forked from linux-audit/audit-userspace
libaudit: add support to get and set capcontid on a task
Add support to be able to set a capability to allow a task to set the audit container identifier of descendants.

See: linux-audit#51
See: linux-audit/audit-kernel#90
See: linux-audit/audit-testsuite#64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID

Add the audit_get_capcontid() and audit_set_capcontid() calls analogous to CAP_AUDIT_CONTROL for descendant user namespaces.

Signed-off-by: Richard Guy Briggs <[email protected]>
Showing 11 changed files with 129 additions and 0 deletions.
@@ -0,0 +1,25 @@ | ||
.TH "AUDIT_GET_CAPCONTID" "26" "Aug 2019" "Red Hat" "Linux Audit API" | ||
.SH NAME | ||
audit_get_capcontid \- Get a program's capability container id value | ||
.SH SYNOPSIS | ||
.B #include <libaudit.h> | ||
.sp | ||
int audit_get_capcontid(pid_t pid); | ||
|
||
.SH DESCRIPTION | ||
This function returns the pid task's audit capability container identifier attribute. | ||
|
||
.SH "RETURN VALUE" | ||
|
||
This function returns the audit capability container identifier value if it is implemented. It will return a \-1 if the audit capability container identifier is unavailable. | ||
|
||
.SH "ERRORS" | ||
|
||
This function returns \-2 on failure. Additionally, in the event of a real error, errno would be set. The function can set errno based on failures of open, read, or strtoull. | ||
|
||
.SH "SEE ALSO" | ||
|
||
.BR audit_set_capcontid (3). | ||
|
||
.SH AUTHOR | ||
Richard Guy Briggs |
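Review bot: The .TH line puts "26" in the manual-section argument and "Aug 2019" in the date argument, so this page would be filed under section 26 instead of section 3 (the section SEE ALSO itself uses for audit_set_capcontid (3)); it should read `.TH "AUDIT_GET_CAPCONTID" "3" "26 Aug 2019" "Red Hat" "Linux Audit API"`. The RETURN VALUE and ERRORS sections also give two different failure values (\-1 when the identifier is unavailable, \-2 on failure) without saying which one a caller should test or whether errno is meaningful after a \-1; one sentence separating "not implemented by this kernel" from "error while reading the value" would let callers degrade gracefully on older kernels instead of treating both as hard errors.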
@@ -0,0 +1,24 @@ | ||
.TH "AUDIT_SET_CAPCONTID" "26" "Aug 2019" "Red Hat" "Linux Audit API" | ||
.SH NAME | ||
audit_set_capcontid \- Set a program's capability container id value | ||
.SH SYNOPSIS | ||
.B #include <libaudit.h> | ||
.sp | ||
int audit_set_capcontid(pid_t pid, uint32_t capcontid); | ||
|
||
.SH "DESCRIPTION" | ||
|
||
This function sets the pid task's attribute capability container id with the value of capcontid. The capcontid value may only be set by programs with the CAP_AUDIT_CONTROL capability in the initial user namespace or with capcontid. This normally means the root account or root in a container. | ||
.sp | ||
The capcontid value is part of the task structure and is inheritted by child processes within a user namespace. It is used to enable the capability to set container identifier of a child task in a descendent user namespace. Container orchestrator/engines should set this value only on children it wishes to be able to set audit container identifiers. | ||
|
||
.SH "RETURN VALUE" | ||
|
||
This function returns 0 on success and non-zero otherwise. | ||
|
||
.SH "SEE ALSO" | ||
|
||
.BR audit_get_capcontid (3). | ||
|
||
.SH AUTHOR | ||
Richard Guy Briggs |
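Review bot: Same .TH section/date mix-up as the get page: `"26"` sits in the section slot and should be `"3"`, with `"26 Aug 2019"` as the date. In DESCRIPTION, "inheritted" and "descendent" are misspelled (inherited, descendant), and "Container orchestrator/engines should set this value only on children it wishes" mixes singular and plural. RETURN VALUE says "non-zero otherwise" but, unlike audit_get_capcontid(3), there is no ERRORS section saying whether errno is set or what the non-zero values mean; since this call grants a child the ability to set audit container identifiers, callers need a documented way to tell an unsupported kernel apart from a permission failure. The phrase "or with capcontid" is also ambiguous and should state explicitly that it refers to the calling task having its own capcontid attribute set, which is what lets a task without CAP_AUDIT_CONTROL in the initial user namespace succeed.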