RFE: test for audit container ID functionality #64
Assignees
Labels
Comments
|
Here's an updated test script: |
pcmoore
added
enhancement
priority/medium
pending/review
pending/revision
pending/dependency
and removed
pending/review
labels
|
Just for the record. We agreed that I will assist Richard with transforming bash test script mentioned above into Perl so that it fits into audit regression test suite. |
pcmoore
changed the title
|
Great, thanks for letting me know. I went ahead and assigned this task to both of you :) |
|
Test netfilter packet audit container identifier auxiliary records: |
|
Just out of curiosity, aforementioned test is currently the only way to test container ID, is that correct? Because no container tool / orchestrator [*] supports this yet. I just want to make sure I understand it well - first, we need to have this container-id functionality in kernel. Then each orchestration willing to support container auditing must implement it (ie. create container id associated with container process). Now suppose I have a Fedora machine with a container and I will trigger audit event from that container. What will happen? Will I see the event on host machine? What happens if my host machine does have container-id support, I will create container-id in /proc/ and trigger event from the container? I am sorry for such silly questions. |
|
On 2018-08-03 08:01, Ondrej Moris wrote:
Just out of curiosity, aforementioned test is currently the only way
to test container ID, is that correct? Because no container tool /
orchestrator [*] supports this yet. I just want to make sure I
understand it well - first, we need to have this container-id
functionality in kernel. Then each orchestration willing to support
container auditing must implement it (ie. create container id
associated with container process).
Correct.
Now suppose I have a Fedora machine with a container and I will
trigger audit event from that container. What will happen? Will I see
the event on host machine? What happens if my host machine does have
container-id support, I will create container-id in
/proc/<containerpid> and trigger event from the container?
It will appear on the host machine if the host machine has any audit
rules that are triggered by that event.
If your host machine had audit container identifier support then each
task listed in /proc will have a "audit_containerid" file to which you
would write as required a u64 to register that audit container
identifier with that task and then have that task trigger an event.
I am sorry for such silly questions.
These are not silly questions. No appology necessary.
|
fcicq
pushed a commit
to fcicq/chromiumos-third_party-kernel
that referenced
this issue
Jan 20, 2019
Implement the proc fs write to set the audit container identifier of a process, emitting an AUDIT_CONTAINER_OP record to document the event. This is a write from the container orchestrator task to a proc entry of the form /proc/PID/audit_containerid where PID is the process ID of the newly created task that is to become the first task in a container, or an additional task added to a container. The write expects up to a u64 value (unset: 18446744073709551615). The writer must have capability CAP_AUDIT_CONTROL. This will produce a record such as this: type=CONTAINER_ID msg=audit(2018-06-06 12:39:29.636:26949) : op=set opid=2209 old-contid=18446744073709551615 contid=123456 pid=628 auid=root uid=root tty=ttyS0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=bash exe=/usr/bin/bash res=yes The "op" field indicates an initial set. The "pid" to "ses" fields are the orchestrator while the "opid" field is the object's PID, the process being "contained". Old and new audit container identifier values are given in the "contid" fields, while res indicates its success. It is not permitted to unset the audit container identifier. A child inherits its parent's audit container identifier. See: linux-audit/audit-kernel#90 See: linux-audit/audit-userspace#51 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]> Acked-by: Serge Hallyn <[email protected]> Acked-by: Steve Grubb <[email protected]> (am from https://patchwork.kernel.org/patch/10551315/) BUG=chromium:918980 TEST=Build, boot and GCP internal testing. Changed the return value of the default audit_get_contid as the kuid_t is a 32-bit value where the other version is a u64 failing compilation on 32-bit kernels. Signed-off-by: Thomas Garnier <[email protected]> Change-Id: Iee61e96d015715f1dde24f92c230f14410cb5a79 Reviewed-on: https://chromium-review.googlesource.com/1379655 Reviewed-by: Dmitry Torokhov <[email protected]> Reviewed-by: Robert Kolchmeyer <[email protected]> Reviewed-by: Kees Cook <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-testsuite
that referenced
this issue
Apr 9, 2019
See: linux-audit#64 Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-testsuite
