On 2019-09-18 21:27, Richard Guy Briggs wrote: > Add support for audit kernel container identifiers to userspace tools. > > The first and second add new record types. The third adds filter > support. The fourth and 5th start to add search support. > > The 6th is to read the calling process' audit container identifier from > the /proc filesystem matching the kernel /proc read patch. > > The 7th is to fix signal support and the 8th is to learn the audit > container identifier of the process that signals the audit daemon. > > The 9th is a touch up to allow the contid field to be interpreted as a > CSV list. > > The 10th and 11th add audit netlink support for setting and getting > contid, loginuid and sessionid preparing to deprecate the /proc > interface. > > The last adds audit library support to allow a process to give > permission to a container orchestrator in a non-init user namespace via > audit netlink messages. > > See: https://github.com/linux-audit/audit-userspace/issues/51 > See: https://github.com/linux-audit/audit-userspace/issues/40 > See: https://github.com/linux-audit/audit-kernel/issues/90 > See: https://github.com/linux-audit/audit-kernel/issues/91 > See: https://github.com/linux-audit/audit-testsuite/issues/64 > See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Here's my working tree: https://github.com/linux-audit/audit-userspace/compare/master...rgbriggs:ghau40-containerid-filter.v7.0 And a test rpms: http://people.redhat.com/~rbriggs/ghak90/git-247fe71 > Changelog: > v7 > - rebase on ghau90 and touchup > - rebase on ghak10 support (change AUDIT_CONTAINER_ID to 1334) > - render type contid as a CSV > - switch from /proc to audit netlink to set/get contid, auid/sessionid > - add support for capcontid > > v6 > - auditd signaller tracking was moved to a new AUDIT_SIGNAL_INFO2 > request and record > - swap CONTAINER_OP contid/old-contid to ease parsing > - add to auparse > > v5 > - updated aux record from AUDIT_CONTAINER to AUDIT_CONTAINER_ID > - add AUDIT_CONTAINER_ID to normalization > - rebase on AUDIT_ANOM_LINK and AUDIT_MAC_CALIPSO_ADD > > v4 > - change from AUDIT_CONTAINER_ID to AUDIT_CONTAINER_OP > - change from AUDIT_FEATURE_BITMAP_CONTAINERID_FILTER to > AUDIT_FEATURE_BITMAP_CONTAINERID > - change from event_container_id to event_contid internally > - change from container_id to contid and event_container_id to > event_contid internally > - change command line option from --container-id to --contid > > v3 > - change from AUDIT_CONTAINER to AUDIT_CONTAINER_ID > - change from AUDIT_CONTAINER_INFO to AUDIT_CONTAINER > - change from AUDIT_CONTAINERID to AUDIT_CONTID > - update github issue refs > - add audit_get_containerid > - change event_container_id default value > - add --containerid to ausearch options help text > - update ausearch parser and error codes > > v2 > - rebase on UINT_MAX patch > - add patches for AUDIT_CONTAINER, AUDIT_CONTAINER_INFO, ausearch, > normalization > > Richard Guy Briggs (12): > AUDIT_CONTAINER_OP message type basic support > AUDIT_CONTAINER_ID message type basic support > auditctl: add support for AUDIT_CONTID filter > add ausearch containerid support > start normalization containerid support > libaudit: add support to get the task audit container identifier > signal_info: only print context if it is available. > add support for audit_signal_info2 > contid: interpret correctly CONTAINER_ID contid field csv > contid: switch from /proc to netlink > loginuid/sessionid: switch from /proc to netlink > libaudit: add support to get and set capcontid on a task > > auparse/auditd-config.c | 1 + > auparse/auparse-defs.h | 3 +- > auparse/interpret.c | 10 + > auparse/normalize_record_map.h | 2 + > auparse/typetab.h | 2 + > bindings/python/auparse_python.c | 1 + > docs/Makefile.am | 3 +- > docs/audit_get_containerid.3 | 25 +++ > docs/audit_request_signal_info.3 | 1 + > docs/audit_set_containerid.3 | 24 +++ > docs/auditctl.8 | 3 + > lib/fieldtab.h | 1 + > lib/libaudit.c | 425 ++++++++++++++++++++++++++++++++------- > lib/libaudit.h | 73 +++++++ > lib/msg_typetab.h | 10 + > lib/netlink.c | 15 ++ > src/auditctl-listing.c | 21 ++ > src/auditd-config.c | 1 + > src/auditd-config.h | 1 + > src/auditd-event.c | 28 ++- > src/auditd-reconfig.c | 25 ++- > src/auditd.c | 3 +- > src/aureport-options.c | 1 + > src/ausearch-llist.c | 2 + > src/ausearch-llist.h | 1 + > src/ausearch-match.c | 3 + > src/ausearch-options.c | 47 ++++- > src/ausearch-options.h | 1 + > src/ausearch-parse.c | 197 ++++++++++++++++++ > src/ausearch-report.c | 6 +- > 30 files changed, 848 insertions(+), 88 deletions(-) > create mode 100644 docs/audit_get_containerid.3 > create mode 100644 docs/audit_set_containerid.3 > > -- > 1.8.3.1 > > -- > Linux-audit mailing list > Linux-audit@xxxxxxxxxx > https://www.redhat.com/mailman/listinfo/linux-audit - RGB -- Richard Guy Briggs <rgb@xxxxxxxxxx> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
