Somehow I managed to lose this patch, but a couple of comments. Didn't Aris do this at least as far back as March? You might want to ask for his work.
audit_log_context() logs the LSM portion of a process. I don't believe this should be added to that function. What happens if namespaces are compiled out? There's got to be more.... On Sat, 2013-12-21 at 04:01 -0500, William Roberts wrote: > I'm doing work now involving namespaces....the necessity is real. > I'll take a look early next week. > > On Dec 20, 2013 10:34 PM, "Richard Guy Briggs" <[email protected]> wrote: > Log the namespace details of a task. > --- > > Does anyone have comments on this patch? > > I'm looking for guidance on which types of messages should > have namespace > information included. I've included too many, I suspect. > > I also wonder if displaying these inode numbers in hexadecimal > makes more sense > than decimal, since they are all based around 0xF0000000. > These are all with > reference to the proc filesystem, so a device number should > not be necessary to > qualify them. > > > include/linux/audit.h | 1 + > kernel/audit.c | 29 +++++++++++++++++++++++++++++ > kernel/audit_watch.c | 1 + > kernel/auditfilter.c | 1 + > kernel/auditsc.c | 5 +++++ > 5 files changed, 37 insertions(+), 0 deletions(-) > > diff --git a/include/linux/audit.h b/include/linux/audit.h > index 6976219..75fa602 100644 > --- a/include/linux/audit.h > +++ b/include/linux/audit.h > @@ -92,6 +92,7 @@ extern int audit_classify_arch(int arch); > struct filename; > > extern void audit_log_session_info(struct audit_buffer *ab); > +extern void audit_log_namespace_info(struct audit_buffer *ab, > struct task_struct *tsk); > > #ifdef CONFIG_AUDITSYSCALL > /* These are defined in auditsc.c */ > diff --git a/kernel/audit.c b/kernel/audit.c > index dc03a30..b4c39a9 100644 > --- a/kernel/audit.c > +++ b/kernel/audit.c 
> @@ -62,7 +62,15 @@ > #endif > #include <linux/freezer.h> > #include <linux/tty.h> > +#include <linux/nsproxy.h> > +#include <linux/utsname.h> > +#include <linux/ipc_namespace.h> > +#include "../fs/mount.h" > +#include <linux/mount.h> > +#include <linux/mnt_namespace.h> > #include <linux/pid_namespace.h> > +#include <net/net_namespace.h> > +#include <linux/user_namespace.h> > #include <net/netns/generic.h> > > #include "audit.h" > @@ -292,6 +300,7 @@ static int audit_log_config_change(char > *function_name, int new, int old, > return rc; > audit_log_format(ab, "%s=%d old=%d", function_name, > new, old); > audit_log_session_info(ab); > + audit_log_namespace_info(ab, current); > rc = audit_log_task_context(ab); > if (rc) > allow_changes = 0; /* Something weird, deny > request */ > @@ -657,6 +666,7 @@ static int > audit_log_common_recv_msg(struct audit_buffer **ab, u16 > msg_type) > return rc; > audit_log_format(*ab, "pid=%d uid=%u", > task_tgid_vnr(current), uid); > audit_log_session_info(*ab); > + audit_log_namespace_info(*ab, current); > audit_log_task_context(*ab); > > return rc; > @@ -689,6 +699,7 @@ static void audit_log_feature_change(int > which, u32 old_feature, u32 new_feature > return; > > ab = audit_log_start(NULL, GFP_KERNEL, > AUDIT_FEATURE_CHANGE); > + audit_log_namespace_info(ab, current); > audit_log_format(ab, "feature=%s old=%d new=%d > old_lock=%d new_lock=%d res=%d", > audit_feature_names[which], !! > old_feature, !!new_feature, > !!old_lock, !!new_lock, res); 
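Review bot: The include hunk adds `#include "../fs/mount.h"` to kernel/audit.c, reaching into a private fs-internal header solely so that `nsproxy->mnt_ns->proc_inum` can be dereferenced later in the file. That layering is likely to be rejected by the fs side; the cleaner route is an accessor declared in include/linux/mnt_namespace.h (something like `unsigned int mnt_ns_inum(struct mnt_namespace *ns)`) so audit does not depend on the layout of `struct mnt_namespace`. `<linux/pid_namespace.h>` was already included, so no new header is needed for the pid namespace.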
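Review bot: In the `audit_log_feature_change()` hunk the new `audit_log_namespace_info(ab, current);` runs before the `feature=` field is formatted, so the namespace fields become the first fields of the record, whereas every other call site in this series appends them after the session or task info. Moving the call below the `audit_log_format(ab, "feature=%s old=%d new=%d ...")` keeps the field order consistent across record types, which matters for userspace parsers keyed on the leading field. The call is safe when `audit_log_start()` returns NULL only because `audit_log_format()` tolerates a NULL buffer; that is worth stating in the helper rather than relying on it silently.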
> @@ -1621,6 +1632,23 @@ void audit_log_session_info(struct > audit_buffer *ab) > audit_log_format(ab, " auid=%u ses=%u", auid, > sessionid); > } > > +void audit_log_namespace_info(struct audit_buffer *ab, struct > task_struct *tsk) > +{ > + struct nsproxy *nsproxy; > + > + rcu_read_lock(); > + audit_log_format(ab, " pidns=%x", > task_active_pid_ns(tsk)->proc_inum); > + nsproxy = task_nsproxy(tsk); > + if (nsproxy != NULL) { > + audit_log_format(ab, " usrns=%x", > nsproxy->net_ns->user_ns->proc_inum); > + audit_log_format(ab, " utsns=%x", > nsproxy->uts_ns->proc_inum); > + audit_log_format(ab, " ipcns=%x", > nsproxy->ipc_ns->proc_inum); > + audit_log_format(ab, " mntns=%x", > nsproxy->mnt_ns->proc_inum); > + audit_log_format(ab, " netns=%x", > nsproxy->net_ns->proc_inum); > + } > + rcu_read_unlock(); > +} > + > void audit_log_key(struct audit_buffer *ab, char *key) > { > audit_log_format(ab, " key="); > @@ -1890,6 +1918,7 @@ void audit_log_link_denied(const char > *operation, struct path *link) > goto out; > audit_log_format(ab, "op=%s", operation); > audit_log_task_info(ab, current); > + audit_log_namespace_info(ab, current); > audit_log_format(ab, " res=0"); > audit_log_end(ab); > > diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c > index 22831c4..2382a3e 100644 > --- a/kernel/audit_watch.c > +++ b/kernel/audit_watch.c > @@ -245,6 +245,7 @@ static void > audit_watch_log_rule_change(struct audit_krule *r, struct > audit_watc > audit_log_format(ab, "auid=%u ses=%u op=", > from_kuid(&init_user_ns, > audit_get_loginuid(current)), > > audit_get_sessionid(current)); > + audit_log_namespace_info(ab, current); > audit_log_string(ab, op); > audit_log_format(ab, " path="); > audit_log_untrustedstring(ab, w->path); > diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c > index 14a78cc..9c4b004 100644 > --- a/kernel/auditfilter.c > +++ b/kernel/auditfilter.c 
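Review bot: `usrns` is read from `nsproxy->net_ns->user_ns->proc_inum`, which is the user namespace that owns the task's network namespace, not the task's own user namespace; a task that has unshared into a child user namespace but still sits in a net namespace created by its parent would have the wrong owner logged. The task's user namespace hangs off its credentials, so under the `rcu_read_lock()` already held here the field should presumably come from `__task_cred(tsk)->user_ns->proc_inum` (confirm against this tree's cred accessors). The helper also never checks `ab` for NULL and relies on `audit_log_format()` doing so; a one-line comment such as `/* ab may be NULL; audit_log_format() handles it */` above the first format call would make that explicit.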
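Review bot: In the kernel/audit_watch.c hunk the call is inserted between `audit_log_format(ab, "auid=%u ses=%u op=", ...)` and `audit_log_string(ab, op)`, so the emitted record reads `op= pidns=... netns=... <op>`: the `op=` field is left empty and its value is stranded after the namespace fields. Move `audit_log_namespace_info(ab, current);` to after the `audit_log_string(ab, op);` line (or before the format that ends in `op=`) so the field/value pairing survives. The body of `audit_watch_log_rule_change()` continues past the hunk.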
> @@ -1014,6 +1014,7 @@ static void audit_log_rule_change(char > *action, struct audit_krule *rule, int re > if (!ab) > return; > audit_log_format(ab, "auid=%u ses=%u" ,loginuid, > sessionid); > + audit_log_namespace_info(ab, current); > audit_log_task_context(ab); > audit_log_format(ab, " op="); > audit_log_string(ab, action); > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index 10176cd..3c73a3b 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -974,6 +974,7 @@ static int audit_log_pid_context(struct > audit_context *context, pid_t pid, > audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=% > d", pid, > from_kuid(&init_user_ns, auid), > from_kuid(&init_user_ns, uid), > sessionid); > + audit_log_namespace_info(ab, current); > if (sid) { > if (security_secid_to_secctx(sid, &ctx, &len)) > { > audit_log_format(ab, " obj=(none)"); > @@ -1302,6 +1303,7 @@ static void audit_log_exit(struct > audit_context *context, struct task_struct *ts > context->name_count); > > audit_log_task_info(ab, tsk); > + audit_log_namespace_info(ab, current); > audit_log_key(ab, context->filterkey); > audit_log_end(ab); > > @@ -1987,6 +1989,7 @@ static void > audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid, > current->pid, uid, > oldloginuid, loginuid, oldsessionid, > sessionid, > !rc); > + audit_log_namespace_info(ab, current); > audit_log_end(ab); > } > > @@ -2400,6 +2403,7 @@ void audit_core_dumps(long signr) > if (unlikely(!ab)) > return; > audit_log_task(ab); > + audit_log_namespace_info(ab, current); > audit_log_format(ab, " sig=%ld", signr); > audit_log_end(ab); > } 
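Review bot: `audit_log_exit()` logs the task context with `audit_log_task_info(ab, tsk)`, but the new line passes `current` to the namespace helper, so the namespace fields could describe a different task from the rest of the record if this path is ever reached with `tsk != current`; it should be `audit_log_namespace_info(ab, tsk);`. The `audit_log_pid_context()` hunk above it has the same attribution problem: `opid=`, `ouid=` and `oses=` describe another process while the namespace fields describe the caller, which will mislead anyone correlating the two, so either log the target task's namespaces or omit the fields there. Both functions extend beyond the hunks shown.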
> @@ -2412,6 +2416,7 @@ void __audit_seccomp(unsigned long > syscall, long signr, int code) > if (unlikely(!ab)) > return; > audit_log_task(ab); > + audit_log_namespace_info(ab, current); > audit_log_format(ab, " sig=%ld", signr); > audit_log_format(ab, " syscall=%ld", syscall); > audit_log_format(ab, " compat=%d", is_compat_task()); > -- > 1.7.1 > > -- > Linux-audit mailing list > [email protected] > https://www.redhat.com/mailman/listinfo/linux-audit > -- > Linux-audit mailing list > [email protected] > https://www.redhat.com/mailman/listinfo/linux-audit -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
