Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RFE: test for audit container ID functionality #64

Open
rgbriggs opened this issue Mar 1, 2018 · 10 comments · May be fixed by #91
Open

RFE: test for audit container ID functionality #64

rgbriggs opened this issue Mar 1, 2018 · 10 comments · May be fixed by #91

Comments

@rgbriggs
Copy link
Member

@rgbriggs rgbriggs commented Mar 1, 2018

Test for kernel audit container id functionality:

  • prohibit unsetting
  • prohibit self-setting
  • prohibit setting again
  • prohibit without CAP_AUDIT_CONTROL
  • verify AUDIT_CONTAINER record
  • verify auditctl containerid filter
  • verify kernel AUDIT_CONTAINERID filter functionality
  • verify AUDIT_CONTAINER_INFO record

See: linux-audit/audit-kernel#32
See: linux-audit/audit-kernel#90
See: linux-audit/audit-kernel#91
See: linux-audit/audit-kernel#92
See: linux-audit/audit-userspace#40
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID

@rgbriggs
Copy link
Member Author

@rgbriggs rgbriggs commented Mar 1, 2018

Here's an updated test script:

#!/bin/sh

#test self-set, should succeed
echo 123455 > /proc/$$/audit_containerid || echo self-write should have succeeded
ausearch -ts boot |grep " contid=123455" || echo self-write success record should appear

#setup for several tests
sleep 5&
child=$!; sleep 1

#test unset, should fail
echo 18446744073709551615 > /proc/$child/audit_containerid && echo write unset should have failed
ausearch -ts boot |grep " contid=18446744073709551615" || echo write unset failure record should appear

#test first set, should pass
echo 123456 > /proc/$child/audit_containerid || echo write set should have succeeded
ausearch -ts boot |grep " contid=123456" || echo write set record success should appear

#test set again, should fail
echo 123457 > /proc/$child/audit_containerid && echo write set again should have failed
ausearch -ts boot |grep " contid=123457" || echo write set again record failure should appear

#test set child with child, should fail
#FIXME, doesn't spawn child of child
bash -c "sleep 1"&
child2=$!
echo 123458 > /proc/$child2/audit_containerid && echo write set child with child should fail
ausearch -ts boot |grep " contid=123458" || echo write set child with child failure record should appear
echo self:$$ contid:$(cat /proc/$$/audit_containerid)
echo child:$child contid:$(cat /proc/$child/audit_containerid)
echo child2:$child2 contid:$(cat /proc/$child2/audit_containerid)

#test filter on containerid
containerid=123459
key=tmpcontainerid
auditctl -a exit,always -F dir=/tmp -F perm=wa -F contid=$containerid -F key=$key || echo failed to add containerid filter rule
perl -e "sleep 1; open(my \$tmpfile, '>', \"/tmp/$key\"); close(\$tmpfile);" &
child3=$!
echo $containerid > /proc/$child3/audit_containerid || echo failed to set containerid on file open task
sleep 2
rm -f /tmp/$key
ausearch -i -ts boot -k $key || echo failed to find CONTAINER record
auditctl -d exit,always -F dir=/tmp -F perm=wa -F contid=$containerid -F key=$key || echo failed to del containerid filter rule
@The-Mule
Copy link
Member

@The-Mule The-Mule commented Jul 17, 2018

Just for the record. We agreed that I will assist Richard with transforming bash test script mentioned above into Perl so that it fits into audit regression test suite.

@pcmoore pcmoore changed the title RFE: test for container id functionality RFE: test for audit container ID functionality Jul 17, 2018
@pcmoore
Copy link
Member

@pcmoore pcmoore commented Jul 17, 2018

Great, thanks for letting me know. I went ahead and assigned this task to both of you :)

@rgbriggs
Copy link
Member Author

@rgbriggs rgbriggs commented Jul 31, 2018

Test netfilter packet audit container identifier auxiliary records:

#test multiple containers on one netns
# create two child processes
sleep 5 &
child4=$!
containerid1=123451
echo $containerid1 > /proc/$child4/audit_containerid || echo failed to set containerid on child4
sleep 5 &
child5=$!
containerid2=123452
echo $containerid2 > /proc/$child5/audit_containerid || echo failed to set containerid on child5
# set up audit rules in netfilter and send a test packet
iptables -I INPUT -i lo -p icmp --icmp-type echo-request -j AUDIT --type accept
iptables -I INPUT  -t mangle -i lo -p icmp --icmp-type echo-request -j MARK --set-mark 0x12345555
sleep 1;
#ping -c 1 127.0.0.1
bash -c "ping -q -c 1 127.0.0.1 >/dev/null 2>&1"
sleep 1;
iptables -D INPUT -i lo -p icmp --icmp-type echo-request -j AUDIT --type accept
iptables -D INPUT  -t mangle -i lo -p icmp --icmp-type echo-request -j MARK --set-mark 0x12345555
ausearch -i -m NETFILTER_PKT -ts recent|grep mark=0x12345555 || echo failed to find NETFILTER_PKT record
ausearch -i -m NETFILTER_PKT -ts recent|grep contid=|grep $containerid1|grep $containerid2 || echo failed to find CONTAINER record
@The-Mule
Copy link
Member

@The-Mule The-Mule commented Aug 3, 2018

Just out of curiosity, aforementioned test is currently the only way to test container ID, is that correct? Because no container tool / orchestrator [*] supports this yet. I just want to make sure I understand it well - first, we need to have this container-id functionality in kernel. Then each orchestration willing to support container auditing must implement it (ie. create container id associated with container process).

Now suppose I have a Fedora machine with a container and I will trigger audit event from that container. What will happen? Will I see the event on host machine? What happens if my host machine does have container-id support, I will create container-id in /proc/ and trigger event from the container?

I am sorry for such silly questions.

@rgbriggs
Copy link
Member Author

@rgbriggs rgbriggs commented Aug 3, 2018

fcicq pushed a commit to fcicq/chromiumos-third_party-kernel that referenced this issue Jan 20, 2019
Implement the proc fs write to set the audit container identifier of a
process, emitting an AUDIT_CONTAINER_OP record to document the event.

This is a write from the container orchestrator task to a proc entry of
the form /proc/PID/audit_containerid where PID is the process ID of the
newly created task that is to become the first task in a container, or
an additional task added to a container.

The write expects up to a u64 value (unset: 18446744073709551615).

The writer must have capability CAP_AUDIT_CONTROL.

This will produce a record such as this:
  type=CONTAINER_ID msg=audit(2018-06-06 12:39:29.636:26949) : op=set opid=2209 old-contid=18446744073709551615 contid=123456 pid=628 auid=root uid=root tty=ttyS0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=bash exe=/usr/bin/bash res=yes

The "op" field indicates an initial set.  The "pid" to "ses" fields are
the orchestrator while the "opid" field is the object's PID, the process
being "contained".  Old and new audit container identifier values are
given in the "contid" fields, while res indicates its success.

It is not permitted to unset the audit container identifier.
A child inherits its parent's audit container identifier.

See: linux-audit/audit-kernel#90
See: linux-audit/audit-userspace#51
See: linux-audit/audit-testsuite#64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Acked-by: Steve Grubb <sgrubb@redhat.com>
(am from https://patchwork.kernel.org/patch/10551315/)

BUG=chromium:918980
TEST=Build, boot and GCP internal testing.

Changed the return value of the default audit_get_contid as the kuid_t
is a 32-bit value where the other version is a u64 failing compilation
on 32-bit kernels.

Signed-off-by: Thomas Garnier <thgarnie@google.com>
Change-Id: Iee61e96d015715f1dde24f92c230f14410cb5a79
Reviewed-on: https://chromium-review.googlesource.com/1379655
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
Reviewed-by: Robert Kolchmeyer <rkolchmeyer@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
rgbriggs added a commit to rgbriggs/audit-testsuite that referenced this issue Apr 9, 2019
See: linux-audit#64

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
rgbriggs added a commit to rgbriggs/audit-testsuite that referenced this issue Apr 10, 2019
See: linux-audit#64

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
rgbriggs added a commit to rgbriggs/audit-testsuite that referenced this issue Apr 10, 2019
See: linux-audit#64

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
rgbriggs added a commit to rgbriggs/audit-testsuite that referenced this issue Apr 10, 2019
See: linux-audit#64

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
rgbriggs added a commit to rgbriggs/audit-testsuite that referenced this issue Apr 10, 2019
See: linux-audit#64

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
rgbriggs added a commit to rgbriggs/audit-testsuite that referenced this issue Apr 10, 2019
See: linux-audit#64

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
rgbriggs added a commit to rgbriggs/audit-testsuite that referenced this issue Apr 10, 2019
See: linux-audit#64

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
rgbriggs added a commit to rgbriggs/audit-testsuite that referenced this issue Apr 10, 2019
See: linux-audit#64

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
@rgbriggs
Copy link
Member Author

@rgbriggs rgbriggs commented Apr 10, 2019

V1 PR: #83

rgbriggs added a commit to rgbriggs/audit-userspace that referenced this issue May 28, 2019
This defines the message number for the audit container identifier
registration record should the kernel headers not be up to date, gives
the record number a name for printing and allows the record to be
interpreted since it is in the 1000 range like AUDIT_LOGIN.

See: linux-audit#51
See: linux-audit/audit-kernel#90
See: linux-audit/audit-testsuite#64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
rgbriggs added a commit to rgbriggs/audit-userspace that referenced this issue Jun 26, 2020
Add support to be able to set a capability to allow a task to set the
audit container identifier of descendants.

See: linux-audit#51
See: linux-audit/audit-kernel#90
See: linux-audit/audit-testsuite#64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID

Add the audit_get_capcontid() and audit_set_capcontid() calls analogous
to CAP_AUDIT_CONTROL for descendant user namespaces.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
rgbriggs added a commit to rgbriggs/audit-userspace that referenced this issue Jun 27, 2020
Add support to be able to set a capability to allow a task to set the
audit container identifier of descendants.

See: linux-audit#51
See: linux-audit/audit-kernel#90
See: linux-audit/audit-testsuite#64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID

Add the audit_get_capcontid() and audit_set_capcontid() calls analogous
to CAP_AUDIT_CONTROL for descendant user namespaces.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
@rgbriggs
Copy link
Member Author

@rgbriggs rgbriggs commented Jun 27, 2020

Forced update of testsuite to accomodate nesting features for v9 kernel and userspace

fengguang pushed a commit to 0day-ci/linux that referenced this issue Jun 27, 2020
Implement the proc fs write to set the audit container identifier of a
process, emitting an AUDIT_CONTAINER_OP record to document the event.

This is a write from the container orchestrator task to a proc entry of
the form /proc/PID/audit_containerid where PID is the process ID of the
newly created task that is to become the first task in a container, or
an additional task added to a container.

The write expects up to a u64 value (unset: 18446744073709551615).

The writer must have capability CAP_AUDIT_CONTROL.

This will produce a record such as this:
  type=CONTAINER_OP msg=audit(2018-06-06 12:39:29.636:26949) : op=set opid=2209 contid=123456 old-contid=18446744073709551615

The "op" field indicates an initial set.  The "opid" field is the
object's PID, the process being "contained".  New and old audit
container identifier values are given in the "contid" fields.

It is not permitted to unset the audit container identifier.
A child inherits its parent's audit container identifier.

Store the audit container identifier in a refcounted kernel object that
is added to the master list of audit container identifiers.  This will
allow multiple container orchestrators/engines to work on the same
machine without danger of inadvertantly re-using an existing identifier.
It will also allow an orchestrator to inject a process into an existing
container by checking if the original container owner is the one
injecting the task.  A hash table list is used to optimize searches.

Please see the github audit kernel issue for the main feature:
  linux-audit/audit-kernel#90
Please see the github audit userspace issue for supporting additions:
  linux-audit/audit-userspace#51
Please see the github audit testsuiite issue for the test case:
  linux-audit/audit-testsuite#64
Please see the github audit wiki for the feature overview:
  https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Acked-by: Steve Grubb <sgrubb@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
fengguang pushed a commit to 0day-ci/linux that referenced this issue Jun 27, 2020
Create a new audit record AUDIT_CONTAINER_ID to document the audit
container identifier of a process if it is present.

Called from audit_log_exit(), syscalls are covered.

Include target_cid references from ptrace and signal.

A sample raw event:
type=SYSCALL msg=audit(1519924845.499:257): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=56374e1cef30 a2=241 a3=1b6 items=2 ppid=606 pid=635 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="tmpcontainerid"
type=CWD msg=audit(1519924845.499:257): cwd="/root"
type=PATH msg=audit(1519924845.499:257): item=0 name="/tmp/" inode=13863 dev=00:27 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype= PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=PATH msg=audit(1519924845.499:257): item=1 name="/tmp/tmpcontainerid" inode=17729 dev=00:27 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1519924845.499:257): proctitle=62617368002D6300736C65657020313B206563686F2074657374203E202F746D702F746D70636F6E7461696E65726964
type=CONTAINER_ID msg=audit(1519924845.499:257): contid=123458

Please see the github audit kernel issue for the main feature:
  linux-audit/audit-kernel#90
Please see the github audit userspace issue for supporting additions:
  linux-audit/audit-userspace#51
Please see the github audit testsuiite issue for the test case:
  linux-audit/audit-testsuite#64
Please see the github audit wiki for the feature overview:
  https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Acked-by: Steve Grubb <sgrubb@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
fengguang pushed a commit to 0day-ci/linux that referenced this issue Jun 27, 2020
Implement audit container identifier filtering using the AUDIT_CONTID
field name to send an 8-character string representing a u64 since the
value field is only u32.

Sending it as two u32 was considered, but gathering and comparing two
fields was more complex.

The feature indicator is AUDIT_FEATURE_BITMAP_CONTAINERID.

Please see the github audit kernel issue for the contid filter feature:
  linux-audit/audit-kernel#91
Please see the github audit userspace issue for filter additions:
  linux-audit/audit-userspace#40
Please see the github audit testsuiite issue for the test case:
  linux-audit/audit-testsuite#64
Please see the github audit wiki for the feature overview:
  https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
fengguang pushed a commit to 0day-ci/linux that referenced this issue Jun 27, 2020
This also adds support to qualify NETFILTER_PKT records.

Audit events could happen in a network namespace outside of a task
context due to packets received from the net that trigger an auditing
rule prior to being associated with a running task.  The network
namespace could be in use by multiple containers by association to the
tasks in that network namespace.  We still want a way to attribute
these events to any potential containers.  Keep a list per network
namespace to track these audit container identifiiers.

Add/increment the audit container identifier on:
- initial setting of the audit container identifier via /proc
- clone/fork call that inherits an audit container identifier
- unshare call that inherits an audit container identifier
- setns call that inherits an audit container identifier
Delete/decrement the audit container identifier on:
- an inherited audit container identifier dropped when child set
- process exit
- unshare call that drops a net namespace
- setns call that drops a net namespace

Add audit container identifier auxiliary record(s) to NETFILTER_PKT
event standalone records.  Iterate through all potential audit container
identifiers associated with a network namespace.

Please see the github audit kernel issue for contid net support:
  linux-audit/audit-kernel#92
Please see the github audit testsuiite issue for the test case:
  linux-audit/audit-testsuite#64
Please see the github audit wiki for the feature overview:
  https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
rgbriggs added a commit to rgbriggs/audit-testsuite that referenced this issue Sep 29, 2020
See: linux-audit#64

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
rgbriggs added a commit to rgbriggs/audit-testsuite that referenced this issue Sep 29, 2020
See: linux-audit#64

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
rgbriggs added a commit to rgbriggs/audit-testsuite that referenced this issue Sep 29, 2020
See: linux-audit#64

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
rgbriggs added a commit to rgbriggs/audit-testsuite that referenced this issue Nov 18, 2020
See: linux-audit#64

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
rgbriggs added a commit to rgbriggs/audit-userspace that referenced this issue Nov 26, 2020
A u64 container identifier has been added to the kernel view of tasks.
This allows container orchestrators to label tasks with a unique
tamperproof identifier that gets inherited by its children to be able to
track the provenance of actions by a container.

Add support to libaudit and auditctl for the AUDIT_CONTID field to
filter based on audit container identifier.  This field is specified
with the "contid" field name on the command line.

Since it is a u64 and larger than any other numeric field, send it as a
string but do the appropriate conversions on each end in each direction.

See: linux-audit#40
See: linux-audit/audit-kernel#91
See: linux-audit/audit-testsuite#64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
rgbriggs added a commit to rgbriggs/audit-userspace that referenced this issue Nov 26, 2020
Add support to be able to set a capability to allow a task to set the
audit container identifier of descendants.

See: linux-audit#51
See: linux-audit/audit-kernel#90
See: linux-audit/audit-testsuite#64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID

Add the audit_get_capcontid() and audit_set_capcontid() calls analogous
to CAP_AUDIT_CONTROL for descendant user namespaces.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
rgbriggs added a commit to rgbriggs/audit-userspace that referenced this issue Nov 26, 2020
This defines the message number for the audit container identifier
registration record should the kernel headers not be up to date, gives
the record number a name for printing and allows the record to be
interpreted since it is in the 1000 range like AUDIT_LOGIN.

See: linux-audit#51
See: linux-audit/audit-kernel#90
See: linux-audit/audit-testsuite#64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
rgbriggs added a commit to rgbriggs/audit-userspace that referenced this issue Nov 26, 2020
This defines the message number for the audit container identifier
information record should the kernel headers not be up to date and gives
the record number a name for printing.

See: linux-audit#51
See: linux-audit/audit-kernel#90
See: linux-audit/audit-testsuite#64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
rgbriggs added a commit to rgbriggs/audit-userspace that referenced this issue Nov 26, 2020
A u64 container identifier has been added to the kernel view of tasks.
This allows container orchestrators to label tasks with a unique
tamperproof identifier that gets inherited by its children to be able to
track the provenance of actions by a container.

Add support to libaudit and auditctl for the AUDIT_CONTID field to
filter based on audit container identifier.  This field is specified
with the "contid" field name on the command line.

Since it is a u64 and larger than any other numeric field, send it as a
string but do the appropriate conversions on each end in each direction.

See: linux-audit#40
See: linux-audit/audit-kernel#91
See: linux-audit/audit-testsuite#64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
rgbriggs added a commit to rgbriggs/audit-userspace that referenced this issue Nov 26, 2020
Add support to be able to set a capability to allow a task to set the
audit container identifier of descendants.

See: linux-audit#51
See: linux-audit/audit-kernel#90
See: linux-audit/audit-testsuite#64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID

Add the audit_get_capcontid() and audit_set_capcontid() calls analogous
to CAP_AUDIT_CONTROL for descendant user namespaces.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
rgbriggs added a commit to rgbriggs/audit-userspace that referenced this issue Dec 18, 2020
This defines the message number for the audit container identifier
registration record should the kernel headers not be up to date, gives
the record number a name for printing and allows the record to be
interpreted since it is in the 1000 range like AUDIT_LOGIN.

See: linux-audit#51
See: linux-audit/audit-kernel#90
See: linux-audit/audit-testsuite#64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
rgbriggs added a commit to rgbriggs/audit-userspace that referenced this issue Dec 18, 2020
This defines the message number for the audit container identifier
information record should the kernel headers not be up to date and gives
the record number a name for printing.

See: linux-audit#51
See: linux-audit/audit-kernel#90
See: linux-audit/audit-testsuite#64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
rgbriggs added a commit to rgbriggs/audit-userspace that referenced this issue Dec 18, 2020
A u64 container identifier has been added to the kernel view of tasks.
This allows container orchestrators to label tasks with a unique
tamperproof identifier that gets inherited by its children to be able to
track the provenance of actions by a container.

Add support to libaudit and auditctl for the AUDIT_CONTID field to
filter based on audit container identifier.  This field is specified
with the "contid" field name on the command line.

Since it is a u64 and larger than any other numeric field, send it as a
string but do the appropriate conversions on each end in each direction.

See: linux-audit#40
See: linux-audit/audit-kernel#91
See: linux-audit/audit-testsuite#64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
rgbriggs added a commit to rgbriggs/audit-userspace that referenced this issue Dec 18, 2020
Add support to be able to set a capability to allow a task to set the
audit container identifier of descendants.

See: linux-audit#51
See: linux-audit/audit-kernel#90
See: linux-audit/audit-testsuite#64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID

Add the audit_get_capcontid() and audit_set_capcontid() calls analogous
to CAP_AUDIT_CONTROL for descendant user namespaces.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
fengguang pushed a commit to 0day-ci/linux that referenced this issue Dec 22, 2020
Implement the proc fs write to set the audit container identifier of a
process, emitting an AUDIT_CONTAINER_OP record to document the event.

This is a write from the container orchestrator task to a proc entry of
the form /proc/PID/audit_containerid where PID is the process ID of the
newly created task that is to become the first task in a container, or
an additional task added to a container.

The write expects up to a u64 value (unset: 18446744073709551615).

The writer must have capability CAP_AUDIT_CONTROL.

