[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20180530173328.v6e3tm2agze5kdcb@madcap2.tricolour.ca>
Date: Wed, 30 May 2018 13:33:28 -0400
From: Richard Guy Briggs <rgb@...hat.com>
To: Steve Grubb <sgrubb@...hat.com>
Cc: linux-audit@...hat.com, cgroups@...r.kernel.org,
containers@...ts.linux-foundation.org, linux-api@...r.kernel.org,
linux-fsdevel@...r.kernel.org, LKML <linux-kernel@...r.kernel.org>,
netdev@...r.kernel.org, ebiederm@...ssion.com, luto@...nel.org,
jlayton@...hat.com, carlos@...hat.com, dhowells@...hat.com,
viro@...iv.linux.org.uk, simo@...hat.com, eparis@...isplace.org,
serge@...lyn.com
Subject: Re: [RFC PATCH ghak32 V2 00/13] audit: implement container id
On 2018-05-30 09:20, Steve Grubb wrote:
> On Friday, March 16, 2018 5:00:27 AM EDT Richard Guy Briggs wrote:
> > Implement audit kernel container ID.
> >
> > This patchset is a second RFC based on the proposal document (V3)
> > posted:
> > https://www.redhat.com/archives/linux-audit/2018-January/msg00014.html
>
> So, if you work on a container orchestrator, how exactly is this set of
> interfaces to be used and in what order?
It was designed keeping in mind the Virtuallization Manager Guest
Lifecycle Events document.
https://github.com/linux-audit/audit-documentation/wiki/SPEC-Virtualization-Manager-Guest-Lifecycle-Events
The orchestrator would start setting things up and when it knows the PID
of the conainer task but before that task has had a chance to thread or
spawn children it registers the audit container ID via the /proc
interface. After that, it consults audit for any events maching that
ID.
> Thanks,
> -Steve
>
> > The first patch implements the proc fs write to set the audit container
> > ID of a process, emitting an AUDIT_CONTAINER record to announce the
> > registration of that container ID on that process. This patch requires
> > userspace support for record acceptance and proper type display.
> >
> > The second checks for children or co-threads and refuses to set the
> > container ID if either are present. (This policy could be changed to
> > set both with the same container ID provided they meet the rest of the
> > requirements.)
> >
> > The third implements the auxiliary record AUDIT_CONTAINER_INFO if a
> > container ID is identifiable with an event. This patch requires
> > userspace support for proper type display.
> >
> > The fourth adds container ID filtering to the exit, exclude and user
> > lists. This patch requires auditctil userspace support for the
> > --containerid option.
> >
> > The 5th adds signal and ptrace support.
> >
> > The 6th creates a local audit context to be able to bind a standalone
> > record with a locally created auxiliary record.
> >
> > The 7th, 8th, 9th, 10th patches add container ID records to standalone
> > records. Some of these may end up being syscall auxiliary records and
> > won't need this specific support since they'll be supported via
> > syscalls.
> >
> > The 11th adds network namespace container ID labelling based on member
> > tasks' container ID labels.
> >
> > The 12th adds container ID support to standalone netfilter records that
> > don't have a task context and lists each container to which that net
> > namespace belongs.
> >
> > The 13th implements reading the container ID from the proc filesystem
> > for debugging. This patch isn't planned for upstream inclusion.
> >
> > Feedback please!
> >
> > Example: Set a container ID of 123456 to the "sleep" task:
> > sleep 2&
> > child=$!
> > echo 123456 > /proc/$child/containerid; echo $?
> > ausearch -ts recent -m container
> > echo child:$child contid:$( cat /proc/$child/containerid)
> > This should produce a record such as:
> > type=CONTAINER msg=audit(1521122590.315:222): op=set pid=689 uid=0
> > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 auid=0 tty=pts0
> > ses=3 opid=707 old-contid=18446744073709551615 contid=123456 res=1
> >
> > Example: Set a filter on a container ID 123459 on /tmp/tmpcontainerid:
> > containerid=123459
> > key=tmpcontainerid
> > auditctl -a exit,always -F dir=/tmp -F perm=wa -F containerid=$containerid
> > -F key=$key perl -e "sleep 1; open(my \$tmpfile, '>', \"/tmp/$key\");
> > close(\$tmpfile);" & child=$!
