Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated
by Andy Lutomirski
On Wed, Mar 7, 2018 at 11:41 PM, Paul Moore <paul(a)paul-moore.com> wrote:
> On Wed, Mar 7, 2018 at 11:48 AM, Jiri Kosina <jikos(a)kernel.org> wrote:
>> On Wed, 7 Mar 2018, Andy Lutomirski wrote:
>>> Wow, this was a long time ago.
>>
>> Oh yeah; but it now resurfaced on our side, as we are of course receiving
>> a lot of requests with respect to making syscall performance great again
>> :)
>
> Ooof. I'm not sure I can handle making more things "great again" ;)
>
>>> From memory and a bit of email diving, there are two reasons.
>>>
>>> 1. The probably was partially solved (by Oleg, IIRC) by making auditctl
>>> -a task,never cause newly spawned tasks to not suck. Yes, it's a
>>> very partial solution. After considerable nagging, I got Fedora to
>>> default to -a task,never.
>>
>> Hm, right; that's a bit inconvenient, because it takes each and every
>> vendor having to realize this option, and put it in. Making kernel do the
>> right thing automatically sounds like a better option to me.
>
> This predates audit falling into my lap, but speaking generally I
> think it would be good if the kernel did The Right Thing, so long as
> it isn't too painful.
>
>>> 2. This patch, as is, may be a bit problematic. In particular, if one
>>> task changes the audit rules while another task is in the middle of
>>> the syscall, then it's too late to audit that syscall correctly.
>>> This could be seen as a bug or it could be seen as being just fine.
>>
>> I don't think this should be a problem, given the fact that the whole
>> timing/ordering is not predictable anyway due to scheduling.
>>
>> Paul, what do you think?
>
> I'm not overly concerned about the race condition between configuring
> the audit filters and syscalls that are currently in-flight; after all
> we have that now and "fixing" it would be pretty much impractical
> (impossible maybe?). Most serious audit users configure it during
> boot and let it run, frequent runtime changes are not common as far as
> I can tell.
>
> I just looked quickly at the patch and decided it isn't something I'm
> going to be able to carefully review in the time I've got left today,
> so it's going to have to wait until tomorrow and Friday ... however,
> speaking on general principle I don't have an objection to the ideas
> put forth here.
>
> Andy, if you've got any Reviewed-by/Tested-by/NACK/etc. you want to
> add, that would be good to have.
>
It's sort of my patch, and I was reasonably happy with it, so
definitely no NACK from me. The only caveat I have is that I wrote
the original version so long ago that we need to re-audit the code.
In particular, I want to make sure that the following two cases don't
result in warnings, oopses, or other misbehavior:
1. Do a syscall with TIF_AUDIT_SYSCALL clear. Return with
TIF_AUDIT_SYSCALL set and that syscall enabled for auditing.
2.. Do a VFS syscall with TIF_AUDIT_CLEAR and have TIF_AUDIT_SYSCALL
set before we execute any VFS code. The VFS code will call into the
audit code to log the paths it touches (IIRC). Again, this shouldn't
warn or otherwise misbehave.
6 years, 7 months
audit watch rules and docker containers
by Rakesh
Hello Auditd'ers,
I am running a privileged container with pid, net, uts space shared with the host. The need is to be able to set file watch rules from the container say
-k /etc -p rw -k containter_rule
and then look for read/write access to files/directories in /var/log/audit/*.
What I am finding is there are no watch events being logged
If I set the same audit watch rule from the host (and not being in the privileged container) I am able to get audit events
Using nsenter to switch namespace (nsenter -t 1 auditctl -k /etc -p rw -k containter_rule) does not help either
I suspect the mnt namespace is different which is causing this oddity in behavior
looking at container process namespace -
test@ubuntu-16:~/audit$ sudo ls -latr /proc/26050/ns[sudo] password for test:total 0dr-xr-xr-x 9 root root 0 Mar 2 16:58 ..dr-x--x--x 2 root root 0 Mar 2 17:46 .lrwxrwxrwx 1 root root 0 Mar 2 17:46 uts -> uts:[4026531838]lrwxrwxrwx 1 root root 0 Mar 2 17:46 user -> user:[4026531837]lrwxrwxrwx 1 root root 0 Mar 2 17:46 pid -> pid:[4026531836]lrwxrwxrwx 1 root root 0 Mar 2 17:46 net -> net:[4026531957]lrwxrwxrwx 1 root root 0 Mar 2 17:46 mnt -> mnt:[4026532517]lrwxrwxrwx 1 root root 0 Mar 2 17:46 ipc -> ipc:[4026532518]lrwxrwxrwx 1 root root 0 Mar 2 17:46 cgroup -> cgroup:[4026531835]
looking at init process namespace -
test@ubuntu-16:~/audit$ sudo ls -latr /proc/1/nstotal 0dr-xr-xr-x 9 root root 0 Mar 2 10:37 ..lrwxrwxrwx 1 root root 0 Mar 2 10:38 mnt -> mnt:[4026531840]dr-x--x--x 2 root root 0 Mar 2 10:38 .lrwxrwxrwx 1 root root 0 Mar 2 16:47 uts -> uts:[4026531838]lrwxrwxrwx 1 root root 0 Mar 2 16:47 user -> user:[4026531837]lrwxrwxrwx 1 root root 0 Mar 2 16:47 pid -> pid:[4026531836]lrwxrwxrwx 1 root root 0 Mar 2 16:47 net -> net:[4026531957]lrwxrwxrwx 1 root root 0 Mar 2 16:47 ipc -> ipc:[4026531839]lrwxrwxrwx 1 root root 0 Mar 2 16:47 cgroup -> cgroup:[4026531835]
Can someone suggest on how to make this work.
Thanks,Rakesh
6 years, 7 months
[PATCH] audit: do not panic kernel on invalid audit parameter
by Greg Edwards
If you pass in an invalid audit kernel boot parameter, e.g. 'audit=off',
the kernel panics very early in boot with no output on the console
indicating the problem.
This seems overly harsh. Instead, print the error indicating an invalid
audit parameter value and leave auditing disabled.
Fixes: 80ab4df62706 ("audit: don't use simple_strtol() anymore")
Signed-off-by: Greg Edwards <gedwards(a)ddn.com>
---
kernel/audit.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 227db99b0f19..d8af7682d6a3 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1572,8 +1572,10 @@ static int __init audit_enable(char *str)
{
long val;
- if (kstrtol(str, 0, &val))
- panic("audit: invalid 'audit' parameter value (%s)\n", str);
+ if (kstrtol(str, 0, &val)) {
+ pr_err("invalid 'audit' parameter value (%s)\n", str);
+ val = AUDIT_OFF;
+ }
audit_default = (val ? AUDIT_ON : AUDIT_OFF);
if (audit_default == AUDIT_OFF)
--
2.14.3
6 years, 7 months
[RFC PATCH] auditctl: add support for containerid filter
by Richard Guy Briggs
A u64 container identifier has been added to the kernel view of tasks.
This allows container orchestrators to label tasks with a unique
tamperproof identifier that gets inherited by its children to be able to
track the provenance of actions by a container.
Add support to libaudit and auditctl for the containerid field to filter
based on container identifier. Since it is a u64 and larger than any
other numeric field, send it as a string but do the appropriate
conversions on each end in each direction.
See: https://github.com/linux-audit/audit-userspace/issues/40
See: https://github.com/linux-audit/audit-kernel/issues/32
See: https://github.com/linux-audit/audit-testsuite/issues/64
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
Note: This is a userspace patch for the audit utils to support the
kernel RFC patchset, in optimism of kernel support acceptance.
ausearch would also need support added.
---
docs/auditctl.8 | 3 +++
lib/fieldtab.h | 1 +
lib/libaudit.c | 36 ++++++++++++++++++++++++++++++++++++
lib/libaudit.h | 7 +++++++
src/auditctl-listing.c | 21 +++++++++++++++++++++
5 files changed, 68 insertions(+)
diff --git a/docs/auditctl.8 b/docs/auditctl.8
index 88466de..8bda43d 100644
--- a/docs/auditctl.8
+++ b/docs/auditctl.8
@@ -210,6 +210,9 @@ Parent's Process ID
.B sessionid
User's login session ID
.TP
+.B containerid
+Process' container ID
+.TP
.B subj_user
Program's SE Linux User
.TP
diff --git a/lib/fieldtab.h b/lib/fieldtab.h
index c425d5b..755800a 100644
--- a/lib/fieldtab.h
+++ b/lib/fieldtab.h
@@ -47,6 +47,7 @@ _S(AUDIT_OBJ_TYPE, "obj_type" )
_S(AUDIT_OBJ_LEV_LOW, "obj_lev_low" )
_S(AUDIT_OBJ_LEV_HIGH, "obj_lev_high" )
_S(AUDIT_SESSIONID, "sessionid" )
+_S(AUDIT_CONTAINERID, "containerid" )
_S(AUDIT_DEVMAJOR, "devmajor" )
_S(AUDIT_DEVMINOR, "devminor" )
diff --git a/lib/libaudit.c b/lib/libaudit.c
index aa8258c..2e01a22 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -1737,6 +1737,42 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
else if (strcmp(v, "unset") == 0)
rule->values[rule->field_count] = 4294967295;
break;
+ case AUDIT_CONTAINERID: {
+ unsigned long long val;
+
+ if ((audit_get_features() &
+ AUDIT_FEATURE_BITMAP_CONTAINERID_FILTER) == 0)
+ return -EAU_FIELDNOSUPPORT;
+ if (flags != AUDIT_FILTER_EXCLUDE &&
+ flags != AUDIT_FILTER_USER &&
+ flags != AUDIT_FILTER_EXIT)
+ return -EAU_FIELDNOFILTER;
+ if (isdigit((char)*(v)))
+ val = strtoull(v, NULL, 0);
+ else if (strlen(v) >= 2 && *(v)=='-' &&
+ (isdigit((char)*(v+1))))
+ val = strtoll(v, NULL, 0);
+ else if (strcmp(v, "unset") == 0)
+ val = ULLONG_MAX;
+ else
+ return -EAU_FIELDVALNUM;
+ if (errno)
+ return -EAU_FIELDVALNUM;
+ vlen = sizeof(unsigned long long);
+ rule->values[rule->field_count] = vlen;
+ offset = rule->buflen;
+ rule->buflen += vlen;
+ *rulep = realloc(rule, sizeof(*rule) + rule->buflen);
+ if (*rulep == NULL) {
+ free(rule);
+ audit_msg(LOG_ERR, "Cannot realloc memory!\n");
+ return -3;
+ } else {
+ rule = *rulep;
+ }
+ *(unsigned long long*)(&rule->buf[offset]) = val;
+ break;
+ }
case AUDIT_DEVMAJOR...AUDIT_INODE:
case AUDIT_SUCCESS:
if (flags != AUDIT_FILTER_EXIT)
diff --git a/lib/libaudit.h b/lib/libaudit.h
index b681e8d..542ec62 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -320,6 +320,9 @@ extern "C" {
#ifndef AUDIT_FEATURE_BITMAP_FILTER_FS
#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
#endif
+#ifndef AUDIT_FEATURE_BITMAP_CONTAINERID_FILTER
+#define AUDIT_FEATURE_BITMAP_CONTAINERID_FILTER 0x00000080
+#endif
/* Defines for interfield comparison update */
#ifndef AUDIT_OBJ_UID
@@ -343,6 +346,10 @@ extern "C" {
#define AUDIT_FSTYPE 26
#endif
+#ifndef AUDIT_CONTAINERID
+#define AUDIT_CONTAINERID 27
+#endif
+
#ifndef AUDIT_COMPARE_UID_TO_OBJ_UID
#define AUDIT_COMPARE_UID_TO_OBJ_UID 1
#endif
diff --git a/src/auditctl-listing.c b/src/auditctl-listing.c
index f670ff9..974dcb4 100644
--- a/src/auditctl-listing.c
+++ b/src/auditctl-listing.c
@@ -25,6 +25,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <limits.h>
#include "auditctl-listing.h"
#include "private.h"
#include "auditctl-llist.h"
@@ -460,6 +461,26 @@ static void print_rule(const struct audit_rule_data *r)
audit_operator_to_symbol(op),
audit_fstype_to_name(
r->values[i]));
+ } else if (field == AUDIT_CONTAINERID) {
+ unsigned long long val;
+
+ if (r->values[i] == sizeof(unsigned long long)) {
+ val = *(unsigned long long*)(&r->buf[boffset]);
+
+ if (val != ULLONG_MAX)
+ printf(" -F %s%s%llu", name,
+ audit_operator_to_symbol(op),
+ val);
+ else
+ printf(" -F %s%s%s", name,
+ audit_operator_to_symbol(op),
+ "unset");
+ } else {
+ printf(" -F %s%s%s", name,
+ audit_operator_to_symbol(op),
+ "inval");
+ }
+ boffset += r->values[i];
} else {
// The default is signed decimal
printf(" -F %s%s%d", name,
--
1.8.3.1
6 years, 8 months
[PATCH 0/2] audit boot parameter cleanups
by Greg Edwards
One of our CI tests was booting upstream kernels with the "audit=off" kernel
parameter. This was our error; it should have been "audit=0". However,
in 4.15 the verification of the boot parameter got more strict in 80ab4df62706
("audit: don't use simple_strtol() anymore"), and our errant boot parameter
value starting panic'ing the system.
The problem is this happens so early in boot, the console isn't initialized yet
and you don't see the panic message. You have no idea what the problem is
unless you add an "earlyprintk" boot option, e.g.
earlyprintk=serial,ttyS0,115200n8.
Fix this by having the boot parameter setup function just save the boot
parameter value, and process it later from a call in audit_init(). The console
is initialized by this point, and you can see any panic messages without having
to use an earlyprintk option.
Additionally, add "on" and "off" as valid audit boot parameter values.
Greg Edwards (2):
audit: move processing of "audit" boot param to audit_init()
audit: add "on"/"off" as valid boot parameter values
Documentation/admin-guide/kernel-parameters.txt | 14 +++----
kernel/audit.c | 49 ++++++++++++++++---------
2 files changed, 39 insertions(+), 24 deletions(-)
--
2.14.3
6 years, 8 months