Re: [RFC PATCH ghak90 (was ghak32) V3 05/10] audit: add containerid support for tty_audit
From: Paul Moore <paul@paul-moore.com>
Date: 2018-07-24 21:45:07
Also in:
cgroups, linux-api, linux-fsdevel, netdev
On Tue, Jul 24, 2018 at 10:10 AM Richard Guy Briggs [off-list ref] wrote:
On 2018-07-20 18:14, Paul Moore wrote:quoted
On Wed, Jun 6, 2018 at 1:04 PM Richard Guy Briggs [off-list ref] wrote:quoted
Add audit container identifier auxiliary record to tty logging rule event standalone records. Signed-off-by: Richard Guy Briggs <redacted> --- drivers/tty/tty_audit.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c index e30aa6b..66bd850 100644 --- a/drivers/tty/tty_audit.c +++ b/drivers/tty/tty_audit.c@@ -66,8 +66,9 @@ static void tty_audit_log(const char *description, dev_t dev, uid_t uid = from_kuid(&init_user_ns, task_uid(tsk)); uid_t loginuid = from_kuid(&init_user_ns, audit_get_loginuid(tsk)); unsigned int sessionid = audit_get_sessionid(tsk); + struct audit_context *context = audit_alloc_local();We should be using current's audit_context in tty_audit_log(). Actually, we should probably just get rid of the tsk variable in tty_audit_log() and use current directly to make things a bit more obvious.Ok, agreed. At this point, it it current passed in anyways so no harm other than efficiency.quoted
<time passes> I did some digging and I have a two year old, half-baked patch that cleans up this tsk/current usage as well as a few others. I just rebased it against audit/next and surprisingly it seems to pass a basic smoke test (kernel boots and audit-testsuite passes); I'll post it to the list as a RFC once I'm done reviewing these patches.I'll leave this patch the way it is since there should be no difference and trust this other patch will work its way through the system and solve that.
Yep, that's a merge issue I'll deal with when we get to that point. Although, I would expect that when you post an updated patchset that it applies cleanly to the then-current audit/next tree (or Linus' tree, but audit/next is preferable). In other words, please rebase your development branch before doing your final dev testing and posting.
quoted
quoted
- ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_TTY); + ab = audit_log_start(context, GFP_KERNEL, AUDIT_TTY); if (ab) { char name[sizeof(tsk->comm)];@@ -80,6 +81,8 @@ static void tty_audit_log(const char *description, dev_t dev, audit_log_n_hex(ab, data, size); audit_log_end(ab); } + audit_log_contid(context, "tty", audit_get_contid(tsk)); + audit_free_context(context); }-- paul moore www.paul-moore.com- RGB -- Richard Guy Briggs [off-list ref] Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635
-- paul moore www.paul-moore.com