On Wed, Sep 18, 2019 at 9:24 PM Richard Guy Briggs <rgb(a)redhat.com> wrote:
Since we are tracking the life of each audit container identifier, we
can match the creation event with the destruction event. Log the
destruction of the audit container identifier when the last process in
that container exits.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/audit.c | 32 ++++++++++++++++++++++++++++++++
kernel/audit.h | 2 ++
kernel/auditsc.c | 2 ++
3 files changed, 36 insertions(+)
diff --git a/kernel/audit.c b/kernel/audit.c
index ea0899130cc1..53d13d638c63 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -2503,6 +2503,38 @@ int audit_set_contid(struct task_struct *task, u64 contid)
return rc;
}
+void audit_log_container_drop(void)
+{
+ struct audit_buffer *ab;
+ uid_t uid;
+ struct tty_struct *tty;
+ char comm[sizeof(current->comm)];
+
+ if (!current->audit || !current->audit->cont ||
+ refcount_read(¤t->audit->cont->refcount) > 1)
+ return;
+ ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_CONTAINER_OP);
+ if (!ab)
+ return;
+
+ uid = from_kuid(&init_user_ns, task_uid(current));
+ tty = audit_get_tty();
+ audit_log_format(ab,
+ "op=drop opid=%d contid=%llu old-contid=%llu pid=%d uid=%u
auid=%u tty=%s ses=%u",
+ task_tgid_nr(current), audit_get_contid(current),
+ audit_get_contid(current), task_tgid_nr(current), uid,
+ from_kuid(&init_user_ns, audit_get_loginuid(current)),
+ tty ? tty_name(tty) : "(none)",
+ audit_get_sessionid(current));
+ audit_put_tty(tty);
+ audit_log_task_context(ab);
+ audit_log_format(ab, " comm=");
+ audit_log_untrustedstring(ab, get_task_comm(comm, current));
+ audit_log_d_path_exe(ab, current->mm);
+ audit_log_format(ab, " res=1");
+ audit_log_end(ab);
+}
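Review bot: the early return on `refcount_read(&current->audit->cont->refcount) > 1` is an unlocked snapshot of the count, and the decrement that actually releases the container identifier happens elsewhere (not in this hunk), so the "last process" test can be wrong in both directions: two final tasks of one container exiting concurrently can both observe a count greater than 1 and no drop record is emitted at all, while a task that reads 1 can still be followed by another reference being taken before its own put. Emitting the record from the put that really takes the count to zero (a `refcount_dec_and_test()` style path, which is what doing it in audit_cont_put() would give) makes the drop event exact instead of best effort, and an audit consumer matching creation and destruction records depends on that. Separately, in audit_log_container_drop() `contid=` and `old-contid=` are both `audit_get_contid(current)` and `opid=` and `pid=` are both `task_tgid_nr(current)`; if the duplication is there only to keep the field set of `AUDIT_CONTAINER_OP` records uniform across `op=` values, a one-line comment saying so would save the next reader from looking for a difference.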
Why can't we just do this in audit_cont_put()? Is it because we call
audit_cont_put() in the new audit_free() function? What if we were to
do it in __audit_free()/audit_free_syscall()?
--
paul moore
www.paul-moore.com