Re: [RFC PATCH ghak32 V2 01/13] audit: add container id

[RFC PATCH ghak32 V2 00/13] audit: implement container id · Richard Guy Briggs <hidden> · 2018-03-16
[RFC PATCH ghak32 V2 02/13] audit: check children and threading before allowing containerid · Richard Guy Briggs <hidden> · 2018-03-16
Re: [RFC PATCH ghak32 V2 02/13] audit: check children and threading before allowing containerid · Paul Moore <paul@paul-moore.com> · 2018-04-19
[RFC PATCH ghak32 V2 04/13] audit: add containerid filtering · Richard Guy Briggs <hidden> · 2018-03-16
Re: [RFC PATCH ghak32 V2 04/13] audit: add containerid filtering · Paul Moore <paul@paul-moore.com> · 2018-04-19
Re: [RFC PATCH ghak32 V2 04/13] audit: add containerid filtering · Richard Guy Briggs <hidden> · 2018-04-19
[RFC PATCH ghak32 V2 05/13] audit: add containerid support for ptrace and signals · Richard Guy Briggs <hidden> · 2018-03-16
Re: [RFC PATCH ghak32 V2 05/13] audit: add containerid support for ptrace and signals · Paul Moore <paul@paul-moore.com> · 2018-04-19
Re: [RFC PATCH ghak32 V2 05/13] audit: add containerid support for ptrace and signals · Richard Guy Briggs <hidden> · 2018-04-20
Re: [RFC PATCH ghak32 V2 05/13] audit: add containerid support for ptrace and signals · Paul Moore <paul@paul-moore.com> · 2018-04-20
[RFC PATCH ghak32 V2 08/13] audit: add containerid support for tty_audit · Richard Guy Briggs <hidden> · 2018-03-16
[RFC PATCH ghak32 V2 09/13] audit: add containerid support for config/feature/user records · Richard Guy Briggs <hidden> · 2018-03-16
Re: [RFC PATCH ghak32 V2 09/13] audit: add containerid support for config/feature/user records · Paul Moore <paul@paul-moore.com> · 2018-04-19
Re: [RFC PATCH ghak32 V2 09/13] audit: add containerid support for config/feature/user records · Richard Guy Briggs <hidden> · 2018-04-19
Re: [RFC PATCH ghak32 V2 09/13] audit: add containerid support for config/feature/user records · Paul Moore <paul@paul-moore.com> · 2018-04-19
[RFC PATCH ghak32 V2 12/13] audit: NETFILTER_PKT: record each container ID associated with a netNS · Richard Guy Briggs <hidden> · 2018-03-16
Re: [RFC PATCH ghak32 V2 12/13] audit: NETFILTER_PKT: record each container ID associated with a netNS · Paul Moore <paul@paul-moore.com> · 2018-04-19
Re: [RFC PATCH ghak32 V2 12/13] audit: NETFILTER_PKT: record each container ID associated with a netNS · Richard Guy Briggs <hidden> · 2018-04-19
Re: [RFC PATCH ghak32 V2 12/13] audit: NETFILTER_PKT: record each container ID associated with a netNS · Paul Moore <paul@paul-moore.com> · 2018-04-19
[RFC PATCH ghak32 V2 01/13] audit: add container id · Richard Guy Briggs <hidden> · 2018-03-16
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Jonathan Corbet <corbet@lwn.net> · 2018-03-28
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Richard Guy Briggs <hidden> · 2018-03-29
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Jonathan Corbet <corbet@lwn.net> · 2018-03-29
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Richard Guy Briggs <hidden> · 2018-03-30
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Paul Moore <paul@paul-moore.com> · 2018-04-18
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Casey Schaufler <casey@schaufler-ca.com> · 2018-04-19
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Paul Moore <paul@paul-moore.com> · 2018-04-19
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Casey Schaufler <casey@schaufler-ca.com> · 2018-04-19
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Richard Guy Briggs <hidden> · 2018-04-21
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Paul Moore <paul@paul-moore.com> · 2018-04-23
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Richard Guy Briggs <hidden> · 2018-04-24
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Paul Moore <paul@paul-moore.com> · 2018-04-24
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Richard Guy Briggs <hidden> · 2018-04-25
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Paul Moore <paul@paul-moore.com> · 2018-04-26
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Richard Guy Briggs <hidden> · 2018-05-06
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Steve Grubb <hidden> · 2018-05-17
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Richard Guy Briggs <hidden> · 2018-05-17
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Steve Grubb <hidden> · 2018-05-18
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Richard Guy Briggs <hidden> · 2018-05-18
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Steve Grubb <hidden> · 2018-05-18
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Richard Guy Briggs <hidden> · 2018-06-01
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Steve Grubb <hidden> · 2018-06-04
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Richard Guy Briggs <hidden> · 2018-06-04
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Richard Guy Briggs <hidden> · 2018-06-04
[RFC PATCH ghak32 V2 03/13] audit: log container info of syscalls · Richard Guy Briggs <hidden> · 2018-03-16
Re: [RFC PATCH ghak32 V2 03/13] audit: log container info of syscalls · Steve Grubb <hidden> · 2018-05-17
Re: [RFC PATCH ghak32 V2 03/13] audit: log container info of syscalls · Richard Guy Briggs <hidden> · 2018-05-17
Re: [RFC PATCH ghak32 V2 03/13] audit: log container info of syscalls · Steve Grubb <hidden> · 2018-05-21
[RFC PATCH ghak32 V2 06/13] audit: add support for non-syscall auxiliary records · Richard Guy Briggs <hidden> · 2018-03-16
Re: [RFC PATCH ghak32 V2 06/13] audit: add support for non-syscall auxiliary records · Paul Moore <paul@paul-moore.com> · 2018-04-19
Re: [RFC PATCH ghak32 V2 06/13] audit: add support for non-syscall auxiliary records · Richard Guy Briggs <hidden> · 2018-04-20
Re: [RFC PATCH ghak32 V2 06/13] audit: add support for non-syscall auxiliary records · Paul Moore <paul@paul-moore.com> · 2018-04-20
[RFC PATCH ghak32 V2 07/13] audit: add container aux record to watch/tree/mark · Richard Guy Briggs <hidden> · 2018-03-16
Re: [RFC PATCH ghak32 V2 07/13] audit: add container aux record to watch/tree/mark · Paul Moore <paul@paul-moore.com> · 2018-04-19
Re: [RFC PATCH ghak32 V2 07/13] audit: add container aux record to watch/tree/mark · Richard Guy Briggs <hidden> · 2018-04-19
[RFC PATCH ghak32 V2 10/13] audit: add containerid support for seccomp and anom_abend records · Richard Guy Briggs <hidden> · 2018-03-16
Re: [RFC PATCH ghak32 V2 10/13] audit: add containerid support for seccomp and anom_abend records · Paul Moore <paul@paul-moore.com> · 2018-04-19
Re: [RFC PATCH ghak32 V2 10/13] audit: add containerid support for seccomp and anom_abend records · Richard Guy Briggs <hidden> · 2018-04-20
Re: [RFC PATCH ghak32 V2 10/13] audit: add containerid support for seccomp and anom_abend records · Paul Moore <paul@paul-moore.com> · 2018-04-20
[RFC PATCH ghak32 V2 11/13] audit: add support for containerid to network namespaces · Richard Guy Briggs <hidden> · 2018-03-16
Re: [RFC PATCH ghak32 V2 11/13] audit: add support for containerid to network namespaces · Paul Moore <paul@paul-moore.com> · 2018-04-19
Re: [RFC PATCH ghak32 V2 11/13] audit: add support for containerid to network namespaces · Richard Guy Briggs <hidden> · 2018-04-20
Re: [RFC PATCH ghak32 V2 11/13] audit: add support for containerid to network namespaces · Paul Moore <paul@paul-moore.com> · 2018-04-20
Re: [RFC PATCH ghak32 V2 11/13] audit: add support for containerid to network namespaces · Richard Guy Briggs <hidden> · 2018-04-20
Re: [RFC PATCH ghak32 V2 11/13] audit: add support for containerid to network namespaces · Paul Moore <paul@paul-moore.com> · 2018-04-21
[RFC PATCH ghak32 V2 13/13] debug audit: read container ID of a process · Richard Guy Briggs <hidden> · 2018-03-16
Re: [RFC PATCH ghak32 V2 13/13] debug audit: read container ID of a process · Steve Grubb <hidden> · 2018-05-21
Re: [RFC PATCH ghak32 V2 00/13] audit: implement container id · Steve Grubb <hidden> · 2018-05-30
Re: [RFC PATCH ghak32 V2 00/13] audit: implement container id · Richard Guy Briggs <hidden> · 2018-05-30

From: Casey Schaufler <casey@schaufler-ca.com>
Date: 2018-04-19 00:41:40
Also in: cgroups, linux-fsdevel, lkml, netdev

On 4/18/2018 4:47 PM, Paul Moore wrote:

On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs [off-list ref] wrote:

quoted

Implement the proc fs write to set the audit container ID of a process,
emitting an AUDIT_CONTAINER record to document the event.
...

diff --git a/include/linux/sched.h b/include/linux/sched.h
index d258826..1b82191 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h

@@ -796,6 +796,7 @@ struct task_struct {
 #ifdef CONFIG_AUDITSYSCALL
        kuid_t                          loginuid;
        unsigned int                    sessionid;
+       u64                             containerid;

This one line addition to the task_struct scares me the most of
anything in this patchset.  Why?  It's a field named "containerid" in
a perhaps one of the most widely used core kernel structures; the
possibilities for abuse are endless, and it's foolish to think we
would ever be able to adequately police this.

If we can get the LSM infrastructure managed task blobs from 
module stacking in ahead of this we could create a trivial security
module to manage this. It's not as if there aren't all sorts of
interactions between security modules and the audit system already.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help