[PATCH RFC 35/48] Audit: Log task related audit message to proper user namespace

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Now, we can log task related audit message to the user namespace
which the task belongs to.

Signed-off-by: Gao feng <gaofeng@xxxxxxxxxxxxxx>
---
 kernel/auditsc.c | 114 +++++++++++++++++++++++++++++++------------------------
 1 file changed, 64 insertions(+), 50 deletions(-)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 544eb82..3c5ced9 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1185,7 +1185,8 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
 
 EXPORT_SYMBOL(audit_log_task_info);
 
-static int audit_log_pid_context(struct audit_context *context, pid_t pid,
+static int audit_log_pid_context(struct user_namespace *ns,
+				 struct audit_context *context, pid_t pid,
 				 kuid_t auid, kuid_t uid, unsigned int sessionid,
 				 u32 sid, char *comm)
 {
@@ -1194,13 +1195,13 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
 	u32 len;
 	int rc = 0;
 
-	ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
+	ab = audit_log_start_ns(ns, context, GFP_KERNEL, AUDIT_OBJ_PID);
 	if (!ab)
 		return rc;
 
 	audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
-			 from_kuid(&init_user_ns, auid),
-			 from_kuid(&init_user_ns, uid), sessionid);
+			 from_kuid(ns, auid),
+			 from_kuid(ns, uid), sessionid);
 	if (security_secid_to_secctx(sid, &ctx, &len)) {
 		audit_log_format(ab, " obj=(none)");
 		rc = 1;
@@ -1210,7 +1211,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
 	}
 	audit_log_format(ab, " ocomm=");
 	audit_log_untrustedstring(ab, comm);
-	audit_log_end(ab);
+	audit_log_end_ns(ns, ab);
 
 	return rc;
 }
@@ -1240,6 +1241,7 @@ static int audit_log_single_execve_arg(struct audit_context *context,
 	size_t len, len_left, to_send;
 	size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN;
 	unsigned int i, has_cntl = 0, too_long = 0;
+	struct user_namespace *ns;
 	int ret;
 
 	/* strnlen_user includes the null we don't want to send */
@@ -1293,6 +1295,7 @@ static int audit_log_single_execve_arg(struct audit_context *context,
 	if (len > max_execve_audit_len)
 		too_long = 1;
 
+	ns = current_user_ns();
 	/* rewalk the argument actually logging the message */
 	for (i = 0; len_left > 0; i++) {
 		int room_left;
@@ -1310,8 +1313,9 @@ static int audit_log_single_execve_arg(struct audit_context *context,
 			room_left -= to_send;
 		if (room_left < 0) {
 			*len_sent = 0;
-			audit_log_end(*ab);
-			*ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE);
+			audit_log_end_ns(ns, *ab);
+			*ab = audit_log_start_ns(ns, context,
+						 GFP_KERNEL, AUDIT_EXECVE);
 			if (!*ab)
 				return 0;
 		}
@@ -1429,12 +1433,13 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
 		audit_log_format(ab, " cap_fe=%d cap_fver=%x", name->fcap.fE, name->fcap_ver);
 }
 
-static void show_special(struct audit_context *context, int *call_panic)
+static void show_special(struct user_namespace *ns,
+			 struct audit_context *context, int *call_panic)
 {
 	struct audit_buffer *ab;
 	int i;
 
-	ab = audit_log_start(context, GFP_KERNEL, context->type);
+	ab = audit_log_start_ns(ns, context, GFP_KERNEL, context->type);
 	if (!ab)
 		return;
 
@@ -1465,9 +1470,9 @@ static void show_special(struct audit_context *context, int *call_panic)
 			}
 		}
 		if (context->ipc.has_perm) {
-			audit_log_end(ab);
-			ab = audit_log_start(context, GFP_KERNEL,
-					     AUDIT_IPC_SET_PERM);
+			audit_log_end_ns(ns, ab);
+			ab = audit_log_start_ns(ns, context, GFP_KERNEL,
+						AUDIT_IPC_SET_PERM);
 			if (unlikely(!ab))
 				return;
 			audit_log_format(ab,
@@ -1523,14 +1528,15 @@ static void show_special(struct audit_context *context, int *call_panic)
 				 context->mmap.flags);
 		break; }
 	}
-	audit_log_end(ab);
+	audit_log_end_ns(ns, ab);
 }
 
-static void audit_log_name(struct audit_context *context, struct audit_names *n,
+static void audit_log_name(struct user_namespace *ns,
+			   struct audit_context *context, struct audit_names *n,
 			   int record_num, int *call_panic)
 {
 	struct audit_buffer *ab;
-	ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
+	ab = audit_log_start_ns(ns, context, GFP_KERNEL, AUDIT_PATH);
 	if (!ab)
 		return; /* audit_panic has been called */
 
