I'm doing work now involving namespaces....the necessity is real. I'll
take a look early next week.
On Dec 20, 2013 10:34 PM, "Richard Guy Briggs" <rgb(a)redhat.com> wrote:
Log the namespace details of a task.
---
Does anyone have comments on this patch?
I'm looking for guidance on which types of messages should have namespace
information included. I've included too many, I suspect.
I also wonder whether displaying these inode numbers in hexadecimal makes more
sense than decimal, since they are all allocated from around 0xF0000000. They
all refer to the proc filesystem, so a device number should not be needed to
qualify them.
include/linux/audit.h | 1 +
kernel/audit.c | 29 +++++++++++++++++++++++++++++
kernel/audit_watch.c | 1 +
kernel/auditfilter.c | 1 +
kernel/auditsc.c | 5 +++++
5 files changed, 37 insertions(+), 0 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 6976219..75fa602 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -92,6 +92,7 @@ extern int audit_classify_arch(int arch);
struct filename;
extern void audit_log_session_info(struct audit_buffer *ab);
+extern void audit_log_namespace_info(struct audit_buffer *ab, struct
task_struct *tsk);
#ifdef CONFIG_AUDITSYSCALL
/* These are defined in auditsc.c */
diff --git a/kernel/audit.c b/kernel/audit.c
index dc03a30..b4c39a9 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -62,7 +62,15 @@
#endif
#include <linux/freezer.h>
#include <linux/tty.h>
+#include <linux/nsproxy.h>
+#include <linux/utsname.h>
+#include <linux/ipc_namespace.h>
+#include "../fs/mount.h"
+#include <linux/mount.h>
+#include <linux/mnt_namespace.h>
#include <linux/pid_namespace.h>
+#include <net/net_namespace.h>
+#include <linux/user_namespace.h>
#include <net/netns/generic.h>
#include "audit.h"
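Review bot: `#include "../fs/mount.h"` pulls a private VFS header into kernel/audit.c, apparently only so the helper can read struct mnt_namespace's proc_inum; that ties the audit subsystem to fs internals that are not part of the exported mount API. A small accessor exported from fs (declared in `<linux/mnt_namespace.h>`, which is already included two lines later) returning the mount namespace's proc inode number would keep the layering clean and drop the relative include. This changes only where the declaration lives, not the logged value.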
@@ -292,6 +300,7 @@ static int audit_log_config_change(char
*function_name, int new, int old,
return rc;
audit_log_format(ab, "%s=%d old=%d", function_name, new, old);
audit_log_session_info(ab);
+ audit_log_namespace_info(ab, current);
rc = audit_log_task_context(ab);
if (rc)
allow_changes = 0; /* Something weird, deny request */
@@ -657,6 +666,7 @@ static int audit_log_common_recv_msg(struct
audit_buffer **ab, u16 msg_type)
return rc;
audit_log_format(*ab, "pid=%d uid=%u", task_tgid_vnr(current),
uid);
audit_log_session_info(*ab);
+ audit_log_namespace_info(*ab, current);
audit_log_task_context(*ab);
return rc;
@@ -689,6 +699,7 @@ static void audit_log_feature_change(int which, u32
old_feature, u32 new_feature
return;
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_FEATURE_CHANGE);
+ audit_log_namespace_info(ab, current);
audit_log_format(ab, "feature=%s old=%d new=%d old_lock=%d
new_lock=%d res=%d",
audit_feature_names[which], !!old_feature,
!!new_feature,
!!old_lock, !!new_lock, res);
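Review bot: The namespace fields are written before the `feature=` text, and because the helper emits each field with a leading space while the following audit_log_format has none, the record comes out as ` pidns=... netns=<x>feature=...` with a stray leading space and the last namespace field fused to `feature=`. Move the call after the format so it appends like the other call sites: `audit_log_format(ab, "feature=%s old=%d new=%d old_lock=%d new_lock=%d res=%d", ...); audit_log_namespace_info(ab, current);`. audit_log_start() can return NULL here; audit_log_format tolerates that, and it looks like the helper only ever hands ab to audit_log_format, but that is worth confirming since its body is in another hunk. audit_log_feature_change begins and ends outside this hunk.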
@@ -1621,6 +1632,23 @@ void audit_log_session_info(struct audit_buffer *ab)
audit_log_format(ab, " auid=%u ses=%u", auid, sessionid);
}
+void audit_log_namespace_info(struct audit_buffer *ab, struct task_struct
*tsk)
+{
+ struct nsproxy *nsproxy;
+
+ rcu_read_lock();
+ audit_log_format(ab, " pidns=%x",
task_active_pid_ns(tsk)->proc_inum);
+ nsproxy = task_nsproxy(tsk);
+ if (nsproxy != NULL) {
+ audit_log_format(ab, " usrns=%x",
nsproxy->net_ns->user_ns->proc_inum);
+ audit_log_format(ab, " utsns=%x",
nsproxy->uts_ns->proc_inum);
+ audit_log_format(ab, " ipcns=%x",
nsproxy->ipc_ns->proc_inum);
+ audit_log_format(ab, " mntns=%x",
nsproxy->mnt_ns->proc_inum);
+ audit_log_format(ab, " netns=%x",
nsproxy->net_ns->proc_inum);
+ }
+ rcu_read_unlock();
+}
+
void audit_log_key(struct audit_buffer *ab, char *key)
{
audit_log_format(ab, " key=");
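Review bot: `usrns` is taken from `nsproxy->net_ns->user_ns`, which is the user namespace that owns the task's network namespace, not the task's own user namespace; a task that unshared its user namespace but kept the inherited net_ns would be logged under the wrong usrns. The task's user namespace lives in its credentials, so under the rcu_read_lock already held this should read `task_cred_xxx(tsk, user_ns)->proc_inum` (equivalently `current_user_ns()` when tsk is current). Two smaller points: the `%x` values carry no `0x` prefix, so a log parser cannot distinguish these fields from the decimal ones around them (the cover letter raises the hex question; if hex stays, `0x%x` is unambiguous), and `task_active_pid_ns(tsk)` appears to return NULL for a task that has already detached its pid, so a NULL check before that dereference would make the helper safe for callers that do not pass current. A header comment stating that every value is the /proc namespace inode number of tsk, and that a NULL nsproxy (exiting task) yields only the pidns field, would help readers of the log format.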
@@ -1890,6 +1918,7 @@ void audit_log_link_denied(const char *operation,
struct path *link)
goto out;
audit_log_format(ab, "op=%s", operation);
audit_log_task_info(ab, current);
+ audit_log_namespace_info(ab, current);
audit_log_format(ab, " res=0");
audit_log_end(ab);
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index 22831c4..2382a3e 100644
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -245,6 +245,7 @@ static void audit_watch_log_rule_change(struct
audit_krule *r, struct audit_watc
audit_log_format(ab, "auid=%u ses=%u op=",
from_kuid(&init_user_ns,
audit_get_loginuid(current)),
audit_get_sessionid(current));
+ audit_log_namespace_info(ab, current);
audit_log_string(ab, op);
audit_log_format(ab, " path=");
audit_log_untrustedstring(ab, w->path);
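Review bot: The call is inserted between the format that ends in `op=` and the `audit_log_string(ab, op)` that supplies its value, so the record becomes `op= pidns=... netns=<x><op>` and the op= field is corrupted. Move the call after the op value is written, i.e. after `audit_log_string(ab, op);`, or place it before the `auid=` format with the leading space adjusted. audit_watch_log_rule_change begins and ends outside this hunk.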
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 14a78cc..9c4b004 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1014,6 +1014,7 @@ static void audit_log_rule_change(char *action,
struct audit_krule *rule, int re
if (!ab)
return;
audit_log_format(ab, "auid=%u ses=%u" ,loginuid, sessionid);
+ audit_log_namespace_info(ab, current);
audit_log_task_context(ab);
audit_log_format(ab, " op=");
audit_log_string(ab, action);
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 10176cd..3c73a3b 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -974,6 +974,7 @@ static int audit_log_pid_context(struct audit_context
*context, pid_t pid,
audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
from_kuid(&init_user_ns, auid),
from_kuid(&init_user_ns, uid), sessionid);
+ audit_log_namespace_info(ab, current);
if (sid) {
if (security_secid_to_secctx(sid, &ctx, &len)) {
audit_log_format(ab, " obj=(none)");
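Review bot: This record describes another task (`opid`/`oauid`/`ouid`), but the namespace fields are taken from `current`, so a reader will naturally attribute `pidns=`/`netns=` to the opid task and can be misled across a container boundary. The function only has a pid_t here, so logging the target's namespaces would need a task lookup under rcu; if that is not worth it, omitting the namespace fields from this record and relying on the main syscall record is the less misleading option. audit_log_pid_context begins and ends outside this hunk.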
@@ -1302,6 +1303,7 @@ static void audit_log_exit(struct audit_context
*context, struct task_struct *ts
context->name_count);
audit_log_task_info(ab, tsk);
+ audit_log_namespace_info(ab, current);
audit_log_key(ab, context->filterkey);
audit_log_end(ab);
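Review bot: audit_log_task_info is given `tsk` while the namespace helper is given `current`; whenever the two differ the record mixes one task's identity with another task's namespaces. Pass the same task to both: `audit_log_namespace_info(ab, tsk);`. audit_log_exit begins and ends outside this hunk.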
@@ -1987,6 +1989,7 @@ static void audit_log_set_loginuid(kuid_t
koldloginuid, kuid_t kloginuid,
current->pid, uid,
oldloginuid, loginuid, oldsessionid, sessionid,
!rc);
+ audit_log_namespace_info(ab, current);
audit_log_end(ab);
}
@@ -2400,6 +2403,7 @@ void audit_core_dumps(long signr)
if (unlikely(!ab))
return;
audit_log_task(ab);
+ audit_log_namespace_info(ab, current);
audit_log_format(ab, " sig=%ld", signr);
audit_log_end(ab);
}
@@ -2412,6 +2416,7 @@ void __audit_seccomp(unsigned long syscall, long
signr, int code)
if (unlikely(!ab))
return;
audit_log_task(ab);
+ audit_log_namespace_info(ab, current);
audit_log_format(ab, " sig=%ld", signr);
audit_log_format(ab, " syscall=%ld", syscall);
audit_log_format(ab, " compat=%d", is_compat_task());
--
1.7.1