that referenced
this issue
Apr 10, 2019
See: linux-audit#64 Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-testsuite
that referenced
this issue
Apr 10, 2019
See: linux-audit#64 Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-testsuite
that referenced
this issue
Apr 10, 2019
See: linux-audit#64 Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-testsuite
that referenced
this issue
Apr 10, 2019
See: linux-audit#64 Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-testsuite
that referenced
this issue
Apr 10, 2019
See: linux-audit#64 Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-testsuite
that referenced
this issue
Apr 10, 2019
See: linux-audit#64 Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-testsuite
that referenced
this issue
Apr 10, 2019
See: linux-audit#64 Signed-off-by: Richard Guy Briggs <[email protected]>
|
V1 PR: #83 |
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
May 28, 2019
This defines the message number for the audit container identifier registration record should the kernel headers not be up to date, gives the record number a name for printing and allows the record to be interpreted since it is in the 1000 range like AUDIT_LOGIN. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Jun 26, 2020
Add support to be able to set a capability to allow a task to set the audit container identifier of descendants. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Add the audit_get_capcontid() and audit_set_capcontid() calls analogous to CAP_AUDIT_CONTROL for descendant user namespaces. Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Jun 27, 2020
Add support to be able to set a capability to allow a task to set the audit container identifier of descendants. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Add the audit_get_capcontid() and audit_set_capcontid() calls analogous to CAP_AUDIT_CONTROL for descendant user namespaces. Signed-off-by: Richard Guy Briggs <[email protected]>
|
Forced update of testsuite to accomodate nesting features for v9 kernel and userspace |
fengguang
pushed a commit
to 0day-ci/linux
that referenced
this issue
Jun 27, 2020
Implement the proc fs write to set the audit container identifier of a process, emitting an AUDIT_CONTAINER_OP record to document the event. This is a write from the container orchestrator task to a proc entry of the form /proc/PID/audit_containerid where PID is the process ID of the newly created task that is to become the first task in a container, or an additional task added to a container. The write expects up to a u64 value (unset: 18446744073709551615). The writer must have capability CAP_AUDIT_CONTROL. This will produce a record such as this: type=CONTAINER_OP msg=audit(2018-06-06 12:39:29.636:26949) : op=set opid=2209 contid=123456 old-contid=18446744073709551615 The "op" field indicates an initial set. The "opid" field is the object's PID, the process being "contained". New and old audit container identifier values are given in the "contid" fields. It is not permitted to unset the audit container identifier. A child inherits its parent's audit container identifier. Store the audit container identifier in a refcounted kernel object that is added to the master list of audit container identifiers. This will allow multiple container orchestrators/engines to work on the same machine without danger of inadvertantly re-using an existing identifier. It will also allow an orchestrator to inject a process into an existing container by checking if the original container owner is the one injecting the task. A hash table list is used to optimize searches. Please see the github audit kernel issue for the main feature: linux-audit/audit-kernel#90 Please see the github audit userspace issue for supporting additions: linux-audit/audit-userspace#51 Please see the github audit testsuiite issue for the test case: linux-audit/audit-testsuite#64 Please see the github audit wiki for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]> Acked-by: Serge Hallyn <[email protected]> Acked-by: Steve Grubb <[email protected]> Acked-by: Neil Horman <[email protected]> Reviewed-by: Ondrej Mosnacek <[email protected]>
fengguang
pushed a commit
to 0day-ci/linux
that referenced
this issue
Jun 27, 2020
