| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 4 Mar 2018 22:31:28 -0500
From: Richard Guy Briggs <rgb@...hat.com>
To: Mimi Zohar <zohar@...ux.vnet.ibm.com>
Cc: cgroups@...r.kernel.org, containers@...ts.linux-foundation.org,
linux-api@...r.kernel.org,
Linux-Audit Mailing List <linux-audit@...hat.com>,
linux-fsdevel@...r.kernel.org, LKML <linux-kernel@...r.kernel.org>,
netdev@...r.kernel.org, mszeredi@...hat.com, ebiederm@...ssion.com,
simo@...hat.com, jlayton@...hat.com, carlos@...hat.com,
dhowells@...hat.com, viro@...iv.linux.org.uk, luto@...nel.org,
eparis@...isplace.org, trondmy@...marydata.com, serge@...lyn.com
Subject: Re: [RFC PATCH V1 00/12] audit: implement container id
On 2018-03-04 16:55, Mimi Zohar wrote:
> On Thu, 2018-03-01 at 14:41 -0500, Richard Guy Briggs wrote:
> > Implement audit kernel container ID.
> >
> > This patchset is a preliminary RFC based on the proposal document (V3)
> > posted:
> > https://www.redhat.com/archives/linux-audit/2018-January/msg00014.html
> >
> > The first patch implements the proc fs write to set the audit container
> > ID of a process, emitting an AUDIT_CONTAINER record.
> >
> > The second implements an auxiliary syscall record AUDIT_CONTAINER_INFO
> > if a container ID is present on a task.
> >
> > The third adds filtering to the exit, exclude and user lists.
> >
> > The 4th, implements reading the container ID from the proc filesystem
> > for debugging. This isn't planned for upstream inclusion.
> >
> > The 5th adds signal and ptrace support.
> >
> > The 6th attempts to create a local audit context to be able to bind a
> > standalone record with the container ID record.
> >
> > The 7th, 8th, 9th, 10th patches add container ID records to standalone
> > records. Some of these may end up being syscall auxiliary records and
> > won't need this specific support since they'll be supported via
> > syscalls.
> >
> > The 11th is a temporary workaround due to the AUDIT_CONTAINER records
> > not showing up as do AUDIT_LOGIN records. I suspect this is due to its
> > range (1000 vs 1300), but the intent is to solve it.
> >
> > The 12th adds debug information not intended for upstream for those
> > brave souls wanting to tinker with it in this early state.
> >
> > Feedback please!
>
> Which tree can this patch set be applied to?
git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git next
> Mimi
>
> > Here's a quick and dirty test script:
> > echo 123455 > /proc/$$/containerid; echo $?
> > sleep 4&
> > child=$!; sleep 1
> > echo 18446744073709551615 > /proc/$child/containerid; echo $?
> > echo 123456 > /proc/$child/containerid; echo $?
> > echo 123457 > /proc/$child/containerid; echo $?
> > sleep 1
> > ausearch -ts recent |grep " contid=18446744073709551615"; echo $?
> > ausearch -ts recent |grep " contid=123456"; echo $?
> > ausearch -ts recent |grep " contid=123457"; echo $?
> > echo self:$$ contid:$( cat /proc/$$/containerid)
> > echo child:$child contid:$( cat /proc/$child/containerid)
> >
> > containerid=123458
> > key=tmpcontainerid
> > auditctl -a exit,always -F dir=/tmp -F perm=wa -F containerid=$containerid -F key=$key || echo failed to add containerid filter rule
> > bash -c "sleep 1; echo test > /tmp/$key"&
> > child=$!
> > echo $containerid > /proc/$child/containerid
> > sleep 2
> > rm -f /tmp/$key
> > ausearch -ts recent -k $key || echo failed to find CONTAINER_INFO record
> > auditctl -d exit,always -F dir=/tmp -F perm=wa -F containerid=$containerid -F key=$key || echo failed to add containerid filter rule
> >
> > See:
> > https://github.com/linux-audit/audit-kernel/issues/32
> > https://github.com/linux-audit/audit-userspace/issues/40
> > https://github.com/linux-audit/audit-testsuite/issues/64
> >
> > Richard Guy Briggs (12):
> > audit: add container id
> > audit: log container info of syscalls
> > audit: add containerid filtering
> > audit: read container ID of a process
> > audit: add containerid support for ptrace and signals
> > audit: add support for non-syscall auxiliary records
> > audit: add container aux record to watch/tree/mark
> > audit: add containerid support for tty_audit
> > audit: add containerid support for config/feature/user records
> > audit: add containerid support for seccomp and anom_abend records
> > debug audit: add container id
> > debug! audit: add container id
> >
> > drivers/tty/tty_audit.c | 5 +-
> > fs/proc/base.c | 63 +++++++++++++++++++
> > include/linux/audit.h | 36 +++++++++++
> > include/linux/init_task.h | 4 +-
> > include/linux/sched.h | 1 +
> > include/uapi/linux/audit.h | 9 ++-
> > kernel/audit.c | 74 +++++++++++++++++++---
> > kernel/audit.h | 3 +
> > kernel/audit_fsnotify.c | 5 +-
> > kernel/audit_tree.c | 5 +-
> > kernel/audit_watch.c | 33 +++++-----
> > kernel/auditfilter.c | 52 ++++++++++++++-
> > kernel/auditsc.c | 154 +++++++++++++++++++++++++++++++++++++++++++--
> > 13 files changed, 408 insertions(+), 36 deletions(-)
> >
>
- RGB
--
Richard Guy Briggs <rgb@...hat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
Powered by blists - more mailing lists