 +-
>  30 files changed, 848 insertions(+), 88 deletions(-)
>  create mode 100644 docs/audit_get_containerid.3
>  create mode 100644 docs/audit_set_containerid.3
> 
> -- 
> 1.8.3.1
> 
> --
> Linux-audit mailing list
> Linux-audit@...hat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

- RGB

--
Richard Guy Briggs <rgb@...hat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