Create a new audit record AUDIT_CONTAINER_ID to document the audit container identifier of a process if it is present. Called from audit_log_exit(), syscalls are covered. Include target_cid references from ptrace and signal. A sample raw event: type=SYSCALL msg=audit(1519924845.499:257): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=56374e1cef30 a2=241 a3=1b6 items=2 ppid=606 pid=635 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="tmpcontainerid" type=CWD msg=audit(1519924845.499:257): cwd="/root" type=PATH msg=audit(1519924845.499:257): item=0 name="/tmp/" inode=13863 dev=00:27 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype= PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 type=PATH msg=audit(1519924845.499:257): item=1 name="/tmp/tmpcontainerid" inode=17729 dev=00:27 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1519924845.499:257): proctitle=62617368002D6300736C65657020313B206563686F2074657374203E202F746D702F746D70636F6E7461696E65726964 type=CONTAINER_ID msg=audit(1519924845.499:257): contid=123458 Please see the github audit kernel issue for the main feature: linux-audit/audit-kernel#90 Please see the github audit userspace issue for supporting additions: linux-audit/audit-userspace#51 Please see the github audit testsuiite issue for the test case: linux-audit/audit-testsuite#64 Please see the github audit wiki for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]> Acked-by: Serge Hallyn <[email protected]> Acked-by: Steve Grubb <[email protected]> Acked-by: Neil Horman <[email protected]> Reviewed-by: Ondrej Mosnacek <[email protected]>
fengguang
pushed a commit
to 0day-ci/linux
that referenced
this issue
Jun 27, 2020
Implement audit container identifier filtering using the AUDIT_CONTID field name to send an 8-character string representing a u64 since the value field is only u32. Sending it as two u32 was considered, but gathering and comparing two fields was more complex. The feature indicator is AUDIT_FEATURE_BITMAP_CONTAINERID. Please see the github audit kernel issue for the contid filter feature: linux-audit/audit-kernel#91 Please see the github audit userspace issue for filter additions: linux-audit/audit-userspace#40 Please see the github audit testsuiite issue for the test case: linux-audit/audit-testsuite#64 Please see the github audit wiki for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]> Acked-by: Serge Hallyn <[email protected]> Acked-by: Neil Horman <[email protected]> Reviewed-by: Ondrej Mosnacek <[email protected]>
fengguang
pushed a commit
to 0day-ci/linux
that referenced
this issue
Jun 27, 2020
This also adds support to qualify NETFILTER_PKT records. Audit events could happen in a network namespace outside of a task context due to packets received from the net that trigger an auditing rule prior to being associated with a running task. The network namespace could be in use by multiple containers by association to the tasks in that network namespace. We still want a way to attribute these events to any potential containers. Keep a list per network namespace to track these audit container identifiiers. Add/increment the audit container identifier on: - initial setting of the audit container identifier via /proc - clone/fork call that inherits an audit container identifier - unshare call that inherits an audit container identifier - setns call that inherits an audit container identifier Delete/decrement the audit container identifier on: - an inherited audit container identifier dropped when child set - process exit - unshare call that drops a net namespace - setns call that drops a net namespace Add audit container identifier auxiliary record(s) to NETFILTER_PKT event standalone records. Iterate through all potential audit container identifiers associated with a network namespace. Please see the github audit kernel issue for contid net support: linux-audit/audit-kernel#92 Please see the github audit testsuiite issue for the test case: linux-audit/audit-testsuite#64 Please see the github audit wiki for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]> Acked-by: Neil Horman <[email protected]> Reviewed-by: Ondrej Mosnacek <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-testsuite
that referenced
this issue
Sep 29, 2020
See: linux-audit#64 Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-testsuite
that referenced
this issue
Sep 29, 2020
See: linux-audit#64 Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-testsuite
that referenced
this issue
Sep 29, 2020
See: linux-audit#64 Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-testsuite
that referenced
this issue
Nov 18, 2020
See: linux-audit#64 Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Nov 26, 2020
A u64 container identifier has been added to the kernel view of tasks. This allows container orchestrators to label tasks with a unique tamperproof identifier that gets inherited by its children to be able to track the provenance of actions by a container. Add support to libaudit and auditctl for the AUDIT_CONTID field to filter based on audit container identifier. This field is specified with the "contid" field name on the command line. Since it is a u64 and larger than any other numeric field, send it as a string but do the appropriate conversions on each end in each direction. See: linux-audit#40 See: linux-audit/audit-kernel#91 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Nov 26, 2020
Add support to be able to set a capability to allow a task to set the audit container identifier of descendants. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Add the audit_get_capcontid() and audit_set_capcontid() calls analogous to CAP_AUDIT_CONTROL for descendant user namespaces. Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Nov 26, 2020
This defines the message number for the audit container identifier registration record should the kernel headers not be up to date, gives the record number a name for printing and allows the record to be interpreted since it is in the 1000 range like AUDIT_LOGIN. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Nov 26, 2020
This defines the message number for the audit container identifier information record should the kernel headers not be up to date and gives the record number a name for printing. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Nov 26, 2020
A u64 container identifier has been added to the kernel view of tasks. This allows container orchestrators to label tasks with a unique tamperproof identifier that gets inherited by its children to be able to track the provenance of actions by a container. Add support to libaudit and auditctl for the AUDIT_CONTID field to filter based on audit container identifier. This field is specified with the "contid" field name on the command line. Since it is a u64 and larger than any other numeric field, send it as a string but do the appropriate conversions on each end in each direction. See: linux-audit#40 See: linux-audit/audit-kernel#91 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Nov 26, 2020
Add support to be able to set a capability to allow a task to set the audit container identifier of descendants. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Add the audit_get_capcontid() and audit_set_capcontid() calls analogous to CAP_AUDIT_CONTROL for descendant user namespaces. Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Dec 18, 2020
This defines the message number for the audit container identifier registration record should the kernel headers not be up to date, gives the record number a name for printing and allows the record to be interpreted since it is in the 1000 range like AUDIT_LOGIN. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Dec 18, 2020
This defines the message number for the audit container identifier information record should the kernel headers not be up to date and gives the record number a name for printing. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Dec 18, 2020
A u64 container identifier has been added to the kernel view of tasks. This allows container orchestrators to label tasks with a unique tamperproof identifier that gets inherited by its children to be able to track the provenance of actions by a container. Add support to libaudit and auditctl for the AUDIT_CONTID field to filter based on audit container identifier. This field is specified with the "contid" field name on the command line. Since it is a u64 and larger than any other numeric field, send it as a string but do the appropriate conversions on each end in each direction. See: linux-audit#40 See: linux-audit/audit-kernel#91 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Dec 18, 2020
Add support to be able to set a capability to allow a task to set the audit container identifier of descendants. See: linux-audit#51 See: linux-audit/audit-kernel#90 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Add the audit_get_capcontid() and audit_set_capcontid() calls analogous to CAP_AUDIT_CONTROL for descendant user namespaces. Signed-off-by: Richard Guy Briggs <[email protected]>
fengguang
pushed a commit
to 0day-ci/linux
that referenced
this issue
Dec 22, 2020
Implement the proc fs write to set the audit container identifier of a process, emitting an AUDIT_CONTAINER_OP record to document the event. This is a write from the container orchestrator task to a proc entry of the form /proc/PID/audit_containerid where PID is the process ID of the newly created task that is to become the first task in a container, or an additional task added to a container. The write expects up to a u64 value (unset: 18446744073709551615). The writer must have capability CAP_AUDIT_CONTROL. This will produce a record such as this: time->Thu Nov 26 10:24:46 2020 type=PROCTITLE msg=audit(1606404286.956:174546): proctitle=2F7573722F62696E2F7065726C002D7700636F6E7461696E657269642F74657374 type=SYSCALL msg=audit(1606404286.956:174546): arch=c000003e syscall=1 success=yes exit=19 a0=6 a1=557446a6a650 a2=13 a3=8 items=0 ppid=6827 pid=8724 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="perl" exe="/usr/bin/perl" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) type=CONTAINER_OP msg=audit(1606404286.956:174546): op=set opid=8771 contid=4112973747854606336 old-contid=-1 The "op" field indicates an initial set. The "opid" field is the object's PID, the process being "contained". New