This will produce a record such as this:
time->Thu Nov 26 10:24:46 2020
type=PROCTITLE msg=audit(1606404286.956:174546): proctitle=2F7573722F62696E2F7065726C002D7700636F6E7461696E657269642F74657374
type=SYSCALL msg=audit(1606404286.956:174546): arch=c000003e syscall=1 success=yes exit=19 a0=6 a1=557446a6a650 a2=13 a3=8 items=0 ppid=6827 pid=8724 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="perl" exe="/usr/bin/perl" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CONTAINER_OP msg=audit(1606404286.956:174546): op=set opid=8771 contid=4112973747854606336 old-contid=-1

The "op" field indicates an initial set.  The "opid" field is the
object's PID, the process being "contained".  New and old audit
container identifier values are given in the "contid" fields.

It is not permitted to unset the audit container identifier.
A child inherits its parent's audit container identifier.

Store the audit container identifier in a refcounted kernel object that
is added to the master list of audit container identifiers.  This will
allow multiple container orchestrators/engines to work on the same
machine without danger of inadvertantly re-using an existing identifier.
It will also allow an orchestrator to inject a process into an existing
container by checking if the original container owner is the one
injecting the task.  A hash table list is used to optimize searches.

audit: log drop of contid on exit of last task

Since the life of each audit container indentifier is being tracked, we can
match the creation event with the destruction event.  Log the destruction of
the audit container identifier when the last process in that container exits.

Add support for reading the audit container identifier from the proc
filesystem.  This is a read from the proc entry of the form
/proc/PID/audit_containerid where PID is the process ID of the task
whose audit container identifier is sought.  The read expects up to a u64 value
(unset: 18446744073709551615).  This read requires CAP_AUDIT_CONTROL.

Add an entry to Documentation/ABI for /proc/$pid/audit_containerid.

Please see the github audit kernel issue for the main feature:
  linux-audit/audit-kernel#90
Please see the github audit userspace issue for supporting additions:
  linux-audit/audit-userspace#51
Please see the github audit testsuiite issue for the test case:
  linux-audit/audit-testsuite#64
Please see the github audit wiki for the feature overview:
  https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Acked-by: Steve Grubb <sgrubb@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
fengguang pushed a commit to 0day-ci/linux that referenced this issue Dec 22, 2020
Create a new audit record AUDIT_CONTAINER_ID to document the audit
container identifier of a process if it is present.

Called from audit_log_exit(), syscalls are covered.

Include target_cid references from ptrace and signal.

A sample raw event:
time->Thu Nov 26 10:24:40 2020
type=PROCTITLE msg=audit(1606404280.226:174542): proctitle=2F7573722F62696E2F7065726C002D7700636F6E7461696E657269642F74657374
type=PATH msg=audit(1606404280.226:174542): item=1 name="/tmp/audit-testsuite-dir-8riQ/testsuite-1606404267-WNldVJCr" inode=428 dev=00:1f mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1606404280.226:174542): item=0 name="/tmp/audit-testsuite-dir-8riQ/" inode=427 dev=00:1f mode=040700 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1606404280.226:174542): cwd="/root/rgb/git/audit-testsuite/tests"
type=SYSCALL msg=audit(1606404280.226:174542): arch=c000003e syscall=257 success=yes exit=6 a0=ffffff9c a1=557446bd5f10 a2=80241 a3=1b6 items=2 ppid=8724 pid=8758 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="perl" exe="/usr/bin/perl" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="testsuite-1606404267-WNldVJCr" record=1
type=CONTAINER_ID msg=audit(1606404280.226:174542): record=1 contid=527940429489930240

Please see the github audit kernel issue for the main feature:
  linux-audit/audit-kernel#90
Please see the github audit userspace issue for supporting additions:
  linux-audit/audit-userspace#51
Please see the github audit testsuiite issue for the test case:
  linux-audit/audit-testsuite#64
Please see the github audit wiki for the feature overview:
  https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Acked-by: Steve Grubb <sgrubb@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
fengguang pushed a commit to 0day-ci/linux that referenced this issue Dec 22, 2020
Implement audit container identifier filtering using the AUDIT_CONTID
field name to send an 8-character string representing a u64 since the
value field is only u32.

Sending it as two u32 was considered, but gathering and comparing two
fields was more complex.

The feature indicator is AUDIT_FEATURE_BITMAP_CONTAINERID.

Please see the github audit kernel issue for the contid filter feature:
  linux-audit/audit-kernel#91
Please see the github audit userspace issue for filter additions:
  linux-audit/audit-userspace#40
Please see the github audit testsuiite issue for the test case:
  linux-audit/audit-testsuite#64
Please see the github audit wiki for the feature overview:
  https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
fengguang pushed a commit to 0day-ci/linux that referenced this issue Dec 22, 2020
This also adds support to qualify NETFILTER_PKT records.

Audit events could happen in a network namespace outside of a task
context due to packets received from the net that trigger an auditing
rule prior to being associated with a running task.  The network
namespace could be in use by multiple containers by association to the
tasks in that network namespace.  We still want a way to attribute
these events to any potential containers.  Keep a list per network
namespace to track these audit container identifiiers.

Add/increment the audit container identifier on:
- initial setting of the audit container identifier via /proc
- clone/fork call that inherits an audit container identifier
- unshare call that inherits an audit container identifier
- setns call that inherits an audit container identifier
Delete/decrement the audit container identifier on:
- an inherited audit container identifier dropped when child set
- process exit
- unshare call that drops a net namespace
- setns call that drops a net namespace

Add audit container identifier auxiliary record(s) to NETFILTER_PKT
event standalone records.  Iterate through all potential audit container
identifiers associated with a network namespace.

Sample event:
type=NETFILTER_PKT msg=audit(2020-11-26 10:24:47.984:174549) : mark=0x15766399 saddr=127.0.0.1 daddr=127.0.0.1 proto=icmp record=1
type=CONTAINER_ID msg=audit(2020-11-26 10:24:47.984:174549) : record=1 contid=4112973747854606336,1916436506412318720

Please see the github audit kernel issue for contid net support:
  linux-audit/audit-kernel#92
Please see the github audit testsuiite issue for the test case:
  linux-audit/audit-testsuite#64
Please see the github audit wiki for the feature overview:
  https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
rgbriggs added a commit to rgbriggs/audit-testsuite that referenced this issue Dec 24, 2020
See: linux-audit#64

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
fengguang pushed a commit to 0day-ci/linux that referenced this issue Jan 12, 2021
Implement the proc fs write to set the audit container identifier of a
process, emitting an AUDIT_CONTAINER_OP record to document the event.

This is a write from the container orchestrator task to a proc entry of
the form /proc/PID/audit_containerid where PID is the process ID of the
newly created task that is to become the first task in a container, or
an additional task added to a container.

The write expects up to a u64 value (unset: 18446744073709551615).

The writer must have capability CAP_AUDIT_CONTROL.

This will produce an event such as this with the new CONTAINER_OP record:
  time->Thu Nov 26 10:24:27 2020
  type=PROCTITLE msg=audit(1606404267.551:174524): proctitle=2F7573722F62696E2F7065726C002D7700636F6E7461696E657269642F74657374
  type=SYSCALL msg=audit(1606404267.551:174524): arch=c000003e syscall=1 success=yes exit=20 a0=6 a1=557446aa9180 a2=14 a3=100 items=0 ppid=6827 pid=8724 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="perl" exe="/usr/bin/perl" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
  type=CONTAINER_OP msg=audit(1606404267.551:174524): op=set opid=8730 contid=4515122123205246976 old-contid=-1

The "op" field indicates an initial set.  The "opid" field is the
object's PID, the process being "contained".  New and old audit
container identifier values are given in the "contid" fields.

It is not permitted to unset the audit container identifier.
A child inherits its parent's audit container identifier.

Store the audit container identifier in a refcounted kernel object that
is added to the master list of audit container identifiers.  This will
allow multiple container orchestrators/engines to work on the same
machine without danger of inadvertantly re-using an existing identifier.
It will also allow an orchestrator to inject a process into an existing
container by checking if the original container owner is the one
injecting the task.  A hash table list is used to optimize searches.

Since the life of each audit container indentifier is being tracked, we match
the creation event with the destruction event.  Log the drop of the audit
container identifier when the last process in that container exits.

Add support for reading the audit container identifier from the proc
filesystem.  This is a read from the proc entry of the form
/proc/PID/audit_containerid where PID is the process ID of the task
whose audit container identifier is sought.  The read expects up to a u64 value
(unset: (u64)-1).  This read requires CAP_AUDIT_CONTROL.

Add an entry to Documentation/ABI for /proc/$pid/audit_containerid.

Please see the github audit kernel issue for the main feature:
  linux-audit/audit-kernel#90
Please see the github audit userspace issue for supporting additions:
  linux-audit/audit-userspace#51
Please see the github audit testsuiite issue for the test case:
  linux-audit/audit-testsuite#64
Please see the github audit wiki for the feature overview:
  https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
fengguang pushed a commit to 0day-ci/linux that referenced this issue Jan 12, 2021
Create a new audit record AUDIT_CONTAINER_ID to document the audit
container identifier of a process if it is present.

Called from audit_log_exit(), syscalls are covered.

Include target_cid references from ptrace and signal.

A sample raw event:
  time->Thu Nov 26 10:24:40 2020
  type=PROCTITLE msg=audit(1606404280.226:174542): proctitle=2F7573722F62696E2F7065726C002D7700636F6E7461696E657269642F74657374
  type=PATH msg=audit(1606404280.226:174542): item=1 name="/tmp/audit-testsuite-dir-8riQ/testsuite-1606404267-WNldVJCr" inode=428 dev=00:1f mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
  type=PATH msg=audit(1606404280.226:174542): item=0 name="/tmp/audit-testsuite-dir-8riQ/" inode=427 dev=00:1f mode=040700 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
  type=CWD msg=audit(1606404280.226:174542): cwd="/root/rgb/git/audit-testsuite/tests"
  type=SYSCALL msg=audit(1606404280.226:174542): arch=c000003e syscall=257 success=yes exit=6 a0=ffffff9c a1=557446bd5f10 a2=80241 a3=1b6 items=2 ppid=8724 pid=8758 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="perl" exe="/usr/bin/perl" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="testsuite-1606404267-WNldVJCr" record=1
  type=CONTAINER_ID msg=audit(1606404280.226:174542): record=1 contid=527940429489930240

Please see the github audit kernel issue for the main feature:
  linux-audit/audit-kernel#90
Please see the github audit userspace issue for supporting additions:
  linux-audit/audit-userspace#51
Please see the github audit testsuiite issue for the test case:
  linux-audit/audit-testsuite#64
Please see the github audit wiki for the feature overview:
  https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
fengguang pushed a commit to 0day-ci/linux that referenced this issue Jan 12, 2021
Implement audit container identifier filtering using the AUDIT_CONTID
field name to send an 8-character string representing a u64 since the
value field is only u32.

Sending it as two u32 was considered, but gathering and comparing two
fields was more complex.

The feature indicator is AUDIT_FEATURE_BITMAP_CONTAINERID.

Please see the github audit kernel issue for the contid filter feature:
  linux-audit/audit-kernel#91
Please see the github audit userspace issue for filter additions:
  linux-audit/audit-userspace#40
Please see the github audit testsuiite issue for the test case:
  linux-audit/audit-testsuite#64
Please see the github audit wiki for the feature overview:
  https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
fengguang pushed a commit to 0day-ci/linux that referenced this issue Jan 12, 2021
This also adds support to qualify NETFILTER_PKT records.

Audit events could happen in a network namespace outside of a task
context due to packets received from the net that trigger an auditing
rule prior to being associated with a running task.  The network
namespace could be in use by multiple containers by association to the
tasks in that network namespace.  We still want a way to attribute
these events to any potential containers.  Keep a list per network
namespace to track these audit container identifiiers.

Add/increment the audit container identifier on:
- initial setting of the audit container identifier via /proc
- clone/fork call that inherits an audit container identifier
- unshare call that inherits an audit container identifier
- setns call that inherits an audit container identifier
Delete/decrement the audit container identifier on:
- an inherited audit container identifier dropped when child set
- process exit
- unshare call that drops a net namespace
- setns call that drops a net namespace

Add audit container identifier auxiliary record(s) to NETFILTER_PKT
event standalone records.  Iterate through all potential audit container
identifiers associated with a network namespace.  Add the "record=" field to the

A sample event:
  time->Thu Nov 26 10:24:47 2020
  type=NETFILTER_PKT msg=audit(1606404287.984:174549): mark=0x15766399 saddr=127.0.0.1 daddr=127.0.0.1 proto=1 record=1
  type=CONTAINER_ID msg=audit(1606404287.984:174549): record=1 contid=4112973747854606336,1916436506412318720

Please see the github audit kernel issue for contid net support:
  linux-audit/audit-kernel#92
Please see the github audit testsuiite issue for the test case:
  linux-audit/audit-testsuite#64
Please see the github audit wiki for the feature overview:
  https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

3 participants