Skip to content

Commit

Permalink
auditctl: add support for AUDIT_CONTID filter
Browse files Browse the repository at this point in the history
A u64 container identifier has been added to the kernel view of tasks.
This allows container orchestrators to label tasks with a unique
tamperproof identifier that gets inherited by its children to be able to
track the provenance of actions by a container.

Add support to libaudit and auditctl for the AUDIT_CONTID field to
filter based on audit container identifier.  This field is specified
with the "contid" field name on the command line.

Since it is a u64 and larger than any other numeric field, send it as a
string but do the appropriate conversions on each end in each direction.

See: linux-audit#40
See: linux-audit/audit-kernel#91
See: linux-audit/audit-testsuite#64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Signed-off-by: Richard Guy Briggs <[email protected]>
  • Loading branch information
rgbriggs committed Dec 6, 2019
1 parent 5163395 commit c8ee53e
Show file tree
Hide file tree
Showing 5 changed files with 68 additions and 0 deletions.
3 changes: 3 additions & 0 deletions docs/auditctl.8
Original file line number Diff line number Diff line change
Expand Up @@ -216,6 +216,9 @@ Address family number as found in /usr/include/bits/socket.h. For example, IPv4
.B sessionid
User's login session ID
.TP
.B contid
Process' audit container ID
.TP
.B subj_user
Program's SE Linux User
.TP
Expand Down
1 change: 1 addition & 0 deletions lib/fieldtab.h
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,7 @@ _S(AUDIT_OBJ_TYPE, "obj_type" )
_S(AUDIT_OBJ_LEV_LOW, "obj_lev_low" )
_S(AUDIT_OBJ_LEV_HIGH, "obj_lev_high" )
_S(AUDIT_SESSIONID, "sessionid" )
_S(AUDIT_CONTID, "contid" )

_S(AUDIT_DEVMAJOR, "devmajor" )
_S(AUDIT_DEVMINOR, "devminor" )
Expand Down
36 changes: 36 additions & 0 deletions lib/libaudit.c
Original file line number Diff line number Diff line change
Expand Up @@ -1756,6 +1756,42 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
if (rule->values[rule->field_count] >= AF_MAX)
return -EAU_FIELDVALTOOBIG;
break;
case AUDIT_CONTID: {
unsigned long long val;

if ((audit_get_features() &
AUDIT_FEATURE_BITMAP_CONTAINERID) == 0)
return -EAU_FIELDNOSUPPORT;
if (flags != AUDIT_FILTER_EXCLUDE &&
flags != AUDIT_FILTER_USER &&
flags != AUDIT_FILTER_EXIT)
return -EAU_FIELDNOFILTER;
if (isdigit((char)*(v)))
val = strtoull(v, NULL, 0);
else if (strlen(v) >= 2 && *(v)=='-' &&
(isdigit((char)*(v+1))))
val = strtoll(v, NULL, 0);
else if (strcmp(v, "unset") == 0)
val = ULLONG_MAX;
else
return -EAU_FIELDVALNUM;
if (errno)
return -EAU_FIELDVALNUM;
vlen = sizeof(unsigned long long);
rule->values[rule->field_count] = vlen;
offset = rule->buflen;
rule->buflen += vlen;
*rulep = realloc(rule, sizeof(*rule) + rule->buflen);
if (*rulep == NULL) {
free(rule);
audit_msg(LOG_ERR, "Cannot realloc memory!\n");
return -3;
} else {
rule = *rulep;
}
*(unsigned long long*)(&rule->buf[offset]) = val;
break;
}
case AUDIT_DEVMAJOR...AUDIT_INODE:
case AUDIT_SUCCESS:
if (flags != AUDIT_FILTER_EXIT)
Expand Down
7 changes: 7 additions & 0 deletions lib/libaudit.h
Original file line number Diff line number Diff line change
Expand Up @@ -350,6 +350,9 @@ extern "C" {
#ifndef AUDIT_FEATURE_BITMAP_FILTER_FS
#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
#endif
#ifndef AUDIT_FEATURE_BITMAP_CONTAINERID
#define AUDIT_FEATURE_BITMAP_CONTAINERID 0x00000080
#endif

/* Defines for interfield comparison update */
#ifndef AUDIT_OBJ_UID
Expand All @@ -376,6 +379,10 @@ extern "C" {
#define AUDIT_FSTYPE 26
#endif

#ifndef AUDIT_CONTID
#define AUDIT_CONTID 27
#endif

#ifndef AUDIT_COMPARE_UID_TO_OBJ_UID
#define AUDIT_COMPARE_UID_TO_OBJ_UID 1
#endif
Expand Down
21 changes: 21 additions & 0 deletions src/auditctl-listing.c
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>
#include "auditctl-listing.h"
#include "private.h"
#include "auditctl-llist.h"
Expand Down Expand Up @@ -460,6 +461,26 @@ static void print_rule(const struct audit_rule_data *r)
audit_operator_to_symbol(op),
audit_fstype_to_name(
r->values[i]));
} else if (field == AUDIT_CONTID) {
unsigned long long val;

if (r->values[i] == sizeof(unsigned long long)) {
val = *(unsigned long long*)(&r->buf[boffset]);

if (val != ULLONG_MAX)
printf(" -F %s%s%llu", name,
audit_operator_to_symbol(op),
val);
else
printf(" -F %s%s%s", name,
audit_operator_to_symbol(op),
"unset");
} else {
printf(" -F %s%s%s", name,
audit_operator_to_symbol(op),
"inval");
}
boffset += r->values[i];
} else {
// The default is signed decimal
printf(" -F %s%s%d", name,
Expand Down

0 comments on commit c8ee53e

Please sign in to comment.