RFE: add a method to filter audit events based on audit container identifier #91
Assignees
Labels
Comments
This was referenced Jun 1, 2018
|
Posted v3 kernel patchset upstream: |
|
posted v4 kernel patchset upstream: |
|
Test case v1 PR: linux-audit/audit-testsuite#83 |
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
May 28, 2019
A u64 container identifier has been added to the kernel view of tasks. This allows container orchestrators to label tasks with a unique tamperproof identifier that gets inherited by its children to be able to track the provenance of actions by a container. Add support to libaudit and auditctl for the AUDIT_CONTID field to filter based on audit container identifier. This field is specified with the "contid" field name on the command line. Since it is a u64 and larger than any other numeric field, send it as a string but do the appropriate conversions on each end in each direction. See: linux-audit#40 See: linux-audit/audit-kernel#91 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
May 31, 2019
A u64 container identifier has been added to the kernel view of tasks. This allows container orchestrators to label tasks with a unique tamperproof identifier that gets inherited by its children to be able to track the provenance of actions by a container. Add support to libaudit and auditctl for the AUDIT_CONTID field to filter based on audit container identifier. This field is specified with the "contid" field name on the command line. Since it is a u64 and larger than any other numeric field, send it as a string but do the appropriate conversions on each end in each direction. See: linux-audit#40 See: linux-audit/audit-kernel#91 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Sep 19, 2019
A u64 container identifier has been added to the kernel view of tasks. This allows container orchestrators to label tasks with a unique tamperproof identifier that gets inherited by its children to be able to track the provenance of actions by a container. Add support to libaudit and auditctl for the AUDIT_CONTID field to filter based on audit container identifier. This field is specified with the "contid" field name on the command line. Since it is a u64 and larger than any other numeric field, send it as a string but do the appropriate conversions on each end in each direction. See: linux-audit#40 See: linux-audit/audit-kernel#91 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Sep 20, 2019
A u64 container identifier has been added to the kernel view of tasks. This allows container orchestrators to label tasks with a unique tamperproof identifier that gets inherited by its children to be able to track the provenance of actions by a container. Add support to libaudit and auditctl for the AUDIT_CONTID field to filter based on audit container identifier. This field is specified with the "contid" field name on the command line. Since it is a u64 and larger than any other numeric field, send it as a string but do the appropriate conversions on each end in each direction. See: linux-audit#40 See: linux-audit/audit-kernel#91 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Dec 6, 2019
A u64 container identifier has been added to the kernel view of tasks. This allows container orchestrators to label tasks with a unique tamperproof identifier that gets inherited by its children to be able to track the provenance of actions by a container. Add support to libaudit and auditctl for the AUDIT_CONTID field to filter based on audit container identifier. This field is specified with the "contid" field name on the command line. Since it is a u64 and larger than any other numeric field, send it as a string but do the appropriate conversions on each end in each direction. See: linux-audit#40 See: linux-audit/audit-kernel#91 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Dec 31, 2019
A u64 container identifier has been added to the kernel view of tasks. This allows container orchestrators to label tasks with a unique tamperproof identifier that gets inherited by its children to be able to track the provenance of actions by a container. Add support to libaudit and auditctl for the AUDIT_CONTID field to filter based on audit container identifier. This field is specified with the "contid" field name on the command line. Since it is a u64 and larger than any other numeric field, send it as a string but do the appropriate conversions on each end in each direction. See: linux-audit#40 See: linux-audit/audit-kernel#91 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
|
V8 post: |
fengguang
pushed a commit
to 0day-ci/linux
that referenced
this issue
