[PATCH V3 3/6] namespaces: expose ns instance serial numbers in proc
Expose the namespace instace serial numbers in the proc filesystem at /proc/pid/ns/ns_snum. The link text gives the serial number in hex. snum was chosen instead of seq for consistency with inum and there are a number of other uses of seq in the namespace code. Suggested-by: Serge E. Hallyn se...@hallyn.com Signed-off-by: Richard Guy Briggs r...@redhat.com --- fs/proc/namespaces.c | 33 + 1 files changed, 25 insertions(+), 8 deletions(-) diff --git a/fs/proc/namespaces.c b/fs/proc/namespaces.c index 9ae46b8..57fce90 100644 --- a/fs/proc/namespaces.c +++ b/fs/proc/namespaces.c @@ -47,12 +47,15 @@ static char *ns_dname(struct dentry *dentry, char *buffer, int buflen) struct inode *inode = dentry-d_inode; const struct proc_ns_operations *ns_ops = PROC_I(inode)-ns.ns_ops; - return dynamic_dname(dentry, buffer, buflen, %s:[%lu], - ns_ops-name, inode-i_ino); + if (strstr(dentry-d_iname, _snum)) + return dynamic_dname(dentry, buffer, buflen, %s_snum:[%llx], + ns_ops-name, ns_ops-snum(PROC_I(inode)-ns.ns)); + else + return dynamic_dname(dentry, buffer, buflen, %s:[%lu], + ns_ops-name, inode-i_ino); } -const struct dentry_operations ns_dentry_operations = -{ +const struct dentry_operations ns_dentry_operations = { .d_delete = always_delete_dentry, .d_dname= ns_dname, }; @@ -160,7 +163,10 @@ static int proc_ns_readlink(struct dentry *dentry, char __user *buffer, int bufl if (!ns) goto out_put_task; - snprintf(name, sizeof(name), %s:[%u], ns_ops-name, ns_ops-inum(ns)); + if (strstr(dentry-d_iname, _snum)) + snprintf(name, sizeof(name), %s_snum:[%llx], ns_ops-name, ns_ops-snum(ns)); + else + snprintf(name, sizeof(name), %s:[%u], ns_ops-name, ns_ops-inum(ns)); len = strlen(name); if (len buflen) 
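Review bot: ns_dname decides which value to expose with `strstr(dentry->d_iname, "_snum")`, which matches the substring anywhere in the name and reads `d_iname`, the inline storage that only holds names shorter than DNAME_INLINE_LEN; for the fixed short names proc instantiates here that happens to work, but it is a fragile discriminator and the same pattern is repeated in proc_ns_readlink. I'd compare `dentry->d_name` against the exact expected suffix, or record a flag in the proc inode when the `_snum` entry is instantiated, so the branch cannot drift from what lookup/readdir actually create. Note also that `%llx` expects an unsigned long long while `ns_ops->snum()` returns a signed long long; the output only agrees with the audit records because the counter never goes negative, so an unsigned serial type would be cleaner. ns_dname starts above the hunk.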
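Review bot: The `_snum` branch of proc_ns_readlink can format up to 16 hex digits plus the `_snum` suffix into `name`, noticeably longer than the previous `%s:[%u]` output, and `name` is declared above the hunk so its size is not visible here; please confirm `sizeof(name)` covers the longest `user_snum:[ffffffffffffffff]` form, or check the snprintf return value for truncation before `len = strlen(name)`. The readlink of this entry is what makes the boot-global serial readable to any task that passes the `/proc/<pid>/ns` access check done earlier in the function, so it is worth confirming that check is unchanged for the new names. proc_ns_readlink starts and ends outside the hunk.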
@@ -216,16 +222,23 @@ static int proc_ns_dir_readdir(struct file *file, struct dir_context *ctx) if (!dir_emit_dots(file, ctx)) goto out; - if (ctx-pos = 2 + ARRAY_SIZE(ns_entries)) + if (ctx-pos = 2 + 2 * ARRAY_SIZE(ns_entries)) goto out; entry = ns_entries + (ctx-pos - 2); last = ns_entries[ARRAY_SIZE(ns_entries) - 1]; while (entry = last) { const struct proc_ns_operations *ops = *entry; + char name[50]; + if (!proc_fill_cache(file, ctx, ops-name, strlen(ops-name), proc_ns_instantiate, task, ops)) break; ctx-pos++; + snprintf(name, sizeof(name), %s_snum, ops-name); + if (!proc_fill_cache(file, ctx, name, strlen(name), +proc_ns_instantiate, task, ops)) + break; + ctx-pos++; entry++; } out: @@ -253,9 +266,13 @@ static struct dentry *proc_ns_dir_lookup(struct inode *dir, last = ns_entries[ARRAY_SIZE(ns_entries)]; for (entry = ns_entries; entry last; entry++) { - if (strlen((*entry)-name) != len) + char name[50]; + + snprintf(name, sizeof(name), %s_snum, (*entry)-name); + if (strlen((*entry)-name) != len strlen(name) != len) continue; - if (!memcmp(dentry-d_name.name, (*entry)-name, len)) + if (!memcmp(dentry-d_name.name, (*entry)-name, len) + || !memcmp(dentry-d_name.name, name, len)) break; } if (entry == last) -- 1.7.1 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
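Review bot: proc_ns_dir_readdir now publishes a `<ns>_snum` entry for every namespace type, so any task that can read its own `/proc/self/ns` learns a boot-global monotonic counter; from inside a container that reveals how many namespaces the host and other containers have created since boot, an exposure the cover letter acknowledges but the code does not gate. If that is not intended, consider instantiating the `_snum` entries only for readers in the initial user namespace, or at least document the exposure alongside the new entries. The `char name[50]` snprintf is fine for the six fixed names, but checking its return value (or sizing the buffer from the longest `ops->name`) prevents a future namespace type from silently truncating into an ambiguous entry name. The enclosing function extends above and below the hunk.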
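Review bot: The rewritten length test in proc_ns_dir_lookup admits a candidate when `len` matches either name, but both memcmp calls that follow then compare `len` bytes, so a lookup of `mnt_snum` (len 8) runs memcmp over the 4-byte literal `"mnt"` and reads past its end; that is an out-of-bounds read of read-only data rather than anything attacker-steerable, but it is still undefined behaviour reachable from an unprivileged path lookup. Pair each comparison with its own length: `if ((len == strlen((*entry)->name) && !memcmp(dentry->d_name.name, (*entry)->name, len)) || (len == strlen(name) && !memcmp(dentry->d_name.name, name, len))) break;`. Both names are then instantiated with the same `ops`, so the only thing distinguishing the two dentries afterwards is the name string that ns_dname and readlink inspect, which is worth a comment here. proc_ns_dir_lookup continues outside the hunk.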
[PATCH V3 6/6] audit: log creation and deletion of namespace instances
Log the creation and deletion of namespace instances in all 6 types of namespaces. Two new audit message types have been introduced: AUDIT_NS_INIT 1329 AUDIT_NS_DEL1330 The output format should look roughly: type=NS_INIT msg=audit(1400217435.706:94): pid=524 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:mount_t:s0 type=2 old_snum=0 snum=a res=1 type=NS_DEL msg=audit(1400217435.730:95): pid=524 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:mount_t:s0 type=2 snum=a res=1 If non-zero, old_snum lists the namespace from which it was cloned. The types are CLONE_NEW* listed in include/uapi/linux/sched.h. Signed-off-by: Richard Guy Briggs r...@redhat.com --- fs/namespace.c |4 include/linux/audit.h |8 include/uapi/linux/audit.h |2 ++ ipc/namespace.c| 10 ++ kernel/audit.c | 32 kernel/pid_namespace.c | 10 ++ kernel/user_namespace.c|9 + kernel/utsname.c | 10 ++ net/core/net_namespace.c |5 + 9 files changed, 90 insertions(+), 0 deletions(-) diff --git a/fs/namespace.c b/fs/namespace.c index 74348c4..f33efb3 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -24,6 +24,7 @@ #include linux/proc_ns.h #include linux/magic.h #include linux/bootmem.h +#include linux/audit.h #include pnode.h #include internal.h @@ -2445,6 +2446,7 @@ dput_out: static void free_mnt_ns(struct mnt_namespace *ns) { + audit_log_ns_del(CLONE_NEWNS, ns-serial_num); proc_free_inum(ns-proc_inum); put_user_ns(ns-user_ns); kfree(ns); @@ -2505,6 +2507,7 @@ struct mnt_namespace *copy_mnt_ns(unsigned long flags, struct mnt_namespace *ns, new_ns = alloc_mnt_ns(user_ns); if (IS_ERR(new_ns)) return new_ns; + audit_log_ns_init(CLONE_NEWNS, ns-serial_num, new_ns-serial_num); namespace_lock(); /* First pass: copy the tree topology */ @@ -2568,6 +2571,7 @@ static struct mnt_namespace *create_mnt_ns(struct vfsmount *m) mnt-mnt_ns = new_ns; new_ns-root = mnt; list_add(mnt-mnt_list, new_ns-list); + audit_log_ns_init(CLONE_NEWNS, 0, new_ns-serial_num); } else { mntput(m); } 
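Review bot: audit_log_ns_del in free_mnt_ns runs when the last reference to the namespace is dropped, so the pid/uid/subj fields of the NS_DEL record describe whichever task happened to drop that reference (possibly an unrelated process or an exit path), not the namespace's creator or owner; an analyst reading `pid=` as "who deleted it" will draw the wrong conclusion, so either the record or a comment at this call site should say so. It would also help to note whether free_mnt_ns can be reached from a context where the audit buffer allocation may not sleep, since the cover letter mentions RCU-sleep issues in the audit patch. free_mnt_ns is shown in full here.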
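Review bot: copy_mnt_ns emits NS_INIT with `res=1` immediately after alloc_mnt_ns succeeds and before the tree copy, so a clone that fails later in the function (outside this hunk) still leaves a success record, balanced only if that error path reaches free_mnt_ns and its NS_DEL. Logging at the successful return of copy_mnt_ns, or emitting `res=0` from the failure path, keeps the record consistent with what actually happened. copy_mnt_ns and create_mnt_ns both continue outside their hunks.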
diff --git a/include/linux/audit.h b/include/linux/audit.h index 0ef404a..3ba8216 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -466,6 +466,9 @@ extern void audit_log_key(struct audit_buffer *ab, char *key); extern voidaudit_log_link_denied(const char *operation, struct path *link); +extern int audit_log_ns_init(int type, long long old_snum, + long long snum); +extern int audit_log_ns_del(int type, long long snum); extern voidaudit_log_lost(const char *message); #ifdef CONFIG_SECURITY extern voidaudit_log_secctx(struct audit_buffer *ab, u32 secid); @@ -524,6 +527,11 @@ static inline void audit_log_key(struct audit_buffer *ab, char *key) static inline void audit_log_link_denied(const char *string, const struct path *link) { } +static inline int audit_log_ns_init(int type, long long old_snum, + long long snum) +{ } +static inline int audit_log_ns_del(int type, long long snum) +{ } static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid) { } static inline int audit_log_task_context(struct audit_buffer *ab) diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index 573dc36..ac177fd 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -110,6 +110,8 @@ #define AUDIT_SECCOMP 1326/* Secure Computing event */ #define AUDIT_PROCTITLE1327/* Proctitle emit event */ #define AUDIT_FEATURE_CHANGE 1328/* audit log listing feature changes */ +#define AUDIT_NS_INIT 1329/* Record namespace instance creation */ +#define AUDIT_NS_DEL 1330/* Record namespace instance deletion */ #define AUDIT_AVC 1400/* SE Linux avc denial or grant */ #define AUDIT_SELINUX_ERR 1401/* Internal SE Linux Errors */ diff --git a/ipc/namespace.c b/ipc/namespace.c index 36ce7ff..5b2b897 100644 --- a/ipc/namespace.c +++ b/ipc/namespace.c @@ -13,6 +13,7 @@ #include linux/mount.h #include linux/user_namespace.h #include linux/proc_ns.h +#include linux/audit.h #include util.h 
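Review bot: The `!CONFIG_AUDIT` stubs `audit_log_ns_init` and `audit_log_ns_del` are declared to return int but have empty bodies, so a build without audit gets -Wreturn-type warnings and any caller that checks the result reads an indeterminate value; give them `{ return 0; }` like the other int-returning stubs. Since every caller added in this series discards the return value, making both functions void would remove the mismatch entirely. The stub block continues outside the hunk.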
@@ -42,6 +43,7 @@ static struct ipc_namespace *create_ipc_ns(struct user_namespace *user_ns, atomic_inc(nr_ipc_ns); ns-serial_num = ns_serial(); + audit_log_ns_init(CLONE_NEWIPC, old_ns-serial_num, ns-serial_num);
[PATCH V3 2/6] namespaces: expose namespace instance serial number in proc_ns_operations
Expose the namespace instance serial number for each namespace type in the proc namespace operations structure to make it available for the proc filesystem. Signed-off-by: Richard Guy Briggs r...@redhat.com --- fs/namespace.c |7 +++ include/linux/proc_ns.h |1 + ipc/namespace.c |8 kernel/pid_namespace.c |7 +++ kernel/user_namespace.c |7 +++ kernel/utsname.c |8 net/core/net_namespace.c |7 +++ 7 files changed, 45 insertions(+), 0 deletions(-) diff --git a/fs/namespace.c b/fs/namespace.c index b4a31aa..74348c4 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -3014,6 +3014,12 @@ static unsigned int mntns_inum(void *ns) return mnt_ns-proc_inum; } +static long long mntns_snum(void *ns) +{ + struct mnt_namespace *mnt_ns = ns; + return mnt_ns-serial_num; +} + const struct proc_ns_operations mntns_operations = { .name = mnt, .type = CLONE_NEWNS, @@ -3021,4 +3027,5 @@ const struct proc_ns_operations mntns_operations = { .put= mntns_put, .install= mntns_install, .inum = mntns_inum, + .snum = mntns_snum, }; diff --git a/include/linux/proc_ns.h b/include/linux/proc_ns.h index 34a1e10..aaafe3e 100644 --- a/include/linux/proc_ns.h +++ b/include/linux/proc_ns.h @@ -14,6 +14,7 @@ struct proc_ns_operations { void (*put)(void *ns); int (*install)(struct nsproxy *nsproxy, void *ns); unsigned int (*inum)(void *ns); + long long (*snum)(void *ns); }; struct proc_ns { diff --git a/ipc/namespace.c b/ipc/namespace.c index 76dac5c..36ce7ff 100644 --- a/ipc/namespace.c +++ b/ipc/namespace.c @@ -191,6 +191,13 @@ static unsigned int ipcns_inum(void *vp) return ns-proc_inum; } +static long long ipcns_snum(void *vp) +{ + struct ipc_namespace *ns = vp; + + return ns-serial_num; +} + const struct proc_ns_operations ipcns_operations = { .name = ipc, .type = CLONE_NEWIPC, @@ -198,4 +205,5 @@ const struct proc_ns_operations ipcns_operations = { .put= ipcns_put, .install= ipcns_install, .inum = ipcns_inum, + .snum = ipcns_snum, }; 
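Review bot: `snum` becomes a callback that proc dereferences without a NULL check in ns_dname and proc_ns_readlink, yet nothing in struct proc_ns_operations says it is mandatory, so a namespace type that leaves it unset (out-of-tree, or added later) turns an unprivileged readlink into a NULL function-pointer call. Add a comment on the member, e.g. `/* required: proc calls this without a NULL check */`, or have the proc users check `ns_ops->snum` before calling it. The signed `long long` return also disagrees with the `%llx` used to print it; `u64` is the natural type for a monotonic counter. The struct definition starts above the hunk.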
diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c index c24f207..5473364 100644 --- a/kernel/pid_namespace.c +++ b/kernel/pid_namespace.c @@ -368,6 +368,12 @@ static unsigned int pidns_inum(void *ns) return pid_ns-proc_inum; } +static long long pidns_snum(void *ns) +{ + struct pid_namespace *pid_ns = ns; + return pid_ns-serial_num; +} + const struct proc_ns_operations pidns_operations = { .name = pid, .type = CLONE_NEWPID, @@ -375,6 +381,7 @@ const struct proc_ns_operations pidns_operations = { .put= pidns_put, .install= pidns_install, .inum = pidns_inum, + .snum = pidns_snum, }; static __init int pid_namespaces_init(void) diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c index 750241c..d2e9365 100644 --- a/kernel/user_namespace.c +++ b/kernel/user_namespace.c @@ -890,6 +890,12 @@ static unsigned int userns_inum(void *ns) return user_ns-proc_inum; } +static long long userns_snum(void *ns) +{ + struct user_namespace *user_ns = ns; + return user_ns-serial_num; +} + const struct proc_ns_operations userns_operations = { .name = user, .type = CLONE_NEWUSER, @@ -897,6 +903,7 @@ const struct proc_ns_operations userns_operations = { .put= userns_put, .install= userns_install, .inum = userns_inum, + .snum = userns_snum, }; static __init int user_namespaces_init(void) diff --git a/kernel/utsname.c b/kernel/utsname.c index d0cf7b5..ffeac1b 100644 --- a/kernel/utsname.c +++ b/kernel/utsname.c @@ -132,6 +132,13 @@ static unsigned int utsns_inum(void *vp) return ns-proc_inum; } +static long long utsns_snum(void *vp) +{ + struct uts_namespace *ns = vp; + + return ns-serial_num; +} + const struct proc_ns_operations utsns_operations = { .name = uts, .type = CLONE_NEWUTS, @@ -139,4 +146,5 @@ const struct proc_ns_operations utsns_operations = { .put= utsns_put, .install= utsns_install, .inum = utsns_inum, + .snum = utsns_snum, }; diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c index 81e6671..dd7c085 100644 --- a/net/core/net_namespace.c 
+++ b/net/core/net_namespace.c @@ -671,6 +671,12 @@ static unsigned int netns_inum(void *ns) return net-proc_inum; } +static long long netns_snum(void *ns) +{ + struct net *net = ns; + return net-serial_num; +} + const struct proc_ns_operations
[PATCH V3 1/6] namespaces: assign each namespace instance a serial number
Generate and assign a serial number per namespace instance since boot. Use a serial number per namespace (unique across one boot of one kernel) instead of the inode number (which is claimed to have had the right to change reserved and is not necessarily unique if there is more than one proc fs) to uniquely identify it per kernel boot. Signed-off-by: Richard Guy Briggs r...@redhat.com --- fs/mount.h |1 + fs/namespace.c |1 + include/linux/ipc_namespace.h |1 + include/linux/nsproxy.h|8 include/linux/pid_namespace.h |1 + include/linux/user_namespace.h |1 + include/linux/utsname.h|1 + include/net/net_namespace.h|1 + init/version.c |1 + ipc/msgutil.c |1 + ipc/namespace.c|2 ++ kernel/nsproxy.c | 17 + kernel/pid.c |1 + kernel/pid_namespace.c |2 ++ kernel/user.c |1 + kernel/user_namespace.c|2 ++ kernel/utsname.c |2 ++ net/core/net_namespace.c |8 +++- 18 files changed, 51 insertions(+), 1 deletions(-) diff --git a/fs/mount.h b/fs/mount.h index b29e42f..8588fc5 100644 --- a/fs/mount.h +++ b/fs/mount.h @@ -5,6 +5,7 @@ struct mnt_namespace { atomic_tcount; unsigned intproc_inum; + long long serial_num; struct mount * root; struct list_headlist; struct user_namespace *user_ns; diff --git a/fs/namespace.c b/fs/namespace.c index 2ffc5a2..b4a31aa 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -2472,6 +2472,7 @@ static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns) kfree(new_ns); return ERR_PTR(ret); } + new_ns-serial_num = ns_serial(); new_ns-seq = atomic64_add_return(1, mnt_ns_seq); atomic_set(new_ns-count, 1); new_ns-root = NULL; diff --git a/include/linux/ipc_namespace.h b/include/linux/ipc_namespace.h index 35e7eca..8ccfb2d 100644 --- a/include/linux/ipc_namespace.h +++ b/include/linux/ipc_namespace.h @@ -69,6 +69,7 @@ struct ipc_namespace { struct user_namespace *user_ns; unsigned intproc_inum; + long long serial_num; }; extern struct ipc_namespace init_ipc_ns; diff --git a/include/linux/nsproxy.h b/include/linux/nsproxy.h index b4ec59d..8e5fe0d 100644 
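Review bot: alloc_mnt_ns now assigns `new_ns->serial_num = ns_serial()` right next to `new_ns->seq = atomic64_add_return(1, &mnt_ns_seq)`, so a mount namespace carries two monotonic identifiers and nothing explains how they differ; a one-line comment on the new field in fs/mount.h, e.g. `/* boot-global id shared by all namespace types; not the mount-ns-only seq */`, would stop the next reader from treating them as interchangeable. The same comment belongs on the other `serial_num` fields added in this patch. alloc_mnt_ns continues outside the hunk.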
--- a/include/linux/nsproxy.h +++ b/include/linux/nsproxy.h @@ -66,6 +66,14 @@ static inline struct nsproxy *task_nsproxy(struct task_struct *tsk) return rcu_dereference(tsk-nsproxy); } +long long ns_serial(void); +enum { + NS_IPC_INIT_SN = 1, + NS_UTS_INIT_SN = 2, + NS_USER_INIT_SN = 3, + NS_PID_INIT_SN = 4, +}; + int copy_namespaces(unsigned long flags, struct task_struct *tsk); void exit_task_namespaces(struct task_struct *tsk); void switch_task_namespaces(struct task_struct *tsk, struct nsproxy *new); diff --git a/include/linux/pid_namespace.h b/include/linux/pid_namespace.h index 7246ef3..4d8023e 100644 --- a/include/linux/pid_namespace.h +++ b/include/linux/pid_namespace.h @@ -43,6 +43,7 @@ struct pid_namespace { int hide_pid; int reboot; /* group exit code if this pidns was rebooted */ unsigned int proc_inum; + long long serial_num; }; extern struct pid_namespace init_pid_ns; diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h index 4836ba3..159ac26 100644 --- a/include/linux/user_namespace.h +++ b/include/linux/user_namespace.h @@ -27,6 +27,7 @@ struct user_namespace { kuid_t owner; kgid_t group; unsigned intproc_inum; + long long serial_num; /* Register of per-UID persistent keyrings for this namespace */ #ifdef CONFIG_PERSISTENT_KEYRINGS diff --git a/include/linux/utsname.h b/include/linux/utsname.h index 239e277..8490197 100644 --- a/include/linux/utsname.h +++ b/include/linux/utsname.h @@ -24,6 +24,7 @@ struct uts_namespace { struct new_utsname name; struct user_namespace *user_ns; unsigned int proc_inum; + long long serial_num; }; extern struct uts_namespace init_uts_ns; diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h index 991dcd9..42d38f9 100644 --- a/include/net/net_namespace.h +++ b/include/net/net_namespace.h 
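Review bot: The enum reserves serials 1–4 for the initial ipc, uts, user and pid namespaces, but nothing visible here ties ns_serial() to that reservation, so unless the counter in kernel/nsproxy.c (not in this view) starts above NS_PID_INIT_SN a dynamically created namespace can collide with an init namespace's serial and the audit records lose the uniqueness the cover letter promises; a comment on the enum such as `/* ns_serial() must start above the last reserved value */`, with the counter initialised from it, makes that explicit and checkable. The initial mount and net namespaces get no reserved value, and that asymmetry deserves a comment too. Declaring `ns_serial()` as `long long` for a value printed with `%llx` is another reason to prefer an unsigned type.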
@@ -59,6 +59,7 @@ struct net { struct user_namespace *user_ns; /* Owning user namespace */ unsigned intproc_inum; + long long serial_num; struct proc_dir_entry *proc_net; struct proc_dir_entry *proc_net_stat; diff --git a/init/version.c b/init/version.c index 1a4718e..cfdcb85 100644 --- a/init/version.c +++ b/init/version.c @@ -36,6 +36,7 @@ struct uts_namespace init_uts_ns = {
[PATCH V3 0/6] namespaces: log namespaces per task
The purpose is to track namespaces in use by logged processes from the perspective of init_*_ns. 1/6 defines a function to generate serial numbers and assigns one to each namespace instance. Use a serial number per namespace (unique across one boot of one kernel) instead of the inode number (which is claimed to have had the right to change reserved and is not necessarily unique if there is more than one proc fs). It could be argued that the inode numbers have now become a de facto interface and can't change now, but I'm proposing this approach to see if this helps address some of the objections to the earlier patchset. 2/6 adds access functions to get to the serial numbers in a similar way to inode access for namespace proc operations. 3/6 implements, as suggested by Serge Hallyn, making these serial numbers available in /proc/self/ns/{ipc,mnt,net,pid,user,uts}_snum. I chose snum instead of seq for consistency with inum and there are a number of other uses of seq in the namespace code. 4/6 exposes proc's ns entries structure which lists a number of useful operations per namespace type for other subsystems to use. 5/6 provides an example of usage for audit_log_task_info() which is used by syscall audits, among others. audit_log_task() and audit_common_recv_message() would be other potential use cases. Proposed output format: This differs slightly from Aristeu's patch because of the label conflict with pid= due to including it in existing records rather than it being a separate record. The serial numbers are printed in hex. 
type=SYSCALL msg=audit(1399651071.433:72): arch=c03e syscall=272 success=yes exit=0 a0=4000 a1= a2=0 a3=22 items=0 ppid=1 pid=483 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=(t-daemon) exe=/usr/lib/systemd/systemd netns=97 utsns=2 ipcns=1 pidns=4 userns=3 mntns=5 subj=system_u:system_r:init_t:s0 key=(null) 6/6 tracks the creation and deletion of namespaces, listing the type of namespace instance, the related namespace id if there is one, and the newly minted serial number. Proposed output format: type=NS_INIT msg=audit(1400217435.706:94): pid=524 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:mount_t:s0 type=2 old_snum=0 snum=a1 res=1 type=NS_DEL msg=audit(1400217435.730:95): pid=524 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:mount_t:s0 type=2 snum=a1 res=1 v2 - v3: Use atomic64_t in ns_serial to simplify it. Avoid function duplication in proc, keying on dentry. Squash down audit patch to avoid rcu sleep issues. Add tracking for creation and deletion of namespace instances. v1 - v2: Avoid rollover by switching from an int to a long long. Change rollover behaviour from simply avoiding zero to raising a BUG. Expose serial numbers in /proc/pid/ns/*_snum. Expose ns_entries and use it in audit. Notes: There has been some progress made for audit in net namespaces and pid namespaces since this previous thread. net namespaces are now served as peers by one auditd in the init_net namespace with processes in a non-init_net namespace being able to write records if they are in the init_user_ns and have CAP_AUDIT_WRITE. Processes in a non-init_pid_ns can now similarly write records. As for CAP_AUDIT_READ, I just posted a patchset to check capabilities of userspace processes that try to join netlink broadcast groups. This set does not try to solve the non-init namespace audit messages and auditd problem yet. 
That will come later, likely with additional auditd instances running in another namespace with a limited ability to influence the master auditd. I echo Eric B's idea that messages destined for different namespaces would have to be tailored for that namespace with references that make sense (such as the right pid number reported to that pid namespace, and not leaking info about parents or peers). Bugs: Patch 6/6 has a timing bug such that the initial mnt and net namespaces never get logged, I suspect because they are initialized before the audit subsystem. I've tried moving audit from __initcall to subsys_initcall, but that doesn't help. Questions: Is there a way to link serial numbers of namespaces involved in migration of a container to another kernel? It sounds like what is needed is a part of a management application that is able to pull the audit records from constituent hosts to build an audit trail of a container. What additional events should list this information? Does this present any problematic information leaks? Only CAP_AUDIT_CONTROL (and proposed CAP_AUDIT_READ) in init_user_ns can get to this information in the init namespace at the moment from audit. *However*, the addition of /proc/pid/ns/*_snum makes it available to other processes now: any task that can read its own /proc/self/ns learns the current value of a boot-global counter, and with it how many namespaces have been created system-wide. Richard Guy Briggs (6): namespaces: assign each namespace instance a serial number namespaces: expose namespace instance
Re: [PATCH V3 0/6] namespaces: log namespaces per task
On Tue, 2014-05-20 at 09:12 -0400, Richard Guy Briggs wrote: The purpose is to track namespaces in use by logged processes from the perspective of init_*_ns. 1/6 defines a function to generate them and assigns them. Use a serial number per namespace (unique across one boot of one kernel) instead of the inode number (which is claimed to have had the right to change reserved and is not necessarily unique if there is more than one proc fs). It could be argued that the inode numbers have now become a defacto interface and can't change now, but I'm proposing this approach to see if this helps address some of the objections to the earlier patchset. 2/6 adds access functions to get to the serial numbers in a similar way to inode access for namespace proc operations. 3/6 implements, as suggested by Serge Hallyn, making these serial numbers available in /proc/self/ns/{ipc,mnt,net,pid,user,uts}_snum. I chose snum instead of seq for consistency with inum and there are a number of other uses of seq in the namespace code. 4/6 exposes proc's ns entries structure which lists a number of useful operations per namespace type for other subsystems to use. 5/6 provides an example of usage for audit_log_task_info() which is used by syscall audits, among others. audit_log_task() and audit_common_recv_message() would be other potential use cases. Proposed output format: This differs slightly from Aristeu's patch because of the label conflict with pid= due to including it in existing records rather than it being a seperate record. The serial numbers are printed in hex. 
type=SYSCALL msg=audit(1399651071.433:72): arch=c03e syscall=272 success=yes exit=0 a0=4000 a1= a2=0 a3=22 items=0 ppid=1 pid=483 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=(t-daemon) exe=/usr/lib/systemd/systemd netns=97 utsns=2 ipcns=1 pidns=4 userns=3 mntns=5 subj=system_u:system_r:init_t:s0 key=(null) I'm undecided if I'd rather see this as a separate NS_INFO record type. It would mean we could filter them out of the logs... Do we print out lots of pidns=0 for tasks not in a newly created NS? Do we want to? 6/6 tracks the creation and deletion of of namespaces, listing the type of namespace instance, related namespace id if there is one and the newly minted serial number. Proposed output format: type=NS_INIT msg=audit(1400217435.706:94): pid=524 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:mount_t:s0 type=2 old_snum=0 snum=a1 res=1 I'd love to be able to grep for netns=20 and find both the NS_INIT and the SYSCALL/NS_INFO records, instead of having them named different things. So basically I think you want to translate the type= into a string for the old_X= and X=... -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH V3 0/6] namespaces: log namespaces per task
On 14/05/20, Eric Paris wrote: On Tue, 2014-05-20 at 09:12 -0400, Richard Guy Briggs wrote: The purpose is to track namespaces in use by logged processes from the perspective of init_*_ns. 1/6 defines a function to generate them and assigns them. Use a serial number per namespace (unique across one boot of one kernel) instead of the inode number (which is claimed to have had the right to change reserved and is not necessarily unique if there is more than one proc fs). It could be argued that the inode numbers have now become a defacto interface and can't change now, but I'm proposing this approach to see if this helps address some of the objections to the earlier patchset. 2/6 adds access functions to get to the serial numbers in a similar way to inode access for namespace proc operations. 3/6 implements, as suggested by Serge Hallyn, making these serial numbers available in /proc/self/ns/{ipc,mnt,net,pid,user,uts}_snum. I chose snum instead of seq for consistency with inum and there are a number of other uses of seq in the namespace code. 4/6 exposes proc's ns entries structure which lists a number of useful operations per namespace type for other subsystems to use. 5/6 provides an example of usage for audit_log_task_info() which is used by syscall audits, among others. audit_log_task() and audit_common_recv_message() would be other potential use cases. Proposed output format: This differs slightly from Aristeu's patch because of the label conflict with pid= due to including it in existing records rather than it being a seperate record. The serial numbers are printed in hex. 
type=SYSCALL msg=audit(1399651071.433:72): arch=c03e syscall=272 success=yes exit=0 a0=4000 a1= a2=0 a3=22 items=0 ppid=1 pid=483 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=(t-daemon) exe=/usr/lib/systemd/systemd netns=97 utsns=2 ipcns=1 pidns=4 userns=3 mntns=5 subj=system_u:system_r:init_t:s0 key=(null) I'm undecided if I'd rather see this as a separate NS_INFO record type. It would mean we could filter them out of the logs... I don't have a strong opinion either way. Steve G.'s opinion would be helpful here. Do we print out lots of pidns=0 for tasks not in a newly created NS? Do we want to? There is no pidns=0, but I understand your point. This would come back to Steve G.'s point about disappearing fields, and the value of having it as a seperate record that could be filtered. 6/6 tracks the creation and deletion of of namespaces, listing the type of namespace instance, related namespace id if there is one and the newly minted serial number. Proposed output format: type=NS_INIT msg=audit(1400217435.706:94): pid=524 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:mount_t:s0 type=2 old_snum=0 snum=a1 res=1 I'd love to be able to grep for netns=20 and find both the NS_INIT and the SYSCALL/NS_INFO records, instead of having them named different things. So basically I think you want to translate the type= into a string for the old_X= and X=... That actually makes a bit more sense, and we could do away with the type= field since the Xns= fields are self-describing. Any hints on the timing issues mentioned in one of the notes? I'm missing initial mntns and netns messages. - RGB -- Richard Guy Briggs rbri...@redhat.com Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
auditd 2.0.5 and 2.2 log format changes
Hello, I have a script to correlate (for a user-friendly report) auditd 2.2 version logs. It works on Red Hat. We have a SUSE 11.4 server running audit version 2.0.5. I could not see any major log format difference between the two versions. I see that there is a nametype=NORMAL field difference at the end of each line for version 2.2. Are there any other log format changes between the two versions? PS: I execute the /sbin/ausearch -i -if /var/log/audit/audit.log command before starting log processing. Thanks in advance. -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: auditd 2.0.5 and 2.2 log format changes
On Tue, 20 May 2014 18:18:14 +0300 Ismail Yenigul ismailyeni...@gmail.com wrote: I have a scipt to correlate(for user friendly report) auditd 2.2 version logs. It works on RedHat. We have suse 11.4 server running audit 2.0.5 version . I could not see any major log format difference between two version. I see that there is nametype=NORMAL field difference at the end of each line for version 2.2. This is not related to auditd. This is a change in the kernel. Auditd just distributes events to disk and other applications. Is there any other log format changes between two versions? There are likely differences in the kernels (and possibly user space apps). I have no idea what they are. -Steve -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: auditd 2.0.5 and 2.2 log format changes
Thanks for prompt reply. The kernel versions are very close. Redhat: 2.6.32-431.11.2.el6.x86_64 Suse: 2.6.37.1-1.2-desktop Is there any change in audit.rules format? Have a nice days. 2014-05-20 18:31 GMT+03:00 Steve Grubb sgr...@redhat.com: On Tue, 20 May 2014 18:18:14 +0300 Ismail Yenigul ismailyeni...@gmail.com wrote: I have a scipt to correlate(for user friendly report) auditd 2.2 version logs. It works on RedHat. We have suse 11.4 server running audit 2.0.5 version . I could not see any major log format difference between two version. I see that there is nametype=NORMAL field difference at the end of each line for version 2.2. This is not related to auditd. This is a change in the kernel. Auditd just distributes events to disk and other applications. Is there any other log format changes between two versions? There are likely differences in the kernels (and possibly user space apps). I have no idea what they are. -Steve -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: auditd 2.0.5 and 2.2 log format changes
On Tue, 2014-05-20 at 18:35 +0300, Ismail Yenigul wrote: Thanks for prompt reply. The kernel versions are very close. Not really. RHEL kernels are vastly different from the old 2.6.32 kernel. In this case, the RHEL kernel gives some very new information which didn't exist back in 2.6.37. In other words, the 2.6.32 RHEL kernel is 'newer' than the 2.6.37 SUSE kernel. Does that make sense? Redhat: 2.6.32-431.11.2.el6.x86_64 Suse: 2.6.37.1-1.2-desktop I have a scipt to correlate(for user friendly report) auditd 2.2 version logs. It works on RedHat. We have suse 11.4 server running audit 2.0.5 version . I could not see any major log format difference between two version. I see that there is nametype=NORMAL field difference at the end of each line for version 2.2. This is a new key=value pair which tells you something about this particular name record. Imagine you called rename() and placed one file on top of another existing file. In old kernels you'd end up with about 4 different audit names: old parent dir, new parent dir, the old file being moved, and the existing file being unlinked because of the rename() on top of it. This field is supposed to help you figure out which of these audit names goes with which part of the syscall. Make sense? -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: auditd 2.0.5 and 2.2 log format changes
Thank you for valuable details. We will see what will happen in the field By the way, do you have a plan to use Solaris bsm style output. All info stored in a single line in bsm output. This is more human friendly output.. But redhat auditd create multi lines and every syscall has different number of lines with different number of fields in every line. Thanks 20 May 2014 20:02 tarihinde Eric Paris epa...@redhat.com yazdı: On Tue, 2014-05-20 at 18:35 +0300, Ismail Yenigul wrote: Thanks for prompt reply. The kernel versions are very close. Not really. RHEL kernels are vastly different than the old 2.6.32 kernel. In this case, the RHEL kernel gives some very very new information which didn't exist back in 2.6.37. Aka the 2.6.32 rhel kernel is 'newer' than the 2.6.37 suse kernel. Does that make sense? Redhat: 2.6.32-431.11.2.el6.x86_64 Suse: 2.6.37.1-1.2-desktop I have a scipt to correlate(for user friendly report) auditd 2.2 version logs. It works on RedHat. We have suse 11.4 server running audit 2.0.5 version . I could not see any major log format difference between two version. I see that there is nametype=NORMAL field difference at the end of each line for version 2.2. This is a new key=value pair which tells your something about this particular name record. Imagine you called rename() and placed on file on top of another existing file. In old kernels you'd end up with about 4 different audit names. Old parent dir, new parent dir, old file moving, new file being unlink() because of the rename() on top of it. This field is supposed to help you figure out which of these audit names goes with which part of the syscall. Make sense? -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: auditd 2.0.5 and 2.2 log format changes
On Tue, 20 May 2014 21:23:59 +0300 Ismail Yenigul ismailyeni...@gmail.com wrote: By the way, do you have a plan to use Solaris bsm style output. All info stored in a single line in bsm output. The simple answer: no. The design of the Linux audit system is different from the Solaris audit system. The multiple lines come from different parts of the kernel contributing what they know about the syscall once it has been determined to be an event of interest. This is more human friendly output. There are some plans to make the output easier to understand. It's just that there are other problems that need fixing before work can start on that. -Steve -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit