| Message ID | e9310d6d9d909f4ac7ef1b688fbb0263711f9a24.1593198710.git.rgb@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | audit: implement container identifier | expand |
On Sat, Jun 27, 2020 at 9:22 AM Richard Guy Briggs <rgb@redhat.com> wrote: > > Since we are tracking the life of each audit container indentifier, we > can match the creation event with the destruction event. Log the > destruction of the audit container identifier when the last process in > that container exits. > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > --- > kernel/audit.c | 20 ++++++++++++++++++++ > kernel/audit.h | 2 ++ > kernel/auditsc.c | 2 ++ > 3 files changed, 24 insertions(+) If you end up respinning this patchset it seems like this should be merged in with patch 2/13. This way patch 2/13 would include both the "set" and "drop" records, making that patch a bit more useful on it's own. > diff --git a/kernel/audit.c b/kernel/audit.c > index 6d387793f702..9e0b38ce1ead 100644 > --- a/kernel/audit.c > +++ b/kernel/audit.c > @@ -2558,6 +2558,26 @@ int audit_set_contid(struct task_struct *task, u64 contid) > return rc; > } > > +void audit_log_container_drop(void) > +{ > + struct audit_buffer *ab; > + struct audit_contobj *cont; > + > + rcu_read_lock(); > + cont = _audit_contobj_get(current); > + _audit_contobj_put(cont); > + if (!cont || refcount_read(&cont->refcount) > 1) > + goto out; > + ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_CONTAINER_OP); You may want to check on sleeping with RCU locks held, or just use GFP_ATOMIC to be safe. > + if (!ab) > + goto out; > + audit_log_format(ab, "op=drop opid=%d contid=%llu old-contid=%llu", > + task_tgid_nr(current), cont->id, cont->id); > + audit_log_end(ab); > +out: > + rcu_read_unlock(); > +} > + > /** > * audit_log_end - end one audit record > * @ab: the audit_buffer > diff --git a/kernel/audit.h b/kernel/audit.h > index 182fc76ea276..d07093903008 100644 > --- a/kernel/audit.h > +++ b/kernel/audit.h > @@ -254,6 +254,8 @@ extern void audit_log_d_path_exe(struct audit_buffer *ab, > extern struct tty_struct *audit_get_tty(void); > extern void audit_put_tty(struct tty_struct *tty); > > +extern void audit_log_container_drop(void); > + > /* audit watch/mark/tree functions */ > #ifdef CONFIG_AUDITSYSCALL > extern unsigned int audit_serial(void); > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index f00c1da587ea..f03d3eb0752c 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -1575,6 +1575,8 @@ static void audit_log_exit(void) > > audit_log_proctitle(); > > + audit_log_container_drop(); > + > /* Send end of event record to help user space know we are finished */ > ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE); > if (ab) -- paul moore www.paul-moore.com
diff --git a/kernel/audit.c b/kernel/audit.c index 6d387793f702..9e0b38ce1ead 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -2558,6 +2558,26 @@ int audit_set_contid(struct task_struct *task, u64 contid) return rc; } +void audit_log_container_drop(void) +{ + struct audit_buffer *ab; + struct audit_contobj *cont; + + rcu_read_lock(); + cont = _audit_contobj_get(current); + _audit_contobj_put(cont); + if (!cont || refcount_read(&cont->refcount) > 1) + goto out; + ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_CONTAINER_OP); + if (!ab) + goto out; + audit_log_format(ab, "op=drop opid=%d contid=%llu old-contid=%llu", + task_tgid_nr(current), cont->id, cont->id); + audit_log_end(ab); +out: + rcu_read_unlock(); +} + /** * audit_log_end - end one audit record * @ab: the audit_buffer diff --git a/kernel/audit.h b/kernel/audit.h index 182fc76ea276..d07093903008 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -254,6 +254,8 @@ extern void audit_log_d_path_exe(struct audit_buffer *ab, extern struct tty_struct *audit_get_tty(void); extern void audit_put_tty(struct tty_struct *tty); +extern void audit_log_container_drop(void); + /* audit watch/mark/tree functions */ #ifdef CONFIG_AUDITSYSCALL extern unsigned int audit_serial(void); diff --git a/kernel/auditsc.c b/kernel/auditsc.c index f00c1da587ea..f03d3eb0752c 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1575,6 +1575,8 @@ static void audit_log_exit(void) audit_log_proctitle(); + audit_log_container_drop(); + /* Send end of event record to help user space know we are finished */ ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE); if (ab)
Since we are tracking the life of each audit container indentifier, we can match the creation event with the destruction event. Log the destruction of the audit container identifier when the last process in that container exits. Signed-off-by: Richard Guy Briggs <rgb@redhat.com> --- kernel/audit.c | 20 ++++++++++++++++++++ kernel/audit.h | 2 ++ kernel/auditsc.c | 2 ++ 3 files changed, 24 insertions(+)