Jan 3, 2020
Implement audit container identifier filtering using the AUDIT_CONTID field name to send an 8-character string representing a u64 since the value field is only u32. Sending it as two u32 was considered, but gathering and comparing two fields was more complex. The feature indicator is AUDIT_FEATURE_BITMAP_CONTAINERID. Please see the github audit kernel issue for the contid filter feature: linux-audit/audit-kernel#91 Please see the github audit userspace issue for filter additions: linux-audit/audit-userspace#40 Please see the github audit testsuiite issue for the test case: linux-audit/audit-testsuite#64 Please see the github audit wiki for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]> Acked-by: Serge Hallyn <[email protected]> Acked-by: Neil Horman <[email protected]> Reviewed-by: Ondrej Mosnacek <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Jun 26, 2020
A u64 container identifier has been added to the kernel view of tasks. This allows container orchestrators to label tasks with a unique tamperproof identifier that gets inherited by its children to be able to track the provenance of actions by a container. Add support to libaudit and auditctl for the AUDIT_CONTID field to filter based on audit container identifier. This field is specified with the "contid" field name on the command line. Since it is a u64 and larger than any other numeric field, send it as a string but do the appropriate conversions on each end in each direction. See: linux-audit#40 See: linux-audit/audit-kernel#91 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
fengguang
pushed a commit
to 0day-ci/linux
that referenced
this issue
Jun 27, 2020
Implement audit container identifier filtering using the AUDIT_CONTID field name to send an 8-character string representing a u64 since the value field is only u32. Sending it as two u32 was considered, but gathering and comparing two fields was more complex. The feature indicator is AUDIT_FEATURE_BITMAP_CONTAINERID. Please see the github audit kernel issue for the contid filter feature: linux-audit/audit-kernel#91 Please see the github audit userspace issue for filter additions: linux-audit/audit-userspace#40 Please see the github audit testsuiite issue for the test case: linux-audit/audit-testsuite#64 Please see the github audit wiki for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]> Acked-by: Serge Hallyn <[email protected]> Acked-by: Neil Horman <[email protected]> Reviewed-by: Ondrej Mosnacek <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Nov 26, 2020
A u64 container identifier has been added to the kernel view of tasks. This allows container orchestrators to label tasks with a unique tamperproof identifier that gets inherited by its children to be able to track the provenance of actions by a container. Add support to libaudit and auditctl for the AUDIT_CONTID field to filter based on audit container identifier. This field is specified with the "contid" field name on the command line. Since it is a u64 and larger than any other numeric field, send it as a string but do the appropriate conversions on each end in each direction. See: linux-audit#40 See: linux-audit/audit-kernel#91 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Nov 26, 2020
A u64 container identifier has been added to the kernel view of tasks. This allows container orchestrators to label tasks with a unique tamperproof identifier that gets inherited by its children to be able to track the provenance of actions by a container. Add support to libaudit and auditctl for the AUDIT_CONTID field to filter based on audit container identifier. This field is specified with the "contid" field name on the command line. Since it is a u64 and larger than any other numeric field, send it as a string but do the appropriate conversions on each end in each direction. See: linux-audit#40 See: linux-audit/audit-kernel#91 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
rgbriggs
added a commit
to rgbriggs/audit-userspace
that referenced
this issue
Dec 18, 2020
A u64 container identifier has been added to the kernel view of tasks. This allows container orchestrators to label tasks with a unique tamperproof identifier that gets inherited by its children to be able to track the provenance of actions by a container. Add support to libaudit and auditctl for the AUDIT_CONTID field to filter based on audit container identifier. This field is specified with the "contid" field name on the command line. Since it is a u64 and larger than any other numeric field, send it as a string but do the appropriate conversions on each end in each direction. See: linux-audit#40 See: linux-audit/audit-kernel#91 See: linux-audit/audit-testsuite#64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]>
fengguang
pushed a commit
to 0day-ci/linux
that referenced
this issue
Dec 22, 2020
Implement audit container identifier filtering using the AUDIT_CONTID field name to send an 8-character string representing a u64 since the value field is only u32. Sending it as two u32 was considered, but gathering and comparing two fields was more complex. The feature indicator is AUDIT_FEATURE_BITMAP_CONTAINERID. Please see the github audit kernel issue for the contid filter feature: linux-audit/audit-kernel#91 Please see the github audit userspace issue for filter additions: linux-audit/audit-userspace#40 Please see the github audit testsuiite issue for the test case: linux-audit/audit-testsuite#64 Please see the github audit wiki for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]> Acked-by: Serge Hallyn <[email protected]> Acked-by: Neil Horman <[email protected]> Reviewed-by: Ondrej Mosnacek <[email protected]>
|
2020-12-21 |
fengguang
pushed a commit
to 0day-ci/linux
that referenced
this issue
Jan 12, 2021
Implement audit container identifier filtering using the AUDIT_CONTID field name to send an 8-character string representing a u64 since the value field is only u32. Sending it as two u32 was considered, but gathering and comparing two fields was more complex. The feature indicator is AUDIT_FEATURE_BITMAP_CONTAINERID. Please see the github audit kernel issue for the contid filter feature: linux-audit/audit-kernel#91 Please see the github audit userspace issue for filter additions: linux-audit/audit-userspace#40 Please see the github audit testsuiite issue for the test case: linux-audit/audit-testsuite#64 Please see the github audit wiki for the feature overview: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Signed-off-by: Richard Guy Briggs <[email protected]> Acked-by: Serge Hallyn <[email protected]> Acked-by: Neil Horman <[email protected]> Reviewed-by: Ondrej Mosnacek <[email protected]>
|
was this ever mainelined? |
|
This is ongoing work. |
pcmoore
pushed a commit
that referenced
this issue
Oct 3, 2022
storvsc_error_wq workqueue should not be marked as WQ_MEM_RECLAIM as it doesn't need to make forward progress under memory pressure. Marking this workqueue as WQ_MEM_RECLAIM may cause deadlock while flushing a non-WQ_MEM_RECLAIM workqueue. In the current state it causes the following warning: [ 14.506347] ------------[ cut here ]------------ [ 14.506354] workqueue: WQ_MEM_RECLAIM storvsc_error_wq_0:storvsc_remove_lun is flushing !WQ_MEM_RECLAIM events_freezable_power_:disk_events_workfn [ 14.506360] WARNING: CPU: 0 PID: 8 at <-snip->kernel/workqueue.c:2623 check_flush_dependency+0xb5/0x130 [ 14.506390] CPU: 0 PID: 8 Comm: kworker/u4:0 Not tainted 5.4.0-1086-azure #91~18.04.1-Ubuntu [ 14.506391] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 05/09/2022 [ 14.506393] Workqueue: storvsc_error_wq_0 storvsc_remove_lun [ 14.506395] RIP: 0010:check_flush_dependency+0xb5/0x130 <-snip-> [ 14.506408] Call Trace: [ 14.506412] __flush_work+0xf1/0x1c0 [ 14.506414] __cancel_work_timer+0x12f/0x1b0 [ 14.506417] ? kernfs_put+0xf0/0x190 [ 14.506418] cancel_delayed_work_sync+0x13/0x20 [ 14.506420] disk_block_events+0x78/0x80 [ 14.506421] del_gendisk+0x3d/0x2f0 [ 14.506423] sr_remove+0x28/0x70 [ 14.506427] device_release_driver_internal+0xef/0x1c0 [ 14.506428] device_release_driver+0x12/0x20 [ 14.506429] bus_remove_device+0xe1/0x150 [ 14.506431] device_del+0x167/0x380 [ 14.506432] __scsi_remove_device+0x11d/0x150 [ 14.506433] scsi_remove_device+0x26/0x40 [ 14.506434] storvsc_remove_lun+0x40/0x60 [ 14.506436] process_one_work+0x209/0x400 [ 14.506437] worker_thread+0x34/0x400 [ 14.506439] kthread+0x121/0x140 [ 14.506440] ? process_one_work+0x400/0x400 [ 14.506441] ? kthread_park+0x90/0x90 [ 14.506443] ret_from_fork+0x35/0x40 [ 14.506445] ---[ end trace 2d9633159fdc6ee7 ]--- Link: https://lore.kernel.org/r/[email protected] Fixes: 436ad94 ("scsi: storvsc: Allow only one remove lun work item to be issued per lun") Reviewed-by: Michael Kelley <[email protected]> Signed-off-by: Saurabh Sengar <[email protected]> Signed-off-by: Martin K. Petersen <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add a method to filter audit events based on audit container identifier.
Add a u64 field
AUDIT_CONTIDto be able to specify an audit container identifier to be used to filter audit events.Depends: #90
Depends: linux-audit/audit-userspace#40
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
The text was updated successfully, but these errors were encountered: