On 2020-10-21 12:49, Steve Grubb wrote:
> On Wednesday, October 21, 2020 12:39:26 PM EDT Richard Guy Briggs wrote:
> > > I think I have a way to generate a signal to multiple targets in one
> > > syscall... The added challenge is to also give those targets different
> > > audit container identifiers.
> >
> > Here is an example I was able to generate after updating the testsuite
> > script to include a signalling example of a nested audit container
> > identifier:
> >
> > ----
> > type=PROCTITLE msg=audit(2020-10-21 10:31:16.655:6731) :
> > proctitle=/usr/bin/perl -w containerid/test type=CONTAINER_ID
> > msg=audit(2020-10-21 10:31:16.655:6731) :
> > contid=7129731255799087104^3333941723245477888 type=OBJ_PID
> > msg=audit(2020-10-21 10:31:16.655:6731) : opid=115583 oauid=root ouid=root
> > oses=1 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > ocomm=perl type=CONTAINER_ID msg=audit(2020-10-21 10:31:16.655:6731) :
> > contid=3333941723245477888 type=OBJ_PID msg=audit(2020-10-21
> > 10:31:16.655:6731) : opid=115580 oauid=root ouid=root oses=1
> > obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ocomm=perl
> > type=CONTAINER_ID msg=audit(2020-10-21 10:31:16.655:6731) :
> > contid=8098399240850112512^3333941723245477888 type=OBJ_PID
> > msg=audit(2020-10-21 10:31:16.655:6731) : opid=115582 oauid=root ouid=root
> > oses=1 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > ocomm=perl type=SYSCALL msg=audit(2020-10-21 10:31:16.655:6731) :
> > arch=x86_64 syscall=kill success=yes exit=0 a0=0xfffe3c84 a1=SIGTERM
> > a2=0x4d524554 a3=0x0 items=0 ppid=115564 pid=115567 auid=root uid=root
> > gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
> > tty=ttyS0 ses=1 comm=perl exe=/usr/bin/perl
> > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > key=testsuite-1603290671-AcLtUulY ----
> >
> > There are three CONTAINER_ID records which need some way of associating
> > with OBJ_PID records. An additional CONTAINER_ID record would be present
> > if the killing process itself had an audit container identifier. I think
> > the most obvious way to connect them is with a pid= field in the
> > CONTAINER_ID record.
>
> pid is the process sending the signal, opid is the process receiving the
> signal. I think you mean opid?

If the process sending the signal (it has a pid= field) has an audit
container identifier, it will generate a CONTAINER_ID record. Each
process being signalled (each has an opid= field) that has an audit
container identifier will also generate a CONTAINER_ID record. The
former will be much more common. Which do we use in the CONTAINER_ID
record? Having swinging fields, pid vs opid does not seem like a
reasonable solution. Do we go back to "ref=pid=..." vs "ref=opid=..."?

> -Steve

- RGB

--
Richard Guy Briggs <rgb@xxxxxxxxxx>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
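
An added illustration of the association problem discussed in this message (not code from the thread or from the audit project): it parses the records of the quoted event, shortened, and reports that no CONTAINER_ID record names the process it describes. The function names and the splitting of contid values on `^` are assumptions of this example.

```python
import re

# Records copied from the event quoted in the message above, with the
# PROCTITLE record and the long subj=/obj=/uid fields left out for brevity.
SAMPLE = """\
type=CONTAINER_ID msg=audit(2020-10-21 10:31:16.655:6731) : contid=7129731255799087104^3333941723245477888
type=OBJ_PID msg=audit(2020-10-21 10:31:16.655:6731) : opid=115583 oauid=root ouid=root oses=1 ocomm=perl
type=CONTAINER_ID msg=audit(2020-10-21 10:31:16.655:6731) : contid=3333941723245477888
type=OBJ_PID msg=audit(2020-10-21 10:31:16.655:6731) : opid=115580 oauid=root ouid=root oses=1 ocomm=perl
type=CONTAINER_ID msg=audit(2020-10-21 10:31:16.655:6731) : contid=8098399240850112512^3333941723245477888
type=OBJ_PID msg=audit(2020-10-21 10:31:16.655:6731) : opid=115582 oauid=root ouid=root oses=1 ocomm=perl
type=SYSCALL msg=audit(2020-10-21 10:31:16.655:6731) : arch=x86_64 syscall=kill success=yes exit=0 a1=SIGTERM ppid=115564 pid=115567 comm=perl
"""

RECORD = re.compile(r"^type=(\S+) msg=audit\((.+):(\d+)\) : (.*)$")

def parse(text):
    """Return {serial: [(type, {field: value}), ...]} in input order."""
    events = {}
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        fields = dict(kv.split("=", 1) for kv in body.split() if "=" in kv)
        events.setdefault(int(serial), []).append((rtype, fields))
    return events

def association_report(records):
    """Summarise what a consumer can and cannot link inside one event."""
    contids = [f for t, f in records if t == "CONTAINER_ID"]
    targets = [f["opid"] for t, f in records if t == "OBJ_PID"]
    sender = next((f.get("pid") for t, f in records if t == "SYSCALL"), None)
    # A CONTAINER_ID record is linkable only if it names a process itself.
    linkable = [f for f in contids if "pid" in f or "opid" in f]
    return {
        "sender_pid": sender,
        "target_opids": targets,
        "contid_chains": [f["contid"].split("^") for f in contids],
        "explicitly_linked": len(linkable),
        # With several targets plus a possible sender record, counts alone
        # cannot say which process each CONTAINER_ID record describes.
        "ambiguous": len(contids) > 0 and len(linkable) < len(contids),
    }
```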