Re: [RFC PATCH V1 00/12] audit: implement container id
On Sun, 2018-03-04 at 22:31 -0500, Richard Guy Briggs wrote: > On 2018-03-04 16:55, Mimi Zohar wrote: > > On Thu, 2018-03-01 at 14:41 -0500, Richard Guy Briggs wrote: > > > Implement audit kernel container ID. > > > > > > This patchset is a preliminary RFC based on the proposal document (V3) > > > posted: > > > https://www.redhat.com/archives/linux-audit/2018-January/msg00014.html > > > > > > The first patch implements the proc fs write to set the audit container > > > ID of a process, emitting an AUDIT_CONTAINER record. > > > > > > The second implements an auxiliary syscall record AUDIT_CONTAINER_INFO > > > if a container ID is present on a task. > > > > > > The third adds filtering to the exit, exclude and user lists. > > > > > > The 4th, implements reading the container ID from the proc filesystem > > > for debugging. This isn't planned for upstream inclusion. > > > > > > The 5th adds signal and ptrace support. > > > > > > The 6th attempts to create a local audit context to be able to bind a > > > standalone record with the container ID record. > > > > > > The 7th, 8th, 9th, 10th patches add container ID records to standalone > > > records. Some of these may end up being syscall auxiliary records and > > > won't need this specific support since they'll be supported via > > > syscalls. > > > > > > The 11th is a temporary workaround due to the AUDIT_CONTAINER records > > > not showing up as do AUDIT_LOGIN records. I suspect this is due to its > > > range (1000 vs 1300), but the intent is to solve it. > > > > > > The 12th adds debug information not intended for upstream for those > > > brave souls wanting to tinker with it in this early state. > > > > > > Feedback please! > > > > Which tree can this patch set be applied to? > > git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git next Thanks, that worked. In case anyone else is trying to apply these patches to a 4.16.0-rc based kernel, commit 4e7e3adbba52 ("Expand various INIT_* macros and remove") moved .sessionid to init/init_task.c. Mimi
Re: [RFC PATCH V1 00/12] audit: implement container id
On Thu, 2018-03-01 at 14:41 -0500, Richard Guy Briggs wrote: > Implement audit kernel container ID. > > This patchset is a preliminary RFC based on the proposal document (V3) > posted: > https://www.redhat.com/archives/linux-audit/2018-January/msg00014.html > > The first patch implements the proc fs write to set the audit container > ID of a process, emitting an AUDIT_CONTAINER record. > > The second implements an auxiliary syscall record AUDIT_CONTAINER_INFO > if a container ID is present on a task. > > The third adds filtering to the exit, exclude and user lists. > > The 4th, implements reading the container ID from the proc filesystem > for debugging. This isn't planned for upstream inclusion. > > The 5th adds signal and ptrace support. > > The 6th attempts to create a local audit context to be able to bind a > standalone record with the container ID record. > > The 7th, 8th, 9th, 10th patches add container ID records to standalone > records. Some of these may end up being syscall auxiliary records and > won't need this specific support since they'll be supported via > syscalls. > > The 11th is a temporary workaround due to the AUDIT_CONTAINER records > not showing up as do AUDIT_LOGIN records. I suspect this is due to its > range (1000 vs 1300), but the intent is to solve it. > > The 12th adds debug information not intended for upstream for those > brave souls wanting to tinker with it in this early state. > > Feedback please! Which tree can this patch set be applied to? Mimi > Here's a quick and dirty test script: > echo 123455 > /proc/$$/containerid; echo $? > sleep 4& > child=$!; sleep 1 > echo 18446744073709551615 > /proc/$child/containerid; echo $? > echo 123456 > /proc/$child/containerid; echo $? > echo 123457 > /proc/$child/containerid; echo $? > sleep 1 > ausearch -ts recent |grep " contid=18446744073709551615"; echo $? > ausearch -ts recent |grep " contid=123456"; echo $? > ausearch -ts recent |grep " contid=123457"; echo $? > echo self:$$ contid:$( cat /proc/$$/containerid) > echo child:$child contid:$( cat /proc/$child/containerid) > > containerid=123458 > key=tmpcontainerid > auditctl -a exit,always -F dir=/tmp -F perm=wa -F containerid=$containerid -F > key=$key || echo failed to add containerid filter rule > bash -c "sleep 1; echo test > /tmp/$key"& > child=$! > echo $containerid > /proc/$child/containerid > sleep 2 > rm -f /tmp/$key > ausearch -ts recent -k $key || echo failed to find CONTAINER_INFO record > auditctl -d exit,always -F dir=/tmp -F perm=wa -F containerid=$containerid -F > key=$key || echo failed to add containerid filter rule > > See: > https://github.com/linux-audit/audit-kernel/issues/32 > https://github.com/linux-audit/audit-userspace/issues/40 > https://github.com/linux-audit/audit-testsuite/issues/64 > > Richard Guy Briggs (12): > audit: add container id > audit: log container info of syscalls > audit: add containerid filtering > audit: read container ID of a process > audit: add containerid support for ptrace and signals > audit: add support for non-syscall auxiliary records > audit: add container aux record to watch/tree/mark > audit: add containerid support for tty_audit > audit: add containerid support for config/feature/user records > audit: add containerid support for seccomp and anom_abend records > debug audit: add container id > debug! audit: add container id > > drivers/tty/tty_audit.c| 5 +- > fs/proc/base.c | 63 +++ > include/linux/audit.h | 36 +++ > include/linux/init_task.h | 4 +- > include/linux/sched.h | 1 + > include/uapi/linux/audit.h | 9 ++- > kernel/audit.c | 74 +++--- > kernel/audit.h | 3 + > kernel/audit_fsnotify.c| 5 +- > kernel/audit_tree.c| 5 +- > kernel/audit_watch.c | 33 +- > kernel/auditfilter.c | 52 ++- > kernel/auditsc.c | 154 > +++-- > 13 files changed, 408 insertions(+), 36 deletions(-) >
Re: [PATCH 2/3] security: bpf: Add eBPF LSM hooks and security field to eBPF map
On Thu, 2017-08-31 at 13:56 -0700, Chenbo Feng wrote: > From: Chenbo Feng > > Introduce a pointer into struct bpf_map to hold the security information > about the map. The actual security struct varies based on the security > models implemented. Place the LSM hooks before each of the unrestricted > eBPF operations, the map_update_elem and map_delete_elem operations are > checked by security_map_modify. The map_lookup_elem and map_get_next_key > operations are checked by securtiy_map_read. > > Signed-off-by: Chenbo Feng > --- > include/linux/bpf.h | 3 +++ > kernel/bpf/syscall.c | 28 > 2 files changed, 31 insertions(+) > > diff --git a/include/linux/bpf.h b/include/linux/bpf.h > index b69e7a5869ff..ca3e6ff7091d 100644 > --- a/include/linux/bpf.h > +++ b/include/linux/bpf.h > @@ -53,6 +53,9 @@ struct bpf_map { > struct work_struct work; > atomic_t usercnt; > struct bpf_map *inner_map_meta; > +#ifdef CONFIG_SECURITY > + void *security; > +#endif > }; > > /* function argument constraints */ > diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c > index 045646da97cc..b15580bcf3b1 100644 > --- a/kernel/bpf/syscall.c > +++ b/kernel/bpf/syscall.c > @@ -279,6 +279,10 @@ static int map_create(union bpf_attr *attr) > if (err) > return -EINVAL; > > + err = security_map_create(); > + if (err) > + return -EACCES; Any reason not to just return err? Mimi > + > /* find map type and init map: hashtable vs rbtree vs bloom vs ... */ > map = find_and_alloc_map(attr); > if (IS_ERR(map)) > @@ -291,6 +295,10 @@ static int map_create(union bpf_attr *attr) > if (err) > goto free_map_nouncharge; > > + err = security_post_create(map); > + if (err < 0) > + goto free_map; > + > err = bpf_map_alloc_id(map); > if (err) > goto free_map; > @@ -410,6 +418,10 @@ static int map_lookup_elem(union bpf_attr *attr) > if (IS_ERR(map)) > return PTR_ERR(map); > > + err = security_map_read(map); > + if (err) > + return -EACCES; > + > key = memdup_user(ukey, map->key_size); > if (IS_ERR(key)) { > err = PTR_ERR(key); > @@ -490,6 +502,10 @@ static int map_update_elem(union bpf_attr *attr) > if (IS_ERR(map)) > return PTR_ERR(map); > > + err = security_map_modify(map); > + if (err) > + return -EACCES; > + > key = memdup_user(ukey, map->key_size); > if (IS_ERR(key)) { > err = PTR_ERR(key); > @@ -573,6 +589,10 @@ static int map_delete_elem(union bpf_attr *attr) > if (IS_ERR(map)) > return PTR_ERR(map); > > + err = security_map_modify(map); > + if (err) > + return -EACCES; > + > key = memdup_user(ukey, map->key_size); > if (IS_ERR(key)) { > err = PTR_ERR(key); > @@ -616,6 +636,10 @@ static int map_get_next_key(union bpf_attr *attr) > if (IS_ERR(map)) > return PTR_ERR(map); > > + err = security_map_read(map); > + if (err) > + return -EACCES; > + > if (ukey) { > key = memdup_user(ukey, map->key_size); > if (IS_ERR(key)) { > @@ -935,6 +959,10 @@ static int bpf_prog_load(union bpf_attr *attr) > if (CHECK_ATTR(BPF_PROG_LOAD)) > return -EINVAL; > > + err = security_prog_load(); > + if (err) > + return -EACCES; > + > if (attr->prog_flags & ~BPF_F_STRICT_ALIGNMENT) > return -EINVAL; >