[ghak90,V5,03/10] audit: read container ID of a process

Message ID	25543e3db4d8f3853119f92c09a60664555249a2.1552665316.git.rgb@redhat.com
State	Awaiting Upstream
Delegated to:	Pablo Neira
Headers	show Return-Path: <netfilter-devel-owner@vger.kernel.org> From: Richard Guy Briggs <rgb@redhat.com> To: containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List <linux-audit@redhat.com>, linux-fsdevel@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org Cc: Paul Moore <paul@paul-moore.com>, sgrubb@redhat.com, omosnace@redhat.com, dhowells@redhat.com, simo@redhat.com, eparis@parisplace.org, serge@hallyn.com, ebiederm@xmission.com, nhorman@tuxdriver.com, Richard Guy Briggs <rgb@redhat.com> Subject: [PATCH ghak90 V5 03/10] audit: read container ID of a process Date: Fri, 15 Mar 2019 14:29:51 -0400 Message-Id: <25543e3db4d8f3853119f92c09a60664555249a2.1552665316.git.rgb@redhat.com> In-Reply-To: <cover.1552665316.git.rgb@redhat.com> References: <cover.1552665316.git.rgb@redhat.com> In-Reply-To: <cover.1552665316.git.rgb@redhat.com> References: <cover.1552665316.git.rgb@redhat.com> Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk
Series	audit: implement container identifier \| expand [ghak90,V5,00/10] audit: implement container identifier [ghak90,V5,01/10] audit: collect audit task parameters [ghak90,V5,02/10] audit: add container id [ghak90,V5,03/10] audit: read container ID of a process [ghak90,V5,04/10] audit: log container info of syscalls [ghak90,V5,05/10] audit: add containerid support for ptrace and signals [ghak90,V5,06/10] audit: add support for non-syscall auxiliary records [ghak90,V5,07/10] audit: add containerid support for user records [ghak90,V5,08/10] audit: add containerid filtering [ghak90,V5,09/10] audit: add support for containerid to network namespaces [ghak90,V5,10/10] audit: NETFILTER_PKT: record each container ID associated with a netNS

Richard Guy Briggs March 15, 2019, 6:29 p.m. UTC

Add support for reading the audit container identifier from the proc
filesystem.

This is a read from the proc entry of the form
/proc/PID/audit_containerid where PID is the process ID of the task
whose audit container identifier is sought.

The read expects up to a u64 value (unset: 18446744073709551615).

This read requires CAP_AUDIT_CONTROL.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
---
 fs/proc/base.c | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

Neil Horman March 18, 2019, 11:10 a.m. UTC | #1

On Fri, Mar 15, 2019 at 02:29:51PM -0400, Richard Guy Briggs wrote:
> Add support for reading the audit container identifier from the proc
> filesystem.
> 
> This is a read from the proc entry of the form
> /proc/PID/audit_containerid where PID is the process ID of the task
> whose audit container identifier is sought.
> 
> The read expects up to a u64 value (unset: 18446744073709551615).
> 
> This read requires CAP_AUDIT_CONTROL.
> 
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> Acked-by: Serge Hallyn <serge@hallyn.com>
> ---
>  fs/proc/base.c | 23 +++++++++++++++++++++--
>  1 file changed, 21 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index 2505c46c8701..0b833cbdf5b6 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -1295,6 +1295,24 @@ static ssize_t proc_sessionid_read(struct file * file, char __user * buf,
>  	.llseek		= generic_file_llseek,
>  };
>  
> +static ssize_t proc_contid_read(struct file *file, char __user *buf,
> +				  size_t count, loff_t *ppos)
> +{
> +	struct inode *inode = file_inode(file);
> +	struct task_struct *task = get_proc_task(inode);
> +	ssize_t length;
> +	char tmpbuf[TMPBUFLEN*2];
> +
Sorry, didn't notice this previously, but..
Why *2 here?  Its not wrong per-se, but would it be better to just change
TMPBUFLEN to be 22 bytes unilaterally?  Its only ever used on stack calls that
arent that deep, and then you won't have to think about adjusting this call site
if you ever change the value of TMPBUFLEN in the future.

I'm fine with doing this in another patch later, but it seems like a worthwhile
cleanup

functionality looks good beyond that nit.

> +	if (!task)
> +		return -ESRCH;
> +	/* if we don't have caps, reject */
> +	if (!capable(CAP_AUDIT_CONTROL))
> +		return -EPERM;
> +	length = scnprintf(tmpbuf, TMPBUFLEN*2, "%llu", audit_get_contid(task));
> +	put_task_struct(task);
> +	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
> +}
> +
>  static ssize_t proc_contid_write(struct file *file, const char __user *buf,
>  				   size_t count, loff_t *ppos)
>  {
> @@ -1325,6 +1343,7 @@ static ssize_t proc_contid_write(struct file *file, const char __user *buf,
>  }
>  
>  static const struct file_operations proc_contid_operations = {
> +	.read		= proc_contid_read,
>  	.write		= proc_contid_write,
>  	.llseek		= generic_file_llseek,
>  };
> @@ -3039,7 +3058,7 @@ static int proc_stack_depth(struct seq_file *m, struct pid_namespace *ns,
>  #ifdef CONFIG_AUDIT
>  	REG("loginuid",   S_IWUSR|S_IRUGO, proc_loginuid_operations),
>  	REG("sessionid",  S_IRUGO, proc_sessionid_operations),
> -	REG("audit_containerid", S_IWUSR, proc_contid_operations),
> +	REG("audit_containerid", S_IWUSR|S_IRUSR, proc_contid_operations),
>  #endif
>  #ifdef CONFIG_FAULT_INJECTION
>  	REG("make-it-fail", S_IRUGO|S_IWUSR, proc_fault_inject_operations),
> @@ -3428,7 +3447,7 @@ static int proc_tid_comm_permission(struct inode *inode, int mask)
>  #ifdef CONFIG_AUDIT
>  	REG("loginuid",  S_IWUSR|S_IRUGO, proc_loginuid_operations),
>  	REG("sessionid",  S_IRUGO, proc_sessionid_operations),
> -	REG("audit_containerid", S_IWUSR, proc_contid_operations),
> +	REG("audit_containerid", S_IWUSR|S_IRUSR, proc_contid_operations),
>  #endif
>  #ifdef CONFIG_FAULT_INJECTION
>  	REG("make-it-fail", S_IRUGO|S_IWUSR, proc_fault_inject_operations),
> -- 
> 1.8.3.1
> 
> 
Acked-by: Neil Horman <nhorman@tuxdriver.com>

Richard Guy Briggs March 18, 2019, 6:17 p.m. UTC | #2

On 2019-03-18 07:10, Neil Horman wrote:
> On Fri, Mar 15, 2019 at 02:29:51PM -0400, Richard Guy Briggs wrote:
> > Add support for reading the audit container identifier from the proc
> > filesystem.
> > 
> > This is a read from the proc entry of the form
> > /proc/PID/audit_containerid where PID is the process ID of the task
> > whose audit container identifier is sought.
> > 
> > The read expects up to a u64 value (unset: 18446744073709551615).
> > 
> > This read requires CAP_AUDIT_CONTROL.
> > 
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > Acked-by: Serge Hallyn <serge@hallyn.com>
> > ---
> >  fs/proc/base.c | 23 +++++++++++++++++++++--
> >  1 file changed, 21 insertions(+), 2 deletions(-)
> > 
> > diff --git a/fs/proc/base.c b/fs/proc/base.c
> > index 2505c46c8701..0b833cbdf5b6 100644
> > --- a/fs/proc/base.c
> > +++ b/fs/proc/base.c
> > @@ -1295,6 +1295,24 @@ static ssize_t proc_sessionid_read(struct file * file, char __user * buf,
> >  	.llseek		= generic_file_llseek,
> >  };
> >  
> > +static ssize_t proc_contid_read(struct file *file, char __user *buf,
> > +				  size_t count, loff_t *ppos)
> > +{
> > +	struct inode *inode = file_inode(file);
> > +	struct task_struct *task = get_proc_task(inode);
> > +	ssize_t length;
> > +	char tmpbuf[TMPBUFLEN*2];
> > +
> Sorry, didn't notice this previously, but..
> Why *2 here?  Its not wrong per-se, but would it be better to just change
> TMPBUFLEN to be 22 bytes unilaterally?  Its only ever used on stack calls that
> arent that deep, and then you won't have to think about adjusting this call site
> if you ever change the value of TMPBUFLEN in the future.

TMPBUFLEN is 11 to accomodate a decimal representation of a u32 with
terminating NULL.  Since the contid is a u64, it was least disruptive
and made sense to me to just double it.  I could define a TMPBUFLEN2 to
be 21 if you prefer?

> I'm fine with doing this in another patch later, but it seems like a worthwhile
> cleanup
> 
> functionality looks good beyond that nit.
> 
> > +	if (!task)
> > +		return -ESRCH;
> > +	/* if we don't have caps, reject */
> > +	if (!capable(CAP_AUDIT_CONTROL))
> > +		return -EPERM;
> > +	length = scnprintf(tmpbuf, TMPBUFLEN*2, "%llu", audit_get_contid(task));
> > +	put_task_struct(task);
> > +	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
> > +}
> > +
> >  static ssize_t proc_contid_write(struct file *file, const char __user *buf,
> >  				   size_t count, loff_t *ppos)
> >  {
> > @@ -1325,6 +1343,7 @@ static ssize_t proc_contid_write(struct file *file, const char __user *buf,
> >  }
> >  
> >  static const struct file_operations proc_contid_operations = {
> > +	.read		= proc_contid_read,
> >  	.write		= proc_contid_write,
> >  	.llseek		= generic_file_llseek,
> >  };
> > @@ -3039,7 +3058,7 @@ static int proc_stack_depth(struct seq_file *m, struct pid_namespace *ns,
> >  #ifdef CONFIG_AUDIT
> >  	REG("loginuid",   S_IWUSR|S_IRUGO, proc_loginuid_operations),
> >  	REG("sessionid",  S_IRUGO, proc_sessionid_operations),
> > -	REG("audit_containerid", S_IWUSR, proc_contid_operations),
> > +	REG("audit_containerid", S_IWUSR|S_IRUSR, proc_contid_operations),
> >  #endif
> >  #ifdef CONFIG_FAULT_INJECTION
> >  	REG("make-it-fail", S_IRUGO|S_IWUSR, proc_fault_inject_operations),
> > @@ -3428,7 +3447,7 @@ static int proc_tid_comm_permission(struct inode *inode, int mask)
> >  #ifdef CONFIG_AUDIT
> >  	REG("loginuid",  S_IWUSR|S_IRUGO, proc_loginuid_operations),
> >  	REG("sessionid",  S_IRUGO, proc_sessionid_operations),
> > -	REG("audit_containerid", S_IWUSR, proc_contid_operations),
> > +	REG("audit_containerid", S_IWUSR|S_IRUSR, proc_contid_operations),
> >  #endif
> >  #ifdef CONFIG_FAULT_INJECTION
> >  	REG("make-it-fail", S_IRUGO|S_IWUSR, proc_fault_inject_operations),
> > -- 
> > 1.8.3.1
> > 
> > 
> Acked-by: Neil Horman <nhorman@tuxdriver.com>
> 

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

Neil Horman March 18, 2019, 6:48 p.m. UTC | #3

On Mon, Mar 18, 2019 at 02:17:21PM -0400, Richard Guy Briggs wrote:
> On 2019-03-18 07:10, Neil Horman wrote:
> > On Fri, Mar 15, 2019 at 02:29:51PM -0400, Richard Guy Briggs wrote:
> > > Add support for reading the audit container identifier from the proc
> > > filesystem.
> > > 
> > > This is a read from the proc entry of the form
> > > /proc/PID/audit_containerid where PID is the process ID of the task
> > > whose audit container identifier is sought.
> > > 
> > > The read expects up to a u64 value (unset: 18446744073709551615).
> > > 
> > > This read requires CAP_AUDIT_CONTROL.
> > > 
> > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > > Acked-by: Serge Hallyn <serge@hallyn.com>
> > > ---
> > >  fs/proc/base.c | 23 +++++++++++++++++++++--
> > >  1 file changed, 21 insertions(+), 2 deletions(-)
> > > 
> > > diff --git a/fs/proc/base.c b/fs/proc/base.c
> > > index 2505c46c8701..0b833cbdf5b6 100644
> > > --- a/fs/proc/base.c
> > > +++ b/fs/proc/base.c
> > > @@ -1295,6 +1295,24 @@ static ssize_t proc_sessionid_read(struct file * file, char __user * buf,
> > >  	.llseek		= generic_file_llseek,
> > >  };
> > >  
> > > +static ssize_t proc_contid_read(struct file *file, char __user *buf,
> > > +				  size_t count, loff_t *ppos)
> > > +{
> > > +	struct inode *inode = file_inode(file);
> > > +	struct task_struct *task = get_proc_task(inode);
> > > +	ssize_t length;
> > > +	char tmpbuf[TMPBUFLEN*2];
> > > +
> > Sorry, didn't notice this previously, but..
> > Why *2 here?  Its not wrong per-se, but would it be better to just change
> > TMPBUFLEN to be 22 bytes unilaterally?  Its only ever used on stack calls that
> > arent that deep, and then you won't have to think about adjusting this call site
> > if you ever change the value of TMPBUFLEN in the future.
> 
> TMPBUFLEN is 11 to accomodate a decimal representation of a u32 with
> terminating NULL.  Since the contid is a u64, it was least disruptive
> and made sense to me to just double it.  I could define a TMPBUFLEN2 to
> be 21 if you prefer?
> 
I'm not adamant on any particular change, just noticing the inconsistency.  I
usually write macro buffer sizes to accomodate the largest string I plan to
hold, so it can be used ubiquitously when the overage is small and transiently
allocated, but if you feel like the space would be better conserved a TMPBUFLEN/
TMPBUFLEN2 approach would be fine (or a TMPBUFLENU32 / TMPBUFLENU64 macro set).

Its not anything that needs fixing now, just an observation for clean up at some
future point.
Neil

> > I'm fine with doing this in another patch later, but it seems like a worthwhile
> > cleanup
> > 
> > functionality looks good beyond that nit.
> > 
> > > +	if (!task)
> > > +		return -ESRCH;
> > > +	/* if we don't have caps, reject */
> > > +	if (!capable(CAP_AUDIT_CONTROL))
> > > +		return -EPERM;
> > > +	length = scnprintf(tmpbuf, TMPBUFLEN*2, "%llu", audit_get_contid(task));
> > > +	put_task_struct(task);
> > > +	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
> > > +}
> > > +
> > >  static ssize_t proc_contid_write(struct file *file, const char __user *buf,
> > >  				   size_t count, loff_t *ppos)
> > >  {
> > > @@ -1325,6 +1343,7 @@ static ssize_t proc_contid_write(struct file *file, const char __user *buf,
> > >  }
> > >  
> > >  static const struct file_operations proc_contid_operations = {
> > > +	.read		= proc_contid_read,
> > >  	.write		= proc_contid_write,
> > >  	.llseek		= generic_file_llseek,
> > >  };
> > > @@ -3039,7 +3058,7 @@ static int proc_stack_depth(struct seq_file *m, struct pid_namespace *ns,
> > >  #ifdef CONFIG_AUDIT
> > >  	REG("loginuid",   S_IWUSR|S_IRUGO, proc_loginuid_operations),
> > >  	REG("sessionid",  S_IRUGO, proc_sessionid_operations),
> > > -	REG("audit_containerid", S_IWUSR, proc_contid_operations),
> > > +	REG("audit_containerid", S_IWUSR|S_IRUSR, proc_contid_operations),
> > >  #endif
> > >  #ifdef CONFIG_FAULT_INJECTION
> > >  	REG("make-it-fail", S_IRUGO|S_IWUSR, proc_fault_inject_operations),
> > > @@ -3428,7 +3447,7 @@ static int proc_tid_comm_permission(struct inode *inode, int mask)
> > >  #ifdef CONFIG_AUDIT
> > >  	REG("loginuid",  S_IWUSR|S_IRUGO, proc_loginuid_operations),
> > >  	REG("sessionid",  S_IRUGO, proc_sessionid_operations),
> > > -	REG("audit_containerid", S_IWUSR, proc_contid_operations),
> > > +	REG("audit_containerid", S_IWUSR|S_IRUSR, proc_contid_operations),
> > >  #endif
> > >  #ifdef CONFIG_FAULT_INJECTION
> > >  	REG("make-it-fail", S_IRUGO|S_IWUSR, proc_fault_inject_operations),
> > > -- 
> > > 1.8.3.1
> > > 
> > > 
> > Acked-by: Neil Horman <nhorman@tuxdriver.com>
> > 
> 
> - RGB
> 
> --
> Richard Guy Briggs <rgb@redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
>

Richard Guy Briggs March 18, 2019, 6:54 p.m. UTC | #4

On 2019-03-18 14:48, Neil Horman wrote:
> On Mon, Mar 18, 2019 at 02:17:21PM -0400, Richard Guy Briggs wrote:
> > On 2019-03-18 07:10, Neil Horman wrote:
> > > On Fri, Mar 15, 2019 at 02:29:51PM -0400, Richard Guy Briggs wrote:
> > > > Add support for reading the audit container identifier from the proc
> > > > filesystem.
> > > > 
> > > > This is a read from the proc entry of the form
> > > > /proc/PID/audit_containerid where PID is the process ID of the task
> > > > whose audit container identifier is sought.
> > > > 
> > > > The read expects up to a u64 value (unset: 18446744073709551615).
> > > > 
> > > > This read requires CAP_AUDIT_CONTROL.
> > > > 
> > > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > > > Acked-by: Serge Hallyn <serge@hallyn.com>
> > > > ---
> > > >  fs/proc/base.c | 23 +++++++++++++++++++++--
> > > >  1 file changed, 21 insertions(+), 2 deletions(-)
> > > > 
> > > > diff --git a/fs/proc/base.c b/fs/proc/base.c
> > > > index 2505c46c8701..0b833cbdf5b6 100644
> > > > --- a/fs/proc/base.c
> > > > +++ b/fs/proc/base.c
> > > > @@ -1295,6 +1295,24 @@ static ssize_t proc_sessionid_read(struct file * file, char __user * buf,
> > > >  	.llseek		= generic_file_llseek,
> > > >  };
> > > >  
> > > > +static ssize_t proc_contid_read(struct file *file, char __user *buf,
> > > > +				  size_t count, loff_t *ppos)
> > > > +{
> > > > +	struct inode *inode = file_inode(file);
> > > > +	struct task_struct *task = get_proc_task(inode);
> > > > +	ssize_t length;
> > > > +	char tmpbuf[TMPBUFLEN*2];
> > > > +
> > > Sorry, didn't notice this previously, but..
> > > Why *2 here?  Its not wrong per-se, but would it be better to just change
> > > TMPBUFLEN to be 22 bytes unilaterally?  Its only ever used on stack calls that
> > > arent that deep, and then you won't have to think about adjusting this call site
> > > if you ever change the value of TMPBUFLEN in the future.
> > 
> > TMPBUFLEN is 11 to accomodate a decimal representation of a u32 with
> > terminating NULL.  Since the contid is a u64, it was least disruptive
> > and made sense to me to just double it.  I could define a TMPBUFLEN2 to
> > be 21 if you prefer?
> > 
> I'm not adamant on any particular change, just noticing the inconsistency.  I
> usually write macro buffer sizes to accomodate the largest string I plan to
> hold, so it can be used ubiquitously when the overage is small and transiently
> allocated, but if you feel like the space would be better conserved a TMPBUFLEN/
> TMPBUFLEN2 approach would be fine (or a TMPBUFLENU32 / TMPBUFLENU64 macro set).

Ok, I see your point about it being transient.  I'll fix it up if there
is a respin.

> Its not anything that needs fixing now, just an observation for clean up at some
> future point.
> Neil
> 
> > > I'm fine with doing this in another patch later, but it seems like a worthwhile
> > > cleanup
> > > 
> > > functionality looks good beyond that nit.
> > > 
> > > > +	if (!task)
> > > > +		return -ESRCH;
> > > > +	/* if we don't have caps, reject */
> > > > +	if (!capable(CAP_AUDIT_CONTROL))
> > > > +		return -EPERM;
> > > > +	length = scnprintf(tmpbuf, TMPBUFLEN*2, "%llu", audit_get_contid(task));
> > > > +	put_task_struct(task);
> > > > +	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
> > > > +}
> > > > +
> > > >  static ssize_t proc_contid_write(struct file *file, const char __user *buf,
> > > >  				   size_t count, loff_t *ppos)
> > > >  {
> > > > @@ -1325,6 +1343,7 @@ static ssize_t proc_contid_write(struct file *file, const char __user *buf,
> > > >  }
> > > >  
> > > >  static const struct file_operations proc_contid_operations = {
> > > > +	.read		= proc_contid_read,
> > > >  	.write		= proc_contid_write,
> > > >  	.llseek		= generic_file_llseek,
> > > >  };
> > > > @@ -3039,7 +3058,7 @@ static int proc_stack_depth(struct seq_file *m, struct pid_namespace *ns,
> > > >  #ifdef CONFIG_AUDIT
> > > >  	REG("loginuid",   S_IWUSR|S_IRUGO, proc_loginuid_operations),
> > > >  	REG("sessionid",  S_IRUGO, proc_sessionid_operations),
> > > > -	REG("audit_containerid", S_IWUSR, proc_contid_operations),
> > > > +	REG("audit_containerid", S_IWUSR|S_IRUSR, proc_contid_operations),
> > > >  #endif
> > > >  #ifdef CONFIG_FAULT_INJECTION
> > > >  	REG("make-it-fail", S_IRUGO|S_IWUSR, proc_fault_inject_operations),
> > > > @@ -3428,7 +3447,7 @@ static int proc_tid_comm_permission(struct inode *inode, int mask)
> > > >  #ifdef CONFIG_AUDIT
> > > >  	REG("loginuid",  S_IWUSR|S_IRUGO, proc_loginuid_operations),
> > > >  	REG("sessionid",  S_IRUGO, proc_sessionid_operations),
> > > > -	REG("audit_containerid", S_IWUSR, proc_contid_operations),
> > > > +	REG("audit_containerid", S_IWUSR|S_IRUSR, proc_contid_operations),
> > > >  #endif
> > > >  #ifdef CONFIG_FAULT_INJECTION
> > > >  	REG("make-it-fail", S_IRUGO|S_IWUSR, proc_fault_inject_operations),
> > > > -- 
> > > > 1.8.3.1
> > > > 
> > > Acked-by: Neil Horman <nhorman@tuxdriver.com>
> > 
> > - RGB

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

Ondrej Mosnacek March 27, 2019, 8:44 p.m. UTC | #5

On Fri, Mar 15, 2019 at 7:33 PM Richard Guy Briggs <rgb@redhat.com> wrote:
> Add support for reading the audit container identifier from the proc
> filesystem.
>
> This is a read from the proc entry of the form
> /proc/PID/audit_containerid where PID is the process ID of the task
> whose audit container identifier is sought.
>
> The read expects up to a u64 value (unset: 18446744073709551615).
>
> This read requires CAP_AUDIT_CONTROL.
>
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> Acked-by: Serge Hallyn <serge@hallyn.com>

Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>

> ---
>  fs/proc/base.c | 23 +++++++++++++++++++++--
>  1 file changed, 21 insertions(+), 2 deletions(-)
>
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index 2505c46c8701..0b833cbdf5b6 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -1295,6 +1295,24 @@ static ssize_t proc_sessionid_read(struct file * file, char __user * buf,
>         .llseek         = generic_file_llseek,
>  };
>
> +static ssize_t proc_contid_read(struct file *file, char __user *buf,
> +                                 size_t count, loff_t *ppos)
> +{
> +       struct inode *inode = file_inode(file);
> +       struct task_struct *task = get_proc_task(inode);
> +       ssize_t length;
> +       char tmpbuf[TMPBUFLEN*2];
> +
> +       if (!task)
> +               return -ESRCH;
> +       /* if we don't have caps, reject */
> +       if (!capable(CAP_AUDIT_CONTROL))
> +               return -EPERM;
> +       length = scnprintf(tmpbuf, TMPBUFLEN*2, "%llu", audit_get_contid(task));
> +       put_task_struct(task);
> +       return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
> +}
> +
>  static ssize_t proc_contid_write(struct file *file, const char __user *buf,
>                                    size_t count, loff_t *ppos)
>  {
> @@ -1325,6 +1343,7 @@ static ssize_t proc_contid_write(struct file *file, const char __user *buf,
>  }
>
>  static const struct file_operations proc_contid_operations = {
> +       .read           = proc_contid_read,
>         .write          = proc_contid_write,
>         .llseek         = generic_file_llseek,
>  };
> @@ -3039,7 +3058,7 @@ static int proc_stack_depth(struct seq_file *m, struct pid_namespace *ns,
>  #ifdef CONFIG_AUDIT
>         REG("loginuid",   S_IWUSR|S_IRUGO, proc_loginuid_operations),
>         REG("sessionid",  S_IRUGO, proc_sessionid_operations),
> -       REG("audit_containerid", S_IWUSR, proc_contid_operations),
> +       REG("audit_containerid", S_IWUSR|S_IRUSR, proc_contid_operations),
>  #endif
>  #ifdef CONFIG_FAULT_INJECTION
>         REG("make-it-fail", S_IRUGO|S_IWUSR, proc_fault_inject_operations),
> @@ -3428,7 +3447,7 @@ static int proc_tid_comm_permission(struct inode *inode, int mask)
>  #ifdef CONFIG_AUDIT
>         REG("loginuid",  S_IWUSR|S_IRUGO, proc_loginuid_operations),
>         REG("sessionid",  S_IRUGO, proc_sessionid_operations),
> -       REG("audit_containerid", S_IWUSR, proc_contid_operations),
> +       REG("audit_containerid", S_IWUSR|S_IRUSR, proc_contid_operations),
>  #endif
>  #ifdef CONFIG_FAULT_INJECTION
>         REG("make-it-fail", S_IRUGO|S_IWUSR, proc_fault_inject_operations),
> --
> 1.8.3.1
>

[ghak90,V5,03/10] audit: read container ID of a process

Commit Message

Comments

Patch