and old audit container identifier values are given in the "contid" fields. It is not permitted to unset the audit container identifier. A child inherits its parent's audit container identifier. Store the audit container identifier in a refcounted kernel object that is added to the master list of audit container identifiers. This will allow multiple container orchestrators/engines to work on the same machine without danger of inadvertantly re-using an existing identifier. It will also allow an orchestrator to inject a process into an existing container by checking if the original container owner is the one injecting the task. A hash table list is used to optimize searches. audit: log drop of contid on exit of last task Since the life of each audit container indentifier is being tracked, we can match the creation event with the destruction event. Log the destruction of the audit container identifier when the last process in that container exits. Add support for reading the audit container identifier from the proc filesystem. This is a read from the proc entry of the form /proc/PID/audit_containerid where PID is the process ID of the task whose audit container identifier is sought. The read expects up to a u64 value (unset: 18446744073709551615). This read requires CAP_AUDIT_CONTROL. Add an entry to Documentation/ABI for /proc/$pid/audit_containerid. Please see the github audit kernel issue for the main feature: linux-audit/audit-kernel#90 Please see the github audit userspace issue for supporting additions: linux-audit/audit-userspace#51 Please see the github audit testsuiite issue for the test case: linux-audit/audit-testsuite#64 Please see the github audit wiki for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]> Acked-by: Serge Hallyn <[email protected]> Acked-by: Steve Grubb <[email protected]> Acked-by: Neil Horman <[email protected]> Reviewed-by: Ondrej Mosnacek <[email protected]>
fengguang
pushed a commit
to 0day-ci/linux
that referenced
this issue
Dec 22, 2020
Create a new audit record AUDIT_CONTAINER_ID to document the audit container identifier of a process if it is present. Called from audit_log_exit(), syscalls are covered. Include target_cid references from ptrace and signal. A sample raw event: time->Thu Nov 26 10:24:40 2020 type=PROCTITLE msg=audit(1606404280.226:174542): proctitle=2F7573722F62696E2F7065726C002D7700636F6E7461696E657269642F74657374 type=PATH msg=audit(1606404280.226:174542): item=1 name="/tmp/audit-testsuite-dir-8riQ/testsuite-1606404267-WNldVJCr" inode=428 dev=00:1f mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(1606404280.226:174542): item=0 name="/tmp/audit-testsuite-dir-8riQ/" inode=427 dev=00:1f mode=040700 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(1606404280.226:174542): cwd="/root/rgb/git/audit-testsuite/tests" type=SYSCALL msg=audit(1606404280.226:174542): arch=c000003e syscall=257 success=yes exit=6 a0=ffffff9c a1=557446bd5f10 a2=80241 a3=1b6 items=2 ppid=8724 pid=8758 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="perl" exe="/usr/bin/perl" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="testsuite-1606404267-WNldVJCr" record=1 type=CONTAINER_ID msg=audit(1606404280.226:174542): record=1 contid=527940429489930240 Please see the github audit kernel issue for the main feature: linux-audit/audit-kernel#90 Please see the github audit userspace issue for supporting additions: linux-audit/audit-userspace#51 Please see the github audit testsuiite issue for the test case: linux-audit/audit-testsuite#64 Please see the github audit wiki for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]> Acked-by: Serge Hallyn <[email protected]> Acked-by: Steve Grubb <[email protected]> Acked-by: Neil Horman <[email protected]> Reviewed-by: Ondrej Mosnacek <[email protected]>
fengguang
pushed a commit
to 0day-ci/linux
that referenced
this issue
Dec 22, 2020
Implement audit container identifier filtering using the AUDIT_CONTID field name to send an 8-character string representing a u64 since the value field is only u32. Sending it as two u32 was considered, but gathering and comparing two fields was more complex. The feature indicator is AUDIT_FEATURE_BITMAP_CONTAINERID. Please see the github audit kernel issue for the contid filter feature: linux-audit/audit-kernel#91 Please see the github audit userspace issue for filter additions: linux-audit/audit-userspace#40 Please see the github audit testsuiite issue for the test case: linux-audit/audit-testsuite#64 Please see the github audit wiki for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]> Acked-by: Serge Hallyn <[email protected]> Acked-by: Neil Horman <[email protected]> Reviewed-by: Ondrej Mosnacek <[email protected]>
fengguang
pushed a commit
to 0day-ci/linux
that referenced
this issue
Dec 22, 2020
This also adds support to qualify NETFILTER_PKT records. Audit events could happen in a network namespace outside of a task context due to packets received from the net that trigger an auditing rule prior to being associated with a running task. The network namespace could be in use by multiple containers by association to the tasks in that network namespace. We still want a way to attribute these events to any potential containers. Keep a list per network namespace to track these audit container identifiiers. Add/increment the audit container identifier on: - initial setting of the audit container identifier via /proc - clone/fork call that inherits an audit container identifier - unshare call that inherits an audit container identifier - setns call that inherits an audit container identifier Delete/decrement the audit container identifier on: - an inherited audit container identifier dropped when child set - process exit - unshare call that drops a net namespace - setns call that drops a net namespace Add audit container identifier auxiliary record(s) to NETFILTER_PKT event standalone records. Iterate through all potential audit container identifiers associated with a network namespace. Sample event: type=NETFILTER_PKT msg=audit(2020-11-26 10:24:47.984:174549) : mark=0x15766399 saddr=127.0.0.1 daddr=127.0.0.1 proto=icmp record=1 type=CONTAINER_ID msg=audit(2020-11-26 10:24:47.984:174549) : record=1 contid=4112973747854606336,1916436506412318720 Please see the github audit kernel issue for contid net support: linux-audit/audit-kernel#92 Please see the github audit testsuiite issue for the test case: linux-audit/audit-testsuite#64 Please see the github audit wiki for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]> Acked-by: Neil Horman <[email protected]> Reviewed-by: Ondrej Mosnacek <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-testsuite
that referenced
this issue
Dec 24, 2020
See: linux-audit#64 Signed-off-by: Richard Guy Briggs <[email protected]>
fengguang
pushed a commit
to 0day-ci/linux
that referenced
this issue
Jan 12, 2021
Implement the proc fs write to set the audit container identifier of a process, emitting an AUDIT_CONTAINER_OP record to document the event. This is a write from the container orchestrator task to a proc entry of the form /proc/PID/audit_containerid where PID is the process ID of the newly created task that is to become the first task in a container, or an additional task added to a container. The write expects up to a u64 value (unset: 18446744073709551615). The writer must have capability CAP_AUDIT_CONTROL. This will produce an event such as this with the new CONTAINER_OP record: time->Thu Nov 26 10:24:27 2020 type=PROCTITLE msg=audit(1606404267.551:174524): proctitle=2F7573722F62696E2F7065726C002D7700636F6E7461696E657269642F74657374 type=SYSCALL msg=audit(1606404267.551:174524): arch=c000003e syscall=1 success=yes exit=20 a0=6 a1=557446aa9180 a2=14 a3=100 items=0 ppid=6827 pid=8724 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="perl" exe="/usr/bin/perl" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) type=CONTAINER_OP msg=audit(1606404267.551:174524): op=set opid=8730 contid=4515122123205246976 old-contid=-1 The "op" field indicates an initial set. The "opid" field is the object's PID, the process being "contained". New and old audit container identifier values are given in the "contid" fields. It is not permitted to unset the audit container identifier. A child inherits its parent's audit container identifier. Store the audit container identifier in a refcounted kernel object that is added to the master list of audit container identifiers. This will allow multiple container orchestrators/engines to work on the same machine without danger of inadvertantly re-using an existing identifier. It will also allow an orchestrator to inject a process into an existing container by checking if the original container owner is the one injecting the task. A hash table list is used to optimize searches. Since the life of each audit container indentifier is being tracked, we match the creation event with the destruction event. Log the drop of the audit container identifier when the last process in that container exits. Add support for reading the audit container identifier from the proc filesystem. This is a read from the proc entry of the form /proc/PID/audit_containerid where PID is the process ID of the task whose audit container identifier is sought. The read expects up to a u64 value (unset: (u64)-1). This read requires CAP_AUDIT_CONTROL. Add an entry to Documentation/ABI for /proc/$pid/audit_containerid. Please see the github audit kernel issue for the main feature: linux-audit/audit-kernel#90 Please see the github audit userspace issue for supporting additions: linux-audit/audit-userspace#51 Please see the github audit testsuiite issue for the test case: linux-audit/audit-testsuite#64 Please see the github audit wiki for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
fengguang
pushed a commit
to 0day-ci/linux
that referenced
this issue
Jan 12, 2021
Create a new audit record AUDIT_CONTAINER_ID to document the audit container identifier of a process if it is present. Called from audit_log_exit(), syscalls are covered. Include target_cid references from ptrace and signal. A sample raw event: time->Thu Nov 26 10:24:40 2020 type=PROCTITLE msg=audit(1606404280.226:174542): proctitle=2F7573722F62696E2F7065726C002D7700636F6E7461696E657269642F74657374 type=PATH msg=audit(1606404280.226:174542): item=1 name="/tmp/audit-testsuite-dir-8riQ/testsuite-1606404267-WNldVJCr" inode=428 dev=00:1f mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(1606404280.226:174542): item=0 name="/tmp/audit-testsuite-dir-8riQ/" inode=427 dev=00:1f mode=040700 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(1606404280.226:174542): cwd="/root/rgb/git/audit-testsuite/tests" type=SYSCALL msg=audit(1606404280.226:174542): arch=c000003e syscall=257 success=yes exit=6 a0=ffffff9c a1=557446bd5f10 a2=80241 a3=1b6 items=2 ppid=8724 pid=8758 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="perl" exe="/usr/bin/perl" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="testsuite-1606404267-WNldVJCr" record=1 type=CONTAINER_ID msg=audit(1606404280.226:174542): record=1 contid=527940429489930240 Please see the github audit kernel issue for the main feature: linux-audit/audit-kernel#90 Please see the github audit userspace issue for supporting additions: linux-audit/audit-userspace#51 Please see the github audit testsuiite issue for the test case: linux-audit/audit-testsuite#64 Please see the github audit wiki for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
fengguang
pushed a commit
to 0day-ci/linux
that referenced
this issue
Jan 12, 2021
Implement audit container identifier filtering using the AUDIT_CONTID field name to send an 8-character string representing a u64 since the value field is only u32. Sending it as two u32 was considered, but gathering and comparing two fields was more complex. The feature indicator is AUDIT_FEATURE_BITMAP_CONTAINERID. Please see the github audit kernel issue for the contid filter feature: linux-audit/audit-kernel#91 Please see the github audit userspace issue for filter additions: linux-audit/audit-userspace#40 Please see the github audit testsuiite issue for the test case: linux-audit/audit-testsuite#64 Please see the github audit wiki for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]> Acked-by: Serge Hallyn <[email protected]> Acked-by: Neil Horman <[email protected]> Reviewed-by: Ondrej Mosnacek <[email protected]>
fengguang
pushed a commit
to 0day-ci/linux
that referenced
this issue
Jan 12, 2021
This also adds support to qualify NETFILTER_PKT records. Audit events could happen in a network namespace outside of a task context due to packets received from the net that trigger an auditing rule prior to being associated with a running task. The network namespace could be in use by multiple containers by association to the tasks in that network namespace. We still want a way to attribute these events to any potential containers. Keep a list per network namespace to track these audit container identifiiers. Add/increment the audit container identifier on: - initial setting of the audit container identifier via /proc - clone/fork call that inherits an audit container identifier - unshare call that inherits an audit container identifier - setns call that inherits an audit container identifier Delete/decrement the audit container identifier on: - an inherited audit container identifier dropped when child set - process exit - unshare call that drops a net namespace - setns call that drops a net namespace Add audit container identifier auxiliary record(s) to NETFILTER_PKT event standalone records. Iterate through all potential audit container identifiers associated with a network namespace. Add the "record=" field to the A sample event: time->Thu Nov 26 10:24:47 2020 type=NETFILTER_PKT msg=audit(1606404287.984:174549): mark=0x15766399 saddr=127.0.0.1 daddr=127.0.0.1 proto=1 record=1 type=CONTAINER_ID msg=audit(1606404287.984:174549): record=1 contid=4112973747854606336,1916436506412318720 Please see the github audit kernel issue for contid net support: linux-audit/audit-kernel#92 Please see the github audit testsuiite issue for the test case: linux-audit/audit-testsuite#64 Please see the github audit wiki for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Test for kernel audit container id functionality:
See: linux-audit/audit-kernel#32
See: linux-audit/audit-kernel#90
See: linux-audit/audit-kernel#91
See: linux-audit/audit-kernel#92
See: linux-audit/audit-userspace#40
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
The text was updated successfully, but these errors were encountered: