Thread: 69 messages, 5 authors, 2018-06-04

Re: [RFC PATCH ghak32 V2 10/13] audit: add containerid support for seccomp and anom_abend records

From: Paul Moore <paul@paul-moore.com>
Date: 2018-04-20 16:11:09
Also in: cgroups, linux-fsdevel, lkml, netdev

On Thu, Apr 19, 2018 at 8:42 PM, Richard Guy Briggs [off-list ref] wrote:
On 2018-04-18 21:31, Paul Moore wrote:
On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs [off-list ref] wrote:
Add container ID auxiliary records to secure computing and abnormal end
standalone records.

Signed-off-by: Richard Guy Briggs <redacted>
---
 kernel/auditsc.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 7103d23..2f02ed9 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2571,6 +2571,7 @@ static void audit_log_task(struct audit_buffer *ab)
 void audit_core_dumps(long signr)
 {
        struct audit_buffer *ab;
+       struct audit_context *context = audit_alloc_local();
Looking quickly at do_coredump() I *believe* we can use current here.
        if (!audit_enabled)
                return;
@@ -2578,19 +2579,22 @@ void audit_core_dumps(long signr)
        if (signr == SIGQUIT)   /* don't care for those */
                return;

-       ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
+       ab = audit_log_start(context, GFP_KERNEL, AUDIT_ANOM_ABEND);
        if (unlikely(!ab))
                return;
        audit_log_task(ab);
        audit_log_format(ab, " sig=%ld res=1", signr);
        audit_log_end(ab);
+       audit_log_container_info(context, "abend", audit_get_containerid(current));
+       audit_free_context(context);
 }

 void __audit_seccomp(unsigned long syscall, long signr, int code)
 {
        struct audit_buffer *ab;
+       struct audit_context *context = audit_alloc_local();
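Review bot: the `signr == SIGQUIT` and `if (unlikely(!ab)) return;` paths in this hunk return without calling audit_free_context(context), which is only reached after audit_log_end(); because the context was allocated unconditionally at function entry, both paths leak it. Suggest `audit_free_context(context);` before each `return;`, or deferring the allocation until the record is definitely going to be emitted. The same unconditional audit_alloc_local() is introduced at the top of __audit_seccomp(); the remainder of that function is not visible in this hunk, but since __audit_seccomp() runs on behalf of current, using the task's own context (as the interleaved comment suggests) would remove both the allocation and the need to free it on every exit path.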
We can definitely use current here.
Ok, so both syscall aux records.  That eliminates this patch from the
set, can go in independently.
Yep.  It should help shrink the audit container ID patchset and
perhaps more importantly it should put some distance between the
connected-record debate and the audit container ID debate.

I understand we are going to need a "local" context for some things,
the network packets are probably the best example, but whenever
possible I would like to connect these records back to a task's
context.

-- 
paul moore
www.paul-moore.com