> > echo $containerid > /proc/$child/containerid
> > sleep 2
> > ausearch -i -ts recent -k $key
> > auditctl -d exit,always -F dir=/tmp -F perm=wa -F containerid=$containerid
> > -F key=$key rm -f /tmp/$key
> > This should produce an event such as:
> > type=CONTAINER_INFO msg=audit(1521122591.614:227): op=task contid=123459
> > type=PROCTITLE msg=audit(1521122591.614:227):
> > proctitle=7065726C002D6500736C65657020313B206F70656E286D792024746D7066696C
> > 652C20273E272C20222F746D702F746D70636F6E7461696E6572696422293B20636C6F73652
> > 824746D7066696C65293B type=PATH msg=audit(1521122591.614:227): item=1
> > name="/tmp/tmpcontainerid" inode=18427 dev=00:26 mode=0100644 ouid=0
> > ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE
> > cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
> > type=PATH msg=audit(1521122591.614:227): item=0 name="/tmp/" inode=13513
> > dev=00:26 mode=041777 ouid=0 ogid=0 rdev=00:00
> > obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=0000000000000000
> > cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=CWD
> > msg=audit(1521122591.614:227): cwd="/root"
> > type=SYSCALL msg=audit(1521122591.614:227): arch=c000003e syscall=257
> > success=yes exit=3 a0=ffffffffffffff9c a1=55db90a28900 a2=241 a3=1b6
> > items=2 ppid=689 pid=724 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> > sgid=0 fsgid=0 tty=pts0 ses=3 comm="perl" exe="/usr/bin/perl"
> > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > key="tmpcontainerid"
> >
> > See:
> > https://github.com/linux-audit/audit-kernel/issues/32
> > https://github.com/linux-audit/audit-userspace/issues/40
> > https://github.com/linux-audit/audit-testsuite/issues/64
> >
> > Richard Guy Briggs (13):
> > audit: add container id
> > audit: check children and threading before allowing containerid
> > audit: log container info of syscalls
> > audit: add containerid filtering
> > audit: add containerid support for ptrace and signals
> > audit: add support for non-syscall auxiliary records
> > audit: add container aux record to watch/tree/mark
> > audit: add containerid support for tty_audit
> > audit: add containerid support for config/feature/user records
> > audit: add containerid support for seccomp and anom_abend records
> > audit: add support for containerid to network namespaces
> > audit: NETFILTER_PKT: record each container ID associated with a netNS
> > debug audit: read container ID of a process
> >
> > drivers/tty/tty_audit.c | 5 +-
> > fs/proc/base.c | 53 ++++++++++++++++
> > include/linux/audit.h | 43 +++++++++++++
> > include/linux/init_task.h | 4 +-
> > include/linux/sched.h | 1 +
> > include/net/net_namespace.h | 12 ++++
> > include/uapi/linux/audit.h | 8 ++-
> > kernel/audit.c | 75 ++++++++++++++++++++---
> > kernel/audit.h | 3 +
> > kernel/audit_fsnotify.c | 5 +-
> > kernel/audit_tree.c | 5 +-
> > kernel/audit_watch.c | 33 +++++-----
> > kernel/auditfilter.c | 52 +++++++++++++++-
> > kernel/auditsc.c | 145
> > ++++++++++++++++++++++++++++++++++++++++++-- kernel/nsproxy.c |
> > 6 ++
> > net/core/net_namespace.c | 45 ++++++++++++++
> > net/netfilter/xt_AUDIT.c | 15 ++++-
> > 17 files changed, 473 insertions(+), 37 deletions(-)
>
>
>
>
- RGB
--
Richard Guy Briggs <rgb@...hat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
Powered by blists - more mailing lists