On 2020-10-21 12:49, Steve Grubb wrote:
> On Wednesday, October 21, 2020 12:39:26 PM EDT Richard Guy Briggs wrote:
> > > I think I have a way to generate a signal to multiple targets in one
> > > syscall... The added challenge is to also give those targets different
> > > audit container identifiers.
> >
> > Here is an example I was able to generate after updating the testsuite
> > script to include a signalling example of a nested audit container
> > identifier:
> >
> > ----
> > type=PROCTITLE msg=audit(2020-10-21 10:31:16.655:6731) : proctitle=/usr/bin/perl -w containerid/test
> > type=CONTAINER_ID msg=audit(2020-10-21 10:31:16.655:6731) : contid=7129731255799087104^3333941723245477888
> > type=OBJ_PID msg=audit(2020-10-21 10:31:16.655:6731) : opid=115583 oauid=root ouid=root oses=1 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ocomm=perl
> > type=CONTAINER_ID msg=audit(2020-10-21 10:31:16.655:6731) : contid=3333941723245477888
> > type=OBJ_PID msg=audit(2020-10-21 10:31:16.655:6731) : opid=115580 oauid=root ouid=root oses=1 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ocomm=perl
> > type=CONTAINER_ID msg=audit(2020-10-21 10:31:16.655:6731) : contid=8098399240850112512^3333941723245477888
> > type=OBJ_PID msg=audit(2020-10-21 10:31:16.655:6731) : opid=115582 oauid=root ouid=root oses=1 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ocomm=perl
> > type=SYSCALL msg=audit(2020-10-21 10:31:16.655:6731) : arch=x86_64 syscall=kill success=yes exit=0 a0=0xfffe3c84 a1=SIGTERM a2=0x4d524554 a3=0x0 items=0 ppid=115564 pid=115567 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=1 comm=perl exe=/usr/bin/perl subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=testsuite-1603290671-AcLtUulY
> > ----
> >
> > There are three CONTAINER_ID records which need some way of associating
> > with OBJ_PID records. An additional CONTAINER_ID record would be present
> > if the killing process itself had an audit container identifier. I think
> > the most obvious way to connect them is with a pid= field in the
> > CONTAINER_ID record.
>
> pid is the process sending the signal, opid is the process receiving the
> signal. I think you mean opid?

If the process sending the signal (it has a pid= field) has an audit
container identifier, it will generate a CONTAINER_ID record. Each
process being signalled (each has an opid= field) that has an audit
container identifier will also generate a CONTAINER_ID record. The
former will be much more common. Which do we use in the CONTAINER_ID
record? Having swinging fields, pid vs opid does not seem like a
reasonable solution. Do we go back to "ref=pid=..." vs
"ref=opid=..."?
> -Steve

- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
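As an added illustration (not code from this thread or from the kernel audit code), a small Python parser over the event quoted above: it groups records by audit serial, splits the nested contid into its chain, and links each CONTAINER_ID record to a process by an explicit ref=opid=/ref=pid= field when one is present (a hypothetical field, as floated in the thread), otherwise by the OBJ_PID record that directly follows it (only the ordering seen in the sample), and marks the record unresolved when neither applies.

```python
import re
from collections import defaultdict
# Constructed sample: the quoted event, one record per line (values from the
# thread; some OBJ_PID/SYSCALL fields dropped for brevity).
SAMPLE_EVENT = """\
type=PROCTITLE msg=audit(2020-10-21 10:31:16.655:6731) : proctitle=/usr/bin/perl -w containerid/test
type=CONTAINER_ID msg=audit(2020-10-21 10:31:16.655:6731) : contid=7129731255799087104^3333941723245477888
type=OBJ_PID msg=audit(2020-10-21 10:31:16.655:6731) : opid=115583 oauid=root ouid=root oses=1 ocomm=perl
type=CONTAINER_ID msg=audit(2020-10-21 10:31:16.655:6731) : contid=3333941723245477888
type=OBJ_PID msg=audit(2020-10-21 10:31:16.655:6731) : opid=115580 oauid=root ouid=root oses=1 ocomm=perl
type=CONTAINER_ID msg=audit(2020-10-21 10:31:16.655:6731) : contid=8098399240850112512^3333941723245477888
type=OBJ_PID msg=audit(2020-10-21 10:31:16.655:6731) : opid=115582 oauid=root ouid=root oses=1 ocomm=perl
type=SYSCALL msg=audit(2020-10-21 10:31:16.655:6731) : arch=x86_64 syscall=kill success=yes exit=0 a0=0xfffe3c84 a1=SIGTERM a2=0x4d524554 a3=0x0 items=0 ppid=115564 pid=115567 auid=root uid=root comm=perl exe=/usr/bin/perl key=testsuite-1603290671-AcLtUulY
"""

# type=<TYPE> msg=audit(<timestamp>:<serial>) : <key=value ...>
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((.*?):(\d+)\) : (.*)$")

def parse_records(text):
    """Yield (type, serial, fields) per record line; tokens without '=' are skipped."""
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, _ts, serial, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        yield rtype, int(serial), fields

def link_container_ids(records):
    """Map event serial -> [(contid chain innermost first, linked pid or None, how)].
    how='ref': explicit 'ref=opid=N'/'ref=pid=N' on the CONTAINER_ID (hypothetical,
    as floated in the thread); 'adjacent': the OBJ_PID record right after it, the
    ordering seen in the sample and nothing more; else 'unresolved'."""
    events = defaultdict(list)
    for rtype, serial, fields in records:
        events[serial].append((rtype, fields))
    result = {}
    for serial, recs in events.items():
        links = []
        for i, (rtype, fields) in enumerate(recs):
            if rtype != "CONTAINER_ID":
                continue
            chain = fields["contid"].split("^")  # nested id: child^parent
            ref = fields.get("ref", "")
            if ref.startswith(("pid=", "opid=")):
                links.append((chain, ref.split("=", 1)[1], "ref"))
            elif i + 1 < len(recs) and recs[i + 1][0] == "OBJ_PID":
                links.append((chain, recs[i + 1][1]["opid"], "adjacent"))
            else:
                links.append((chain, None, "unresolved"))
        result[serial] = links
    return result
```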