
RFE: support audit container ID records #51

Open
rgbriggs opened this Issue Jun 6, 2018 · 5 comments

Comments

@rgbriggs (Contributor) commented Jun 6, 2018

Add userspace audit tool support for the features introduced by kernel audit container ID support.

  • AUDIT_CONTAINER_OP records
  • AUDIT_CONTAINER_ID records

See: linux-audit/audit-kernel#90
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID

@rgbriggs (Contributor, Author) commented Jun 6, 2018 (comment minimized)

@rgbriggs (Contributor, Author) commented Jul 31, 2018 (comment minimized)

fcicq pushed a commit to fcicq/chromiumos-third_party-kernel that referenced this issue Jan 20, 2019

BACKPORT: FROMLIST: audit: add container id
Implement the proc fs write to set the audit container identifier of a
process, emitting an AUDIT_CONTAINER_OP record to document the event.

This is a write from the container orchestrator task to a proc entry of
the form /proc/PID/audit_containerid where PID is the process ID of the
newly created task that is to become the first task in a container, or
an additional task added to a container.

The write expects up to a u64 value (unset: 18446744073709551615).

The writer must have capability CAP_AUDIT_CONTROL.

This will produce a record such as this:
  type=CONTAINER_ID msg=audit(2018-06-06 12:39:29.636:26949) : op=set opid=2209 old-contid=18446744073709551615 contid=123456 pid=628 auid=root uid=root tty=ttyS0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=bash exe=/usr/bin/bash res=yes

The "op" field indicates an initial set.  The "pid" to "ses" fields are
the orchestrator while the "opid" field is the object's PID, the process
being "contained".  Old and new audit container identifier values are
given in the "contid" fields, while res indicates its success.

It is not permitted to unset the audit container identifier.
A child inherits its parent's audit container identifier.

See: linux-audit/audit-kernel#90
See: linux-audit/audit-userspace#51
See: linux-audit/audit-testsuite#64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Acked-by: Steve Grubb <sgrubb@redhat.com>
(am from https://patchwork.kernel.org/patch/10551315/)

BUG=chromium:918980
TEST=Build, boot and GCP internal testing.

Changed the return value of the default audit_get_contid as the kuid_t
is a 32-bit value where the other version is a u64 failing compilation
on 32-bit kernels.

Signed-off-by: Thomas Garnier <thgarnie@google.com>
Change-Id: Iee61e96d015715f1dde24f92c230f14410cb5a79
Reviewed-on: https://chromium-review.googlesource.com/1379655
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
Reviewed-by: Robert Kolchmeyer <rkolchmeyer@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
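The record format quoted in the commit message above is what the userspace tooling requested in this issue would have to consume. The following is an added example, not code from this issue, from audit-userspace or from the referenced commit: a small Python parser for the interpreted CONTAINER_ID record as it appears in the commit message, which separates the orchestrator fields (pid, auid, uid, tty, ses) from the contained process (opid), decodes the old and new container identifiers, and classifies the operation, treating a new contid equal to the unset sentinel as an anomaly because the commit states that unsetting is not permitted. The function names, the classification labels and the returned dictionary layout are my own assumptions; the sample record is the one quoted above, embedded here as constructed input.

```python
import re

# Sentinel the kernel uses for "no audit container identifier": u64 max,
# as stated in the commit message above.
AUDIT_CID_UNSET = 18446744073709551615

# Constructed sample input: the CONTAINER_ID record quoted in the commit message.
SAMPLE_RECORD = (
    "type=CONTAINER_ID msg=audit(2018-06-06 12:39:29.636:26949) : op=set opid=2209 "
    "old-contid=18446744073709551615 contid=123456 pid=628 auid=root uid=root tty=ttyS0 "
    "ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=bash "
    "exe=/usr/bin/bash res=yes"
)

# The msg=audit(...) header contains a space in the interpreted timestamp, so it is
# pulled out first; the remaining fields are plain key=value tokens.
_MSG_RE = re.compile(r"msg=audit\(([^()]+):(\d+)\)")
_FIELD_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record line into a dict of its fields (hypothetical helper)."""
    m = _MSG_RE.search(line)
    if not m:
        raise ValueError("record has no msg=audit(...) header")
    timestamp, serial = m.group(1), int(m.group(2))
    rest = line[: m.start()] + line[m.end():]
    fields = {key: value.strip('"') for key, value in _FIELD_RE.findall(rest)}
    fields["_timestamp"] = timestamp
    fields["_serial"] = serial
    return fields


def interpret_container_id(fields):
    """Classify a CONTAINER_ID record; returns None for other record types (hypothetical helper)."""
    if fields.get("type") != "CONTAINER_ID":
        return None
    old_cid = int(fields["old-contid"])
    new_cid = int(fields["contid"])
    if new_cid == AUDIT_CID_UNSET:
        # The kernel does not permit unsetting; seeing this would warrant a closer look.
        kind = "unset-attempt"
    elif old_cid == AUDIT_CID_UNSET:
        kind = "initial-set"
    else:
        kind = "change"
    return {
        "kind": kind,
        "op": fields.get("op"),
        # "pid" to "ses" describe the orchestrator that performed the write.
        "orchestrator_pid": int(fields["pid"]),
        "orchestrator_auid": fields.get("auid"),
        "orchestrator_ses": fields.get("ses"),
        # "opid" is the process being contained.
        "contained_pid": int(fields["opid"]),
        "old_contid": old_cid,
        "new_contid": new_cid,
        "success": fields.get("res") == "yes",
        "serial": fields["_serial"],
    }


def summarize(line):
    """One-line human summary for a CONTAINER_ID record, or None for other types."""
    info = interpret_container_id(parse_record(line))
    if info is None:
        return None
    return (
        f"{info['kind']}: pid {info['contained_pid']} -> contid {info['new_contid']} "
        f"(was {info['old_contid']}) by orchestrator pid {info['orchestrator_pid']} "
        f"auid={info['orchestrator_auid']} res={'ok' if info['success'] else 'fail'}"
    )


if __name__ == "__main__":
    print(summarize(SAMPLE_RECORD))
```

The parser keys on the interpreted form shown in the commit message (auid=root rather than a numeric auid); raw records from the kernel would carry numeric values in the same positions, and the classification logic is unchanged for them.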
@rgbriggs (Contributor, Author): comment minimized

@rgbriggs (Contributor, Author): comment minimized

@rgbriggs (Contributor, Author) commented Apr 10, 2019 (comment minimized)
