Re: [RFC PATCH V1 01/12] audit: add container id

2018-04-18 Thread Stefan Berger
On 04/18/2018 03:23 PM, Richard Guy Briggs wrote: On 2018-04-18 14:45, Stefan Berger wrote: On 03/15/2018 11:58 PM, Richard Guy Briggs wrote: On 2018-03-15 16:27, Stefan Berger wrote: On 03/01/2018 02:41 PM, Richard Guy Briggs wrote: Implement the proc fs write to set the audit container ID

Re: [RFC PATCH V1 01/12] audit: add container id

2018-04-18 Thread Stefan Berger
On 03/15/2018 11:58 PM, Richard Guy Briggs wrote: On 2018-03-15 16:27, Stefan Berger wrote: On 03/01/2018 02:41 PM, Richard Guy Briggs wrote: Implement the proc fs write to set the audit container ID of a process, emitting an AUDIT_CONTAINER record to document the event. This is a write from

Re: [RFC PATCH V1 01/12] audit: add container id

2018-04-18 Thread Richard Guy Briggs
On 2018-04-18 15:39, Stefan Berger wrote: > On 04/18/2018 03:23 PM, Richard Guy Briggs wrote: > > On 2018-04-18 14:45, Stefan Berger wrote: > > > On 03/15/2018 11:58 PM, Richard Guy Briggs wrote: > > > > On 2018-03-15 16:27, Stefan Berger wrote: > > > > > On 03/01/2018 02:41 PM, Richard Guy Briggs

Re: [RFC PATCH V1 01/12] audit: add container id

2018-04-18 Thread Richard Guy Briggs
On 2018-04-18 14:45, Stefan Berger wrote: > On 03/15/2018 11:58 PM, Richard Guy Briggs wrote: > > On 2018-03-15 16:27, Stefan Berger wrote: > > > On 03/01/2018 02:41 PM, Richard Guy Briggs wrote: > > > > Implement the proc fs write to set the audit container ID of a process, > > > > emitting an

Re: [RFC PATCH ghak32 V2 02/13] audit: check children and threading before allowing containerid

2018-04-18 Thread Paul Moore
On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs wrote: > Check if a task has existing children or co-threads and refuse to set > the container ID if either are present. Failure to check this could > permit games where a child scratches its parent's back to work around >

Re: [RFC PATCH ghak32 V2 04/13] audit: add containerid filtering

2018-04-18 Thread Paul Moore
On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs wrote: > Implement container ID filtering using the AUDIT_CONTAINERID field name > to send an 8-character string representing a u64 since the value field > is only u32. > > Sending it as two u32 was considered, but gathering and
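The point of that message, a u64 container ID carried through a rule whose per-field value slot is only u32 by sending it as an 8-byte string, can be shown end to end. The following is an added example, not code from the ghak32 series or from the kernel: the rule layout is a simplified stand-in modelled on the audit netlink rule payload (a fixed header of parallel fields/values arrays plus a string buffer, where a string field's value slot holds the string length and the bytes are appended to the buffer), the field number HYP_AUDIT_CONTAINERID and all function names are assumptions for illustration, and the example assumes the container ID is the only string-valued field in the rule.

```c
/* Added example, not the patch series' code. Demonstrates carrying a 64-bit
 * audit container ID through a rule whose per-field value slot is u32 by
 * encoding it as an 8-byte string in the rule's string buffer, and the
 * receiving side's length and bounds checks when unpacking it.
 * struct rule_data is a simplified stand-in modelled on the audit rule payload;
 * HYP_AUDIT_CONTAINERID and the helper names are assumptions. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <stdbool.h>

#define MAX_FIELDS 64
#define HYP_AUDIT_CONTAINERID 1000   /* assumed field number for this example */

struct rule_data {
    uint32_t field_count;
    uint32_t fields[MAX_FIELDS];   /* field type per entry */
    uint32_t values[MAX_FIELDS];   /* u32 value, or string length for string fields */
    uint32_t buflen;               /* bytes used in buf */
    unsigned char buf[256];        /* string payloads, appended in field order */
};

/* Sender side: append a container ID filter field. The u64 does not fit in
 * values[i], so values[i] records the string length (8) and the raw bytes of
 * the ID (host byte order, like the rest of the payload) go into buf. */
static bool rule_add_containerid(struct rule_data *r, uint64_t cid)
{
    uint32_t i = r->field_count;
    if (i >= MAX_FIELDS || r->buflen + sizeof(cid) > sizeof(r->buf))
        return false;
    r->fields[i] = HYP_AUDIT_CONTAINERID;
    r->values[i] = (uint32_t)sizeof(cid);   /* length of the string, not the value */
    memcpy(r->buf + r->buflen, &cid, sizeof(cid));
    r->buflen += (uint32_t)sizeof(cid);
    r->field_count = i + 1;
    return true;
}

/* Receiver side: locate the container ID field and unpack its string. Rejects
 * a string that is not exactly 8 bytes or that would run past buflen, which is
 * the check a kernel-side parser needs before trusting a userspace length.
 * Assumes the container ID is the only string-valued field in the rule. */
static bool rule_get_containerid(const struct rule_data *r, uint64_t *out)
{
    uint32_t pos = 0;   /* offset of the next unconsumed string in buf */
    for (uint32_t i = 0; i < r->field_count && i < MAX_FIELDS; i++) {
        if (r->fields[i] != HYP_AUDIT_CONTAINERID)
            continue;                      /* non-string field: nothing in buf */
        if (r->values[i] != sizeof(uint64_t))
            return false;                  /* malformed: wrong string length */
        if (pos + sizeof(uint64_t) > r->buflen)
            return false;                  /* malformed: string beyond buffer */
        memcpy(out, r->buf + pos, sizeof(uint64_t));
        return true;
    }
    return false;                          /* no container ID field present */
}

/* Build a rule with the given ID and read it back; returns 0 on any failure. */
static uint64_t roundtrip_containerid(uint64_t cid)
{
    struct rule_data r;
    uint64_t got = 0;
    memset(&r, 0, sizeof(r));
    if (!rule_add_containerid(&r, cid))
        return 0;
    if (!rule_get_containerid(&r, &got))
        return 0;
    return got;
}

/* Corrupt the declared string length and confirm the receiver refuses it. */
static bool rejects_bad_length(void)
{
    struct rule_data r;
    uint64_t got = 0;
    memset(&r, 0, sizeof(r));
    if (!rule_add_containerid(&r, 42))
        return false;
    r.values[0] = 4;                       /* claims a 4-byte string for a u64 */
    return !rule_get_containerid(&r, &got);
}

int main(void)
{
    uint64_t cid = 0x123456789abcdef0ULL;
    printf("roundtrip: 0x%llx -> 0x%llx\n",
           (unsigned long long)cid, (unsigned long long)roundtrip_containerid(cid));
    printf("bad length rejected: %s\n", rejects_bad_length() ? "yes" : "no");
    return 0;
}
```

The receiver's two checks are the part worth keeping in mind: the length in values[i] and the offset into buf both come from userspace, so a parser that memcpy's 8 bytes without confirming the declared length is exactly 8 and lies within buflen would read past the payload.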

Re: [RFC PATCH ghak32 V2 01/13] audit: add container id

2018-04-18 Thread Paul Moore
On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs wrote: > Implement the proc fs write to set the audit container ID of a process, > emitting an AUDIT_CONTAINER record to document the event. > > This is a write from the container orchestrator task to a proc entry of > the form

Re: [RFC PATCH ghak32 V2 05/13] audit: add containerid support for ptrace and signals

2018-04-18 Thread Paul Moore
On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs wrote: > Add container ID support to ptrace and signals. In particular, the "op" > field provides a way to label the auxiliary record to which it is > associated. > > Signed-off-by: Richard Guy Briggs > --- >

Re: [RFC PATCH ghak32 V2 06/13] audit: add support for non-syscall auxiliary records

2018-04-18 Thread Paul Moore
On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs wrote: > Standalone audit records have the timestamp and serial number generated > on the fly and as such are unique, making them standalone. This new > function audit_alloc_local() generates a local audit context that will >

Re: [RFC PATCH ghak32 V2 07/13] audit: add container aux record to watch/tree/mark

2018-04-18 Thread Paul Moore
On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs wrote: > Add container ID auxiliary record to mark, watch and tree rule > configuration standalone records. > > Signed-off-by: Richard Guy Briggs > --- > kernel/audit_fsnotify.c | 5 - >

Re: [RFC PATCH ghak32 V2 01/13] audit: add container id

2018-04-18 Thread Paul Moore
On Wed, Apr 18, 2018 at 8:41 PM, Casey Schaufler wrote: > On 4/18/2018 4:47 PM, Paul Moore wrote: >> On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs wrote: >>> Implement the proc fs write to set the audit container ID of a process, >>> emitting an

Re: [RFC PATCH ghak32 V2 10/13] audit: add containerid support for seccomp and anom_abend records

2018-04-18 Thread Paul Moore
On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs wrote: > Add container ID auxiliary records to secure computing and abnormal end > standalone records. > > Signed-off-by: Richard Guy Briggs > --- > kernel/auditsc.c | 10 -- > 1 file changed, 8

Re: [RFC PATCH ghak32 V2 11/13] audit: add support for containerid to network namespaces

2018-04-18 Thread Paul Moore
On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs wrote: > Audit events could happen in a network namespace outside of a task > context due to packets received from the net that trigger an auditing > rule prior to being associated with a running task. The network > namespace

Re: [RFC PATCH ghak32 V2 12/13] audit: NETFILTER_PKT: record each container ID associated with a netNS

2018-04-18 Thread Paul Moore
On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs wrote: > Add container ID auxiliary record(s) to NETFILTER_PKT event standalone > records. Iterate through all potential container IDs associated with a > network namespace. > > Signed-off-by: Richard Guy Briggs

Re: [RFC PATCH ghak32 V2 01/13] audit: add container id

2018-04-18 Thread Casey Schaufler
On 4/18/2018 4:47 PM, Paul Moore wrote: > On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs wrote: >> Implement the proc fs write to set the audit container ID of a process, >> emitting an AUDIT_CONTAINER record to document the event. >> ... >> >> diff --git

Re: [RFC PATCH ghak32 V2 01/13] audit: add container id

2018-04-18 Thread Casey Schaufler
On 4/18/2018 5:46 PM, Paul Moore wrote: > On Wed, Apr 18, 2018 at 8:41 PM, Casey Schaufler > wrote: >> On 4/18/2018 4:47 PM, Paul Moore wrote: >>> On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs wrote: Implement the proc fs write to set the

Re: [RFC PATCH ghak32 V2 09/13] audit: add containerid support for config/feature/user records

2018-04-18 Thread Paul Moore
On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs wrote: > Add container ID auxiliary records to configuration change, feature set change > and user generated standalone records. > > Signed-off-by: Richard Guy Briggs > --- > kernel/audit.c | 50