[PATCH V3 3/6] namespaces: expose ns instance serial numbers in proc

2014-05-20 Thread Richard Guy Briggs
Expose the namespace instance serial numbers in the proc filesystem at
/proc/pid/ns/ns_snum.  The link text gives the serial number in hex.

snum was chosen instead of seq for consistency with inum and there are a
number of other uses of seq in the namespace code.

Suggested-by: Serge E. Hallyn se...@hallyn.com
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
 fs/proc/namespaces.c |   33 +
 1 files changed, 25 insertions(+), 8 deletions(-)

diff --git a/fs/proc/namespaces.c b/fs/proc/namespaces.c
index 9ae46b8..57fce90 100644
--- a/fs/proc/namespaces.c
+++ b/fs/proc/namespaces.c
@@ -47,12 +47,15 @@ static char *ns_dname(struct dentry *dentry, char *buffer, 
int buflen)
struct inode *inode = dentry-d_inode;
const struct proc_ns_operations *ns_ops = PROC_I(inode)-ns.ns_ops;
 
-   return dynamic_dname(dentry, buffer, buflen, %s:[%lu],
-   ns_ops-name, inode-i_ino);
+   if (strstr(dentry-d_iname, _snum))
+   return dynamic_dname(dentry, buffer, buflen, %s_snum:[%llx],
+   ns_ops-name, ns_ops-snum(PROC_I(inode)-ns.ns));
+   else
+   return dynamic_dname(dentry, buffer, buflen, %s:[%lu],
+   ns_ops-name, inode-i_ino);
 }
 
-const struct dentry_operations ns_dentry_operations =
-{
+const struct dentry_operations ns_dentry_operations = {
.d_delete   = always_delete_dentry,
.d_dname= ns_dname,
 };
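Review bot: The new branch in ns_dname decides which format to use by calling `strstr()` on `dentry->d_iname`, the short-name inline buffer that only holds the name when it fits in DNAME_INLINE_LEN; `dentry->d_name.name` is the field that is valid for every dentry, and `strstr()` also accepts `_snum` anywhere in the name rather than only as the suffix. The same test is copied into the proc_ns_readlink hunk below and has the same problem there. A suffix check on the full name is what the readdir/lookup side actually generates: `const char *n = dentry->d_name.name; size_t l = strlen(n);` followed by `if (l > 5 && !strcmp(n + l - 5, "_snum"))`. A small `static bool ns_dentry_is_snum(const struct dentry *)` helper would let both call sites share it.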
@@ -160,7 +163,10 @@ static int proc_ns_readlink(struct dentry *dentry, char 
__user *buffer, int bufl
if (!ns)
goto out_put_task;
 
-   snprintf(name, sizeof(name), %s:[%u], ns_ops-name, ns_ops-inum(ns));
+   if (strstr(dentry-d_iname, _snum))
+   snprintf(name, sizeof(name), %s_snum:[%llx], ns_ops-name, 
ns_ops-snum(ns));
+   else
+   snprintf(name, sizeof(name), %s:[%u], ns_ops-name, 
ns_ops-inum(ns));
len = strlen(name);
 
if (len  buflen)
@@ -216,16 +222,23 @@ static int proc_ns_dir_readdir(struct file *file, struct 
dir_context *ctx)
 
if (!dir_emit_dots(file, ctx))
goto out;
-   if (ctx-pos = 2 + ARRAY_SIZE(ns_entries))
+   if (ctx-pos = 2 + 2 * ARRAY_SIZE(ns_entries))
goto out;
entry = ns_entries + (ctx-pos - 2);
last = ns_entries[ARRAY_SIZE(ns_entries) - 1];
while (entry = last) {
const struct proc_ns_operations *ops = *entry;
+   char name[50];
+
if (!proc_fill_cache(file, ctx, ops-name, strlen(ops-name),
 proc_ns_instantiate, task, ops))
break;
ctx-pos++;
+   snprintf(name, sizeof(name), %s_snum, ops-name);
+   if (!proc_fill_cache(file, ctx, name, strlen(name),
+proc_ns_instantiate, task, ops))
+   break;
+   ctx-pos++;
entry++;
}
 out:
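Review bot: The position-to-entry mapping in proc_ns_dir_readdir was not updated for the second entry per namespace type: the bound now allows `ctx->pos` up to `2 + 2 * ARRAY_SIZE(ns_entries)`, but `entry = ns_entries + (ctx->pos - 2)` still assumes one entry per position, so a getdents() call that resumes at an odd position (e.g. after only "mnt" was emitted) restarts at the wrong `ns_entries` slot and the `_snum` entries it should emit are skipped or duplicated. Positions above `2 + ARRAY_SIZE(ns_entries)` simply fall out of the loop, so the remaining entries are never returned to a caller that reads the directory in small chunks. The mapping should divide by two and the plain-name emit should be skipped when resuming at an odd offset, as below. proc_ns_dir_readdir starts before this hunk.
```c
	if (ctx->pos >= 2 + 2 * ARRAY_SIZE(ns_entries))
		goto out;
	/* two entries per type: "<name>" at even offsets, "<name>_snum" at odd */
	entry = ns_entries + (ctx->pos - 2) / 2;
	last = &ns_entries[ARRAY_SIZE(ns_entries) - 1];
	while (entry <= last) {
		const struct proc_ns_operations *ops = *entry;
		char name[50];

		if (!((ctx->pos - 2) & 1)) {
			if (!proc_fill_cache(file, ctx, ops->name, strlen(ops->name),
					     proc_ns_instantiate, task, ops))
				break;
			ctx->pos++;
		}
		snprintf(name, sizeof(name), "%s_snum", ops->name);
		if (!proc_fill_cache(file, ctx, name, strlen(name),
				     proc_ns_instantiate, task, ops))
			break;
		ctx->pos++;
		entry++;
	}
```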
@@ -253,9 +266,13 @@ static struct dentry *proc_ns_dir_lookup(struct inode *dir,
 
last = ns_entries[ARRAY_SIZE(ns_entries)];
for (entry = ns_entries; entry  last; entry++) {
-   if (strlen((*entry)-name) != len)
+   char name[50];
+
+   snprintf(name, sizeof(name), %s_snum, (*entry)-name);
+   if (strlen((*entry)-name) != len  strlen(name) != len)
continue;
-   if (!memcmp(dentry-d_name.name, (*entry)-name, len))
+   if (!memcmp(dentry-d_name.name, (*entry)-name, len)
+   || !memcmp(dentry-d_name.name, name, len))
break;
}
if (entry == last)
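Review bot: Relaxing the length test to `strlen((*entry)->name) != len && strlen(name) != len` lets the following `memcmp()` read past the end of `(*entry)->name`: when `len` matches the `_snum` name (8 for "mnt_snum") but not the plain name, `memcmp(dentry->d_name.name, (*entry)->name, len)` compares 8 bytes against the 3-character literal "mnt", an out-of-bounds read of the string constant that can also yield a false match. Each comparison needs its own length guard: `if ((strlen((*entry)->name) == len && !memcmp(dentry->d_name.name, (*entry)->name, len)) ||` `    (strlen(name) == len && !memcmp(dentry->d_name.name, name, len)))` `	break;` and the preceding `continue` test can then be dropped. proc_ns_dir_lookup continues past the end of this hunk.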
-- 
1.7.1



[PATCH V3 6/6] audit: log creation and deletion of namespace instances

2014-05-20 Thread Richard Guy Briggs
Log the creation and deletion of namespace instances in all 6 types of
namespaces.

Two new audit message types have been introduced:
AUDIT_NS_INIT   1329
AUDIT_NS_DEL1330

The output format should look roughly:

type=NS_INIT msg=audit(1400217435.706:94): pid=524 uid=0 auid=4294967295 
ses=4294967295 subj=system_u:system_r:mount_t:s0 type=2 old_snum=0 snum=a 
res=1
type=NS_DEL msg=audit(1400217435.730:95): pid=524 uid=0 auid=4294967295 
ses=4294967295 subj=system_u:system_r:mount_t:s0 type=2 snum=a res=1

If non-zero, old_snum lists the namespace from which it was cloned.
The types are CLONE_NEW* listed in include/uapi/linux/sched.h.

Signed-off-by: Richard Guy Briggs r...@redhat.com
---
 fs/namespace.c |4 
 include/linux/audit.h  |8 
 include/uapi/linux/audit.h |2 ++
 ipc/namespace.c|   10 ++
 kernel/audit.c |   32 
 kernel/pid_namespace.c |   10 ++
 kernel/user_namespace.c|9 +
 kernel/utsname.c   |   10 ++
 net/core/net_namespace.c   |5 +
 9 files changed, 90 insertions(+), 0 deletions(-)

diff --git a/fs/namespace.c b/fs/namespace.c
index 74348c4..f33efb3 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -24,6 +24,7 @@
 #include linux/proc_ns.h
 #include linux/magic.h
 #include linux/bootmem.h
+#include linux/audit.h
 #include pnode.h
 #include internal.h
 
@@ -2445,6 +2446,7 @@ dput_out:
 
 static void free_mnt_ns(struct mnt_namespace *ns)
 {
+   audit_log_ns_del(CLONE_NEWNS, ns-serial_num);
proc_free_inum(ns-proc_inum);
put_user_ns(ns-user_ns);
kfree(ns);
@@ -2505,6 +2507,7 @@ struct mnt_namespace *copy_mnt_ns(unsigned long flags, 
struct mnt_namespace *ns,
new_ns = alloc_mnt_ns(user_ns);
if (IS_ERR(new_ns))
return new_ns;
+   audit_log_ns_init(CLONE_NEWNS, ns-serial_num, new_ns-serial_num);
 
namespace_lock();
/* First pass: copy the tree topology */
@@ -2568,6 +2571,7 @@ static struct mnt_namespace *create_mnt_ns(struct 
vfsmount *m)
mnt-mnt_ns = new_ns;
new_ns-root = mnt;
list_add(mnt-mnt_list, new_ns-list);
+   audit_log_ns_init(CLONE_NEWNS, 0, new_ns-serial_num);
} else {
mntput(m);
}
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 0ef404a..3ba8216 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -466,6 +466,9 @@ extern void audit_log_key(struct audit_buffer 
*ab,
  char *key);
 extern voidaudit_log_link_denied(const char *operation,
  struct path *link);
+extern int audit_log_ns_init(int type, long long old_snum,
+ long long snum);
+extern int audit_log_ns_del(int type, long long snum);
 extern voidaudit_log_lost(const char *message);
 #ifdef CONFIG_SECURITY
 extern voidaudit_log_secctx(struct audit_buffer *ab, u32 
secid);
@@ -524,6 +527,11 @@ static inline void audit_log_key(struct audit_buffer *ab, 
char *key)
 static inline void audit_log_link_denied(const char *string,
 const struct path *link)
 { }
+static inline int audit_log_ns_init(int type, long long old_snum,
+   long long snum)
+{ }
+static inline int audit_log_ns_del(int type, long long snum)
+{ }
 static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid)
 { }
 static inline int audit_log_task_context(struct audit_buffer *ab)
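Review bot: The `!CONFIG_AUDIT` stubs `audit_log_ns_init` and `audit_log_ns_del` are declared to return `int` but have empty bodies `{ }`, so reaching the end of either is undefined behaviour if a caller ever uses the result, and -Wall builds without audit will warn about control reaching the end of a non-void function. The neighbouring stubs copied here (`audit_log_link_denied`, `audit_log_secctx`) are `void`, which is why the pattern looked right. Either write `{ return 0; }` in both stubs, or, since every caller added in this series ignores the result, declare the real functions and the stubs `void` in the first hunk of this file as well.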
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 573dc36..ac177fd 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -110,6 +110,8 @@
 #define AUDIT_SECCOMP  1326/* Secure Computing event */
 #define AUDIT_PROCTITLE1327/* Proctitle emit event */
 #define AUDIT_FEATURE_CHANGE   1328/* audit log listing feature changes */
+#define AUDIT_NS_INIT  1329/* Record namespace instance creation */
+#define AUDIT_NS_DEL   1330/* Record namespace instance deletion */
 
 #define AUDIT_AVC  1400/* SE Linux avc denial or grant */
 #define AUDIT_SELINUX_ERR  1401/* Internal SE Linux Errors */
diff --git a/ipc/namespace.c b/ipc/namespace.c
index 36ce7ff..5b2b897 100644
--- a/ipc/namespace.c
+++ b/ipc/namespace.c
@@ -13,6 +13,7 @@
 #include linux/mount.h
 #include linux/user_namespace.h
 #include linux/proc_ns.h
+#include linux/audit.h
 
 #include util.h
 
@@ -42,6 +43,7 @@ static struct ipc_namespace *create_ipc_ns(struct 
user_namespace *user_ns,
atomic_inc(nr_ipc_ns);
 
ns-serial_num = ns_serial();
+   audit_log_ns_init(CLONE_NEWIPC, old_ns-serial_num, ns-serial_num);
 

[PATCH V3 2/6] namespaces: expose namespace instance serial number in proc_ns_operations

2014-05-20 Thread Richard Guy Briggs
Expose the namespace instance serial number for each namespace type in the proc
namespace operations structure to make it available for the proc filesystem.

Signed-off-by: Richard Guy Briggs r...@redhat.com
---
 fs/namespace.c   |7 +++
 include/linux/proc_ns.h  |1 +
 ipc/namespace.c  |8 
 kernel/pid_namespace.c   |7 +++
 kernel/user_namespace.c  |7 +++
 kernel/utsname.c |8 
 net/core/net_namespace.c |7 +++
 7 files changed, 45 insertions(+), 0 deletions(-)

diff --git a/fs/namespace.c b/fs/namespace.c
index b4a31aa..74348c4 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -3014,6 +3014,12 @@ static unsigned int mntns_inum(void *ns)
return mnt_ns-proc_inum;
 }
 
+static long long mntns_snum(void *ns)
+{
+   struct mnt_namespace *mnt_ns = ns;
+   return mnt_ns-serial_num;
+}
+
 const struct proc_ns_operations mntns_operations = {
.name   = mnt,
.type   = CLONE_NEWNS,
@@ -3021,4 +3027,5 @@ const struct proc_ns_operations mntns_operations = {
.put= mntns_put,
.install= mntns_install,
.inum   = mntns_inum,
+   .snum   = mntns_snum,
 };
diff --git a/include/linux/proc_ns.h b/include/linux/proc_ns.h
index 34a1e10..aaafe3e 100644
--- a/include/linux/proc_ns.h
+++ b/include/linux/proc_ns.h
@@ -14,6 +14,7 @@ struct proc_ns_operations {
void (*put)(void *ns);
int (*install)(struct nsproxy *nsproxy, void *ns);
unsigned int (*inum)(void *ns);
+   long long (*snum)(void *ns);
 };
 
 struct proc_ns {
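Review bot: The new `snum` callback returns a signed `long long`, while the consumers in patch 3/6 format it with `%llx`, which expects `unsigned long long`, and the cover letter says the value comes from an atomic64 counter; `u64 (*snum)(void *ns);` would match that source and remove the signed/unsigned format mismatch. The `serial_num` fields and the six accessor hunks in this patch (fs/namespace.c, ipc/namespace.c, kernel/pid_namespace.c, kernel/user_namespace.c, kernel/utsname.c, net/core/net_namespace.c) would change the same way. The member also deserves a one-line comment on what the number is, e.g. `/* instance serial number, unique only within one boot; see ns_serial() */`, since nothing in this header says so.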
diff --git a/ipc/namespace.c b/ipc/namespace.c
index 76dac5c..36ce7ff 100644
--- a/ipc/namespace.c
+++ b/ipc/namespace.c
@@ -191,6 +191,13 @@ static unsigned int ipcns_inum(void *vp)
return ns-proc_inum;
 }
 
+static long long ipcns_snum(void *vp)
+{
+   struct ipc_namespace *ns = vp;
+
+   return ns-serial_num;
+}
+
 const struct proc_ns_operations ipcns_operations = {
.name   = ipc,
.type   = CLONE_NEWIPC,
@@ -198,4 +205,5 @@ const struct proc_ns_operations ipcns_operations = {
.put= ipcns_put,
.install= ipcns_install,
.inum   = ipcns_inum,
+   .snum   = ipcns_snum,
 };
diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c
index c24f207..5473364 100644
--- a/kernel/pid_namespace.c
+++ b/kernel/pid_namespace.c
@@ -368,6 +368,12 @@ static unsigned int pidns_inum(void *ns)
return pid_ns-proc_inum;
 }
 
+static long long pidns_snum(void *ns)
+{
+   struct pid_namespace *pid_ns = ns;
+   return pid_ns-serial_num;
+}
+
 const struct proc_ns_operations pidns_operations = {
.name   = pid,
.type   = CLONE_NEWPID,
@@ -375,6 +381,7 @@ const struct proc_ns_operations pidns_operations = {
.put= pidns_put,
.install= pidns_install,
.inum   = pidns_inum,
+   .snum   = pidns_snum,
 };
 
 static __init int pid_namespaces_init(void)
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index 750241c..d2e9365 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -890,6 +890,12 @@ static unsigned int userns_inum(void *ns)
return user_ns-proc_inum;
 }
 
+static long long userns_snum(void *ns)
+{
+   struct user_namespace *user_ns = ns;
+   return user_ns-serial_num;
+}
+
 const struct proc_ns_operations userns_operations = {
.name   = user,
.type   = CLONE_NEWUSER,
@@ -897,6 +903,7 @@ const struct proc_ns_operations userns_operations = {
.put= userns_put,
.install= userns_install,
.inum   = userns_inum,
+   .snum   = userns_snum,
 };
 
 static __init int user_namespaces_init(void)
diff --git a/kernel/utsname.c b/kernel/utsname.c
index d0cf7b5..ffeac1b 100644
--- a/kernel/utsname.c
+++ b/kernel/utsname.c
@@ -132,6 +132,13 @@ static unsigned int utsns_inum(void *vp)
return ns-proc_inum;
 }
 
+static long long utsns_snum(void *vp)
+{
+   struct uts_namespace *ns = vp;
+
+   return ns-serial_num;
+}
+
 const struct proc_ns_operations utsns_operations = {
.name   = uts,
.type   = CLONE_NEWUTS,
@@ -139,4 +146,5 @@ const struct proc_ns_operations utsns_operations = {
.put= utsns_put,
.install= utsns_install,
.inum   = utsns_inum,
+   .snum   = utsns_snum,
 };
diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
index 81e6671..dd7c085 100644
--- a/net/core/net_namespace.c
+++ b/net/core/net_namespace.c
@@ -671,6 +671,12 @@ static unsigned int netns_inum(void *ns)
return net-proc_inum;
 }
 
+static long long netns_snum(void *ns)
+{
+   struct net *net = ns;
+   return net-serial_num;
+}
+
 const struct proc_ns_operations 

[PATCH V3 1/6] namespaces: assign each namespace instance a serial number

2014-05-20 Thread Richard Guy Briggs
Generate and assign a serial number per namespace instance since boot.

Use a serial number per namespace (unique across one boot of one kernel)
instead of the inode number (which is claimed to have had the right to change
reserved and is not necessarily unique if there is more than one proc fs) to
uniquely identify it per kernel boot.

Signed-off-by: Richard Guy Briggs r...@redhat.com
---
 fs/mount.h |1 +
 fs/namespace.c |1 +
 include/linux/ipc_namespace.h  |1 +
 include/linux/nsproxy.h|8 
 include/linux/pid_namespace.h  |1 +
 include/linux/user_namespace.h |1 +
 include/linux/utsname.h|1 +
 include/net/net_namespace.h|1 +
 init/version.c |1 +
 ipc/msgutil.c  |1 +
 ipc/namespace.c|2 ++
 kernel/nsproxy.c   |   17 +
 kernel/pid.c   |1 +
 kernel/pid_namespace.c |2 ++
 kernel/user.c  |1 +
 kernel/user_namespace.c|2 ++
 kernel/utsname.c   |2 ++
 net/core/net_namespace.c   |8 +++-
 18 files changed, 51 insertions(+), 1 deletions(-)

diff --git a/fs/mount.h b/fs/mount.h
index b29e42f..8588fc5 100644
--- a/fs/mount.h
+++ b/fs/mount.h
@@ -5,6 +5,7 @@
 struct mnt_namespace {
atomic_tcount;
unsigned intproc_inum;
+   long long   serial_num;
struct mount *  root;
struct list_headlist;
struct user_namespace   *user_ns;
diff --git a/fs/namespace.c b/fs/namespace.c
index 2ffc5a2..b4a31aa 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2472,6 +2472,7 @@ static struct mnt_namespace *alloc_mnt_ns(struct 
user_namespace *user_ns)
kfree(new_ns);
return ERR_PTR(ret);
}
+   new_ns-serial_num = ns_serial();
new_ns-seq = atomic64_add_return(1, mnt_ns_seq);
atomic_set(new_ns-count, 1);
new_ns-root = NULL;
diff --git a/include/linux/ipc_namespace.h b/include/linux/ipc_namespace.h
index 35e7eca..8ccfb2d 100644
--- a/include/linux/ipc_namespace.h
+++ b/include/linux/ipc_namespace.h
@@ -69,6 +69,7 @@ struct ipc_namespace {
struct user_namespace *user_ns;
 
unsigned intproc_inum;
+   long long   serial_num;
 };
 
 extern struct ipc_namespace init_ipc_ns;
diff --git a/include/linux/nsproxy.h b/include/linux/nsproxy.h
index b4ec59d..8e5fe0d 100644
--- a/include/linux/nsproxy.h
+++ b/include/linux/nsproxy.h
@@ -66,6 +66,14 @@ static inline struct nsproxy *task_nsproxy(struct 
task_struct *tsk)
return rcu_dereference(tsk-nsproxy);
 }
 
+long long ns_serial(void);
+enum {
+   NS_IPC_INIT_SN  = 1,
+   NS_UTS_INIT_SN  = 2,
+   NS_USER_INIT_SN = 3,
+   NS_PID_INIT_SN  = 4,
+};
+
 int copy_namespaces(unsigned long flags, struct task_struct *tsk);
 void exit_task_namespaces(struct task_struct *tsk);
 void switch_task_namespaces(struct task_struct *tsk, struct nsproxy *new);
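Review bot: The `NS_*_INIT_SN` enum introduces fixed serial numbers with no comment explaining what they are or how `ns_serial()`, whose definition is outside this hunk, stays clear of them. I would add above the enum: `/* Serial numbers reserved for the boot-time init_*_ns instances; ns_serial() must return values above the highest of these. */` and note that the mount and net init namespaces are absent from the list, which presumably means they are assigned dynamically — worth confirming against kernel/nsproxy.c and stating here. A short comment on `long long ns_serial(void);` saying the value is unique only within one boot of one kernel, as the cover letter does, would also help readers of this header.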
diff --git a/include/linux/pid_namespace.h b/include/linux/pid_namespace.h
index 7246ef3..4d8023e 100644
--- a/include/linux/pid_namespace.h
+++ b/include/linux/pid_namespace.h
@@ -43,6 +43,7 @@ struct pid_namespace {
int hide_pid;
int reboot; /* group exit code if this pidns was rebooted */
unsigned int proc_inum;
+   long long   serial_num;
 };
 
 extern struct pid_namespace init_pid_ns;
diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
index 4836ba3..159ac26 100644
--- a/include/linux/user_namespace.h
+++ b/include/linux/user_namespace.h
@@ -27,6 +27,7 @@ struct user_namespace {
kuid_t  owner;
kgid_t  group;
unsigned intproc_inum;
+   long long   serial_num;
 
/* Register of per-UID persistent keyrings for this namespace */
 #ifdef CONFIG_PERSISTENT_KEYRINGS
diff --git a/include/linux/utsname.h b/include/linux/utsname.h
index 239e277..8490197 100644
--- a/include/linux/utsname.h
+++ b/include/linux/utsname.h
@@ -24,6 +24,7 @@ struct uts_namespace {
struct new_utsname name;
struct user_namespace *user_ns;
unsigned int proc_inum;
+   long long   serial_num;
 };
 extern struct uts_namespace init_uts_ns;
 
diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
index 991dcd9..42d38f9 100644
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -59,6 +59,7 @@ struct net {
struct user_namespace   *user_ns;   /* Owning user namespace */
 
unsigned intproc_inum;
+   long long   serial_num;
 
struct proc_dir_entry   *proc_net;
struct proc_dir_entry   *proc_net_stat;
diff --git a/init/version.c b/init/version.c
index 1a4718e..cfdcb85 100644
--- a/init/version.c
+++ b/init/version.c
@@ -36,6 +36,7 @@ struct uts_namespace init_uts_ns = {

[PATCH V3 0/6] namespaces: log namespaces per task

2014-05-20 Thread Richard Guy Briggs
The purpose is to track namespaces in use by logged processes from the
perspective of init_*_ns.

1/6 defines a function to generate them and assigns them.

Use a serial number per namespace (unique across one boot of one kernel)
instead of the inode number (which is claimed to have had the right to change
reserved and is not necessarily unique if there is more than one proc fs).  It
could be argued that the inode numbers have now become a defacto interface and
can't change now, but I'm proposing this approach to see if this helps address
some of the objections to the earlier patchset.

2/6 adds access functions to get to the serial numbers in a similar way to
inode access for namespace proc operations.

3/6 implements, as suggested by Serge Hallyn, making these serial numbers
available in /proc/self/ns/{ipc,mnt,net,pid,user,uts}_snum.  I chose snum
instead of seq for consistency with inum and there are a number of other uses
of seq in the namespace code.

4/6 exposes proc's ns entries structure which lists a number of useful
operations per namespace type for other subsystems to use.

5/6 provides an example of usage for audit_log_task_info() which is used by
syscall audits, among others.  audit_log_task() and audit_common_recv_message()
would be other potential use cases.

Proposed output format:
This differs slightly from Aristeu's patch because of the label conflict with
pid= due to including it in existing records rather than it being a separate
record.  The serial numbers are printed in hex.
type=SYSCALL msg=audit(1399651071.433:72): arch=c03e syscall=272 
success=yes exit=0 a0=4000 a1= a2=0 a3=22 items=0 ppid=1 
pid=483 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
tty=(none) ses=4294967295 comm=(t-daemon) exe=/usr/lib/systemd/systemd 
netns=97 utsns=2 ipcns=1 pidns=4 userns=3 mntns=5 
subj=system_u:system_r:init_t:s0 key=(null)

6/6 tracks the creation and deletion of namespaces, listing the type of
namespace instance, related namespace id if there is one and the newly minted
serial number.

Proposed output format:
type=NS_INIT msg=audit(1400217435.706:94): pid=524 uid=0 
auid=4294967295 ses=4294967295 subj=system_u:system_r:mount_t:s0 type=2 
old_snum=0 snum=a1 res=1
type=NS_DEL msg=audit(1400217435.730:95): pid=524 uid=0 auid=4294967295 
ses=4294967295 subj=system_u:system_r:mount_t:s0 type=2 snum=a1 res=1


v2 - v3:
Use atomic64_t in ns_serial to simplify it.
Avoid function duplication in proc, keying on dentry.
Squash down audit patch to avoid rcu sleep issues.
Add tracking for creation and deletion of namespace instances.

v1 - v2:
Avoid rollover by switching from an int to a long long.
Change rollover behaviour from simply avoiding zero to raising a BUG.
Expose serial numbers in /proc/pid/ns/*_snum.
Expose ns_entries and use it in audit.


Notes:
There has been some progress made for audit in net namespaces and pid
namespaces since this previous thread.  net namespaces are now served as peers
by one auditd in the init_net namespace with processes in a non-init_net
namespace being able to write records if they are in the init_user_ns and have
CAP_AUDIT_WRITE.  Processes in a non-init_pid_ns can now similarly write
records.  As for CAP_AUDIT_READ, I just posted a patchset to check capabilities
of userspace processes that try to join netlink broadcast groups.

This set does not try to solve the non-init namespace audit messages and
auditd problem yet.  That will come later, likely with additional auditd
instances running in another namespace with a limited ability to influence the
master auditd.  I echo Eric B's idea that messages destined for different
namespaces would have to be tailored for that namespace with references that
make sense (such as the right pid number reported to that pid namespace, and
not leaking info about parents or peers).

Bugs:
Patch 6/6 has a timing bug such that mnt and net namespace initial namespaces
never get logged, I suspect because they are initialized before the audit
subsystem.  I've tried moving audit from __initcall to subsys_initcall, but
that doesn't help.

Questions:
Is there a way to link serial numbers of namespaces involved in migration of a
container to another kernel?  It sounds like what is needed is a part of a
management application that is able to pull the audit records from constituent
hosts to build an audit trail of a container.

What additional events should list this information?

Does this present any problematic information leaks?  Only CAP_AUDIT_CONTROL
(and proposed CAP_AUDIT_READ) in init_user_ns can get to this information in
the init namespace at the moment from audit.  *However*, the addition of the
proc/pid/ns/*_snum does make it available to other processes now.


Richard Guy Briggs (6):
  namespaces: assign each namespace instance a serial number
  namespaces: expose namespace instance 

Re: [PATCH V3 0/6] namespaces: log namespaces per task

2014-05-20 Thread Eric Paris
On Tue, 2014-05-20 at 09:12 -0400, Richard Guy Briggs wrote:
 The purpose is to track namespaces in use by logged processes from the
 perspective of init_*_ns.
 
 1/6 defines a function to generate them and assigns them.
 
 Use a serial number per namespace (unique across one boot of one kernel)
 instead of the inode number (which is claimed to have had the right to change
 reserved and is not necessarily unique if there is more than one proc fs).  It
 could be argued that the inode numbers have now become a defacto interface and
 can't change now, but I'm proposing this approach to see if this helps address
 some of the objections to the earlier patchset.
 
 2/6 adds access functions to get to the serial numbers in a similar way to
 inode access for namespace proc operations.
 
 3/6 implements, as suggested by Serge Hallyn, making these serial numbers
 available in /proc/self/ns/{ipc,mnt,net,pid,user,uts}_snum.  I chose snum
 instead of seq for consistency with inum and there are a number of other 
 uses
 of seq in the namespace code.
 
 4/6 exposes proc's ns entries structure which lists a number of useful
 operations per namespace type for other subsystems to use.
 
 5/6 provides an example of usage for audit_log_task_info() which is used by
 syscall audits, among others.  audit_log_task() and 
 audit_common_recv_message()
 would be other potential use cases.
 
 Proposed output format:
 This differs slightly from Aristeu's patch because of the label conflict with
 pid= due to including it in existing records rather than it being a seperate
 record.  The serial numbers are printed in hex.
   type=SYSCALL msg=audit(1399651071.433:72): arch=c03e syscall=272 
 success=yes exit=0 a0=4000 a1= a2=0 a3=22 items=0 ppid=1 
 pid=483 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
 fsgid=0 tty=(none) ses=4294967295 comm=(t-daemon) 
 exe=/usr/lib/systemd/systemd netns=97 utsns=2 ipcns=1 pidns=4 userns=3 
 mntns=5 subj=system_u:system_r:init_t:s0 key=(null)

I'm undecided if I'd rather see this as a separate NS_INFO record type.
It would mean we could filter them out of the logs...

Do we print out lots of pidns=0 for tasks not in a newly created NS?  Do
we want to?

 6/6 tracks the creation and deletion of of namespaces, listing the type of
 namespace instance, related namespace id if there is one and the newly minted
 serial number.
 
 Proposed output format:
   type=NS_INIT msg=audit(1400217435.706:94): pid=524 uid=0 
 auid=4294967295 ses=4294967295 subj=system_u:system_r:mount_t:s0 type=2 
 old_snum=0 snum=a1 res=1

I'd love to be able to grep for netns=20 and find both the NS_INIT and
the SYSCALL/NS_INFO records, instead of having them named different
things.  So basically I think you want to translate the type= into a
string for the old_X= and X=...




Re: [PATCH V3 0/6] namespaces: log namespaces per task

2014-05-20 Thread Richard Guy Briggs
On 14/05/20, Eric Paris wrote:
 On Tue, 2014-05-20 at 09:12 -0400, Richard Guy Briggs wrote:
  The purpose is to track namespaces in use by logged processes from the
  perspective of init_*_ns.
  
  1/6 defines a function to generate them and assigns them.
  
  Use a serial number per namespace (unique across one boot of one kernel)
  instead of the inode number (which is claimed to have had the right to 
  change
  reserved and is not necessarily unique if there is more than one proc fs).  
  It
  could be argued that the inode numbers have now become a defacto interface 
  and
  can't change now, but I'm proposing this approach to see if this helps 
  address
  some of the objections to the earlier patchset.
  
  2/6 adds access functions to get to the serial numbers in a similar way to
  inode access for namespace proc operations.
  
  3/6 implements, as suggested by Serge Hallyn, making these serial numbers
  available in /proc/self/ns/{ipc,mnt,net,pid,user,uts}_snum.  I chose snum
  instead of seq for consistency with inum and there are a number of other 
  uses
  of seq in the namespace code.
  
  4/6 exposes proc's ns entries structure which lists a number of useful
  operations per namespace type for other subsystems to use.
  
  5/6 provides an example of usage for audit_log_task_info() which is used by
  syscall audits, among others.  audit_log_task() and 
  audit_common_recv_message()
  would be other potential use cases.
  
  Proposed output format:
  This differs slightly from Aristeu's patch because of the label conflict 
  with
  pid= due to including it in existing records rather than it being a 
  seperate
  record.  The serial numbers are printed in hex.
  type=SYSCALL msg=audit(1399651071.433:72): arch=c03e syscall=272 
  success=yes exit=0 a0=4000 a1= a2=0 a3=22 items=0 
  ppid=1 pid=483 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
  sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=(t-daemon) 
  exe=/usr/lib/systemd/systemd netns=97 utsns=2 ipcns=1 pidns=4 userns=3 
  mntns=5 subj=system_u:system_r:init_t:s0 key=(null)
 
 I'm undecided if I'd rather see this as a separate NS_INFO record type.
 It would mean we could filter them out of the logs...

I don't have a strong opinion either way.  Steve G.'s opinion would be
helpful here.

 Do we print out lots of pidns=0 for tasks not in a newly created NS?  Do
 we want to?

There is no pidns=0, but I understand your point.  This would come
back to Steve G.'s point about disappearing fields, and the value of
having it as a seperate record that could be filtered.

  6/6 tracks the creation and deletion of of namespaces, listing the type of
  namespace instance, related namespace id if there is one and the newly 
  minted
  serial number.
  
  Proposed output format:
  type=NS_INIT msg=audit(1400217435.706:94): pid=524 uid=0 
  auid=4294967295 ses=4294967295 subj=system_u:system_r:mount_t:s0 type=2 
  old_snum=0 snum=a1 res=1
 
 I'd love to be able to grep for netns=20 and find both the NS_INIT and
 the SYSCALL/NS_INFO records, instead of having them named different
 things.  So basically I think you want to translate the type= into a
 string for the old_X= and X=...

That actually makes a bit more sense, and we could do away with the
type= field since the Xns= fields are self-describing.


Any hints on the timing issues mentioned in one of the notes?  I'm
missing initial mntns and netns messages.

- RGB

--
Richard Guy Briggs rbri...@redhat.com
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red 
Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545



auditd 2.0.5 and 2.2 log format changes

2014-05-20 Thread Ismail Yenigul
Hello,

I have a script to correlate (for a user-friendly report) auditd 2.2 version
logs. It works on RedHat.
We have suse 11.4 server running audit 2.0.5 version .

I could not see any major log format difference between two version.
I see that there is  nametype=NORMAL field difference at the end of each
line for version 2.2.

Is there any other log format changes between two versions?

PS: I execute /sbin/ausearch -i -if /var/log/audit/audit.log command before
to start log processing.

Thanks in advance.

Re: auditd 2.0.5 and 2.2 log format changes

2014-05-20 Thread Steve Grubb
On Tue, 20 May 2014 18:18:14 +0300
Ismail Yenigul ismailyeni...@gmail.com wrote:
 I have a scipt to correlate(for user friendly report) auditd 2.2
 version logs. It works on RedHat.
 We have suse 11.4 server running audit 2.0.5 version .
 
 I could not see any major log format difference between two version.
 I see that there is  nametype=NORMAL field difference at the end of
 each line for version 2.2.

This is not related to auditd. This is a change in the kernel. Auditd
just distributes events to disk and other applications.


 Is there any other log format changes between two versions?

There are likely differences in the kernels (and possibly user space
apps). I have no idea what they are.

-Steve



Re: auditd 2.0.5 and 2.2 log format changes

2014-05-20 Thread Ismail Yenigul
Thanks for prompt reply.


The kernel versions are very close.

Redhat: 2.6.32-431.11.2.el6.x86_64
Suse: 2.6.37.1-1.2-desktop

Is there any change in audit.rules format?


Have a nice days.


2014-05-20 18:31 GMT+03:00 Steve Grubb sgr...@redhat.com:

 On Tue, 20 May 2014 18:18:14 +0300
 Ismail Yenigul ismailyeni...@gmail.com wrote:
  I have a scipt to correlate(for user friendly report) auditd 2.2
  version logs. It works on RedHat.
  We have suse 11.4 server running audit 2.0.5 version .
 
  I could not see any major log format difference between two version.
  I see that there is  nametype=NORMAL field difference at the end of
  each line for version 2.2.

 This is not related to auditd. This is a change in the kernel. Auditd
 just distributes events to disk and other applications.


  Is there any other log format changes between two versions?

 There are likely differences in the kernels (and possibly user space
 apps). I have no idea what they are.

 -Steve


Re: auditd 2.0.5 and 2.2 log format changes

2014-05-20 Thread Eric Paris
On Tue, 2014-05-20 at 18:35 +0300, Ismail Yenigul wrote:
 Thanks for prompt reply.
 
 
 
 The kernel versions are very close.

Not really.  RHEL kernels are vastly different than the old 2.6.32
kernel.  In this case, the RHEL kernel gives some very very new
information which didn't exist back in 2.6.37.  Aka the 2.6.32 rhel
kernel is 'newer' than the 2.6.37 suse kernel.  Does that make sense?

 Redhat: 2.6.32-431.11.2.el6.x86_64
 
 Suse: 2.6.37.1-1.2-desktop

 
  I have a scipt to correlate(for user friendly report) auditd
 2.2
  version logs. It works on RedHat.
  We have suse 11.4 server running audit 2.0.5 version .
 
  I could not see any major log format difference between two
 version.
  I see that there is  nametype=NORMAL field difference at the
 end of
  each line for version 2.2.

This is a new key=value pair which tells you something about this
particular name record.  Imagine you called rename() and placed on file
on top of another existing file.  In old kernels you'd end up with about
4 different audit names.  Old parent dir, new parent dir, old file
moving, new file being unlink() because of the rename() on top of it.
This field is supposed to help you figure out which of these audit names
goes with which part of the syscall.  Make sense?




Re: auditd 2.0.5 and 2.2 log format changes

2014-05-20 Thread Ismail Yenigul
Thank you for valuable details. We will see what will happen in the field

By the way,  do you have a plan to use Solaris bsm style output. All info
stored in a single line in bsm output. This is more human friendly output..
But redhat auditd create multi lines and every syscall has different number
of lines with different number of fields in every line.
Thanks
20 May 2014 20:02 tarihinde Eric Paris epa...@redhat.com yazdı:

 On Tue, 2014-05-20 at 18:35 +0300, Ismail Yenigul wrote:
  Thanks for prompt reply.
 
 
 
  The kernel versions are very close.

 Not really.  RHEL kernels are vastly different than the old 2.6.32
 kernel.  In this case, the RHEL kernel gives some very very new
 information which didn't exist back in 2.6.37.  Aka the 2.6.32 rhel
 kernel is 'newer' than the 2.6.37 suse kernel.  Does that make sense?

  Redhat: 2.6.32-431.11.2.el6.x86_64
 
  Suse: 2.6.37.1-1.2-desktop

 
   I have a scipt to correlate(for user friendly report) auditd
  2.2
   version logs. It works on RedHat.
   We have suse 11.4 server running audit 2.0.5 version .
  
   I could not see any major log format difference between two
  version.
   I see that there is  nametype=NORMAL field difference at the
  end of
   each line for version 2.2.

 This is a new key=value pair which tells your something about this
 particular name record.  Imagine you called rename() and placed on file
 on top of another existing file.  In old kernels you'd end up with about
 4 different audit names.  Old parent dir, new parent dir, old file
 moving, new file being unlink() because of the rename() on top of it.
 This field is supposed to help you figure out which of these audit names
 goes with which part of the syscall.  Make sense?




Re: auditd 2.0.5 and 2.2 log format changes

2014-05-20 Thread Steve Grubb
On Tue, 20 May 2014 21:23:59 +0300
Ismail Yenigul ismailyeni...@gmail.com wrote:
 By the way,  do you have a plan to use Solaris bsm style output. All
 info stored in a single line in bsm output.

The simple answer is no. The design of the Linux audit system is
different than the Solaris audit system. The multiple lines comes from
different parts of the kernel contributing what it knows about the
syscall once its been determined to be an event of interest.

 This is more human friendly output.

There are some plans to make the output easier to understand. It's just
that there are other problems that need fixing before work can start on
that.

-Steve