@@ -1565,8 +1571,8 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n,
 				 MAJOR(n->dev),
 				 MINOR(n->dev),
 				 n->mode,
-				 from_kuid(&init_user_ns, n->uid),
-				 from_kgid(&init_user_ns, n->gid),
+				 from_kuid(ns, n->uid),
+				 from_kgid(ns, n->gid),
 				 MAJOR(n->rdev),
 				 MINOR(n->rdev));
 	}
@@ -1585,7 +1591,7 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n,
 
 	audit_log_fcaps(ab, n);
 
-	audit_log_end(ab);
+	audit_log_end_ns(ns, ab);
 }
 
 static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
@@ -1594,11 +1600,12 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
 	struct audit_buffer *ab;
 	struct audit_aux_data *aux;
 	struct audit_names *n;
+	struct user_namespace *ns = task_cred_xxx(tsk, user_ns);
 
 	/* tsk == current */
 	context->personality = tsk->personality;
 
-	ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
+	ab = audit_log_start_ns(ns, context, GFP_KERNEL, AUDIT_SYSCALL);
 	if (!ab)
 		return;		/* audit_panic has been called */
 	audit_log_format(ab, "arch=%x syscall=%d",
@@ -1620,11 +1627,11 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
 
 	audit_log_task_info(ab, tsk);
 	audit_log_key(ab, context->filterkey);
-	audit_log_end(ab);
+	audit_log_end_ns(ns, ab);
 
 	for (aux = context->aux; aux; aux = aux->next) {
 
-		ab = audit_log_start(context, GFP_KERNEL, aux->type);
+		ab = audit_log_start_ns(ns, context, GFP_KERNEL, aux->type);
 		if (!ab)
 			continue; /* audit_panic has been called */
 
@@ -1650,28 +1657,28 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
 			break; }
 
 		}
-		audit_log_end(ab);
+		audit_log_end_ns(ns, ab);
 	}
 
 	if (context->type)
-		show_special(context, &call_panic);
+		show_special(ns, context, &call_panic);
 
 	if (context->fds[0] >= 0) {
-		ab = audit_log_start(context, GFP_KERNEL, AUDIT_FD_PAIR);
+		ab = audit_log_start_ns(ns, context, GFP_KERNEL, AUDIT_FD_PAIR);
 		if (ab) {
 			audit_log_format(ab, "fd0=%d fd1=%d",
 					context->fds[0], context->fds[1]);
-			audit_log_end(ab);
+			audit_log_end_ns(ns, ab);
 		}
 	}
 
 	if (context->sockaddr_len) {
-		ab = audit_log_start(context, GFP_KERNEL, AUDIT_SOCKADDR);
+		ab = audit_log_start_ns(ns, context, GFP_KERNEL, AUDIT_SOCKADDR);
 		if (ab) {
 			audit_log_format(ab, "saddr=");
 			audit_log_n_hex(ab, (void *)context->sockaddr,
 					context->sockaddr_len);
-			audit_log_end(ab);
+			audit_log_end_ns(ns, ab);
 		}
 	}
 
@@ -1679,7 +1686,8 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
 		struct audit_aux_data_pids *axs = (void *)aux;
 
 		for (i = 0; i < axs->pid_count; i++)
-			if (audit_log_pid_context(context, axs->target_pid[i],
+			if (audit_log_pid_context(ns, context,
+						  axs->target_pid[i],
 						  axs->target_auid[i],
 						  axs->target_uid[i],
 						  axs->target_sessionid[i],
@@ -1689,28 +1697,28 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
 	}
 
 	if (context->target_pid &&
-	    audit_log_pid_context(context, context->target_pid,
+	    audit_log_pid_context(ns, context, context->target_pid,
 				  context->target_auid, context->target_uid,
 				  context->target_sessionid,
 				  context->target_sid, context->target_comm))
 			call_panic = 1;
 
 	if (context->pwd.dentry && context->pwd.mnt) {
-		ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
+		ab = audit_log_start_ns(ns, context, GFP_KERNEL, AUDIT_CWD);
 		if (ab) {
 			audit_log_d_path(ab, " cwd=", &context->pwd);
-			audit_log_end(ab);
+			audit_log_end_ns(ns, ab);
 		}
 	}
 
 	i = 0;
 	list_for_each_entry(n, &context->names_list, list)
-		audit_log_name(context, n, i++, &call_panic);
+		audit_log_name(ns, context, n, i++, &call_panic);
 
 	/* Send end of event record to help user space know we are finished */
-	ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
+	ab = audit_log_start_ns(ns, context, GFP_KERNEL, AUDIT_EOE);
 	if (ab)
-		audit_log_end(ab);
+		audit_log_end_ns(ns, ab);
 	if (call_panic)
 		audit_panic("error converting sid to string");
 }
@@ -2327,8 +2335,9 @@ int audit_set_loginuid(kuid_t loginuid)
 	sessionid = atomic_inc_return(&session_id);
 	if (context && context->in_syscall) {
 		struct audit_buffer *ab;
+		struct user_namespace *ns = current_user_ns();
 
-		ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN);
+		ab = audit_log_start_ns(ns, NULL, GFP_KERNEL, AUDIT_LOGIN);
 		if (ab) {
 			audit_log_format(ab, "login pid=%d uid=%u "
 				"old auid=%u new auid=%u"
@@ -2338,7 +2347,7 @@ int audit_set_loginuid(kuid_t loginuid)
 				from_kuid(&init_user_ns, task->loginuid),
 				from_kuid(&init_user_ns, loginuid),
 				task->sessionid, sessionid);
-			audit_log_end(ab);
+			audit_log_end_ns(ns, ab);
 		}
 	}
 	task->sessionid = sessionid;
@@ -2560,8 +2569,9 @@ int __audit_signal_info(int sig, struct task_struct *t)
 	struct task_struct *tsk = current;
 	struct audit_context *ctx = tsk->audit_context;
 	kuid_t uid = current_uid(), t_uid = task_uid(t);
+	int audit_pid = current_user_ns()->audit.pid;
 
-	if (init_user_ns.audit.pid && t->tgid == init_user_ns.audit.pid) {
+	if (audit_pid && t->tgid == audit_pid) {
 		if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1 || sig == SIGUSR2) {
 			audit_sig_pid = tsk->pid;
 			if (uid_valid(tsk->loginuid))
@@ -2683,7 +2693,8 @@ void __audit_mmap_fd(int fd, int flags)
 	context->type = AUDIT_MMAP;
 }
 
-static void audit_log_task(struct audit_buffer *ab)
+static void audit_log_task(struct user_namespace *ns,
+			   struct audit_buffer *ab)
 {
 	kuid_t auid, uid;
 	kgid_t gid;
@@ -2694,18 +2705,19 @@ static void audit_log_task(struct audit_buffer *ab)
 	current_uid_gid(&uid, &gid);
 
 	audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
-			 from_kuid(&init_user_ns, auid),
-			 from_kuid(&init_user_ns, uid),
-			 from_kgid(&init_user_ns, gid),
+			 from_kuid(ns, auid),
+			 from_kuid(ns, uid),
+			 from_kgid(ns, gid),
 			 sessionid);
 	audit_log_task_context(ab);
 	audit_log_format(ab, " pid=%d comm=", current->pid);
 	audit_log_untrustedstring(ab, current->comm);
 }
 
-static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)
+static void audit_log_abend(struct user_namespace *ns,
+			    struct audit_buffer *ab, char *reason, long signr)
 {
-	audit_log_task(ab);
+	audit_log_task(ns, ab);
 	audit_log_format(ab, " reason=");
 	audit_log_string(ab, reason);
 	audit_log_format(ab, " sig=%ld", signr);
@@ -2720,34 +2732,36 @@ static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)
 void audit_core_dumps(long signr)
 {
 	struct audit_buffer *ab;
+	struct user_namespace *ns = current_user_ns();
 
-	if (!audit_enabled)
+	if (!audit_enabled_ns(ns))
 		return;
 
 	if (signr == SIGQUIT)	/* don't care for those */
 		return;
 
-	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
+	ab = audit_log_start_ns(ns, NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
 	if (unlikely(!ab))
 		return;
-	audit_log_abend(ab, "memory violation", signr);
-	audit_log_end(ab);
+	audit_log_abend(ns, ab, "memory violation", signr);
+	audit_log_end_ns(ns, ab);
 }
 
 void __audit_seccomp(unsigned long syscall, long signr, int code)
 {
 	struct audit_buffer *ab;
+	struct user_namespace *ns = current_user_ns();
 
-	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_SECCOMP);
+	ab = audit_log_start_ns(ns, NULL, GFP_KERNEL, AUDIT_SECCOMP);
 	if (unlikely(!ab))
 		return;
-	audit_log_task(ab);
+	audit_log_task(ns, ab);
 	audit_log_format(ab, " sig=%ld", signr);
 	audit_log_format(ab, " syscall=%ld", syscall);
 	audit_log_format(ab, " compat=%d", is_compat_task());
 	audit_log_format(ab, " ip=0x%lx", KSTK_EIP(current));
 	audit_log_format(ab, " code=0x%x", code);
-	audit_log_end(ab);
+	audit_log_end_ns(ns, ab);
 }
 
 struct list_head *audit_killed_trees(void)
-- 
1.8.1.4

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers




[Index of Archives]     [Cgroups]     [Netdev]     [Linux Wireless]     [Kernel Newbies]     [Security]     [Linux for Hams]     [Netfilter]     [Bugtraq]     [Yosemite Forum]     [MIPS Linux]     [ARM Linux]     [Linux RAID]     [Linux Admin]     [Samba]

  Powered by Linux