Received: by 10.192.165.148 with SMTP id m20csp663546imm; Fri, 20 Apr 2018 13:12:16 -0700 (PDT) X-Google-Smtp-Source: AIpwx48mUVE8bMejk+NAMe/9FKl+B0eeE5WWbCjjkPueCqvNl06N5K7tm/nFiCoIMEOU5Z2qKm/9 X-Received: by 10.98.20.195 with SMTP id 186mr4021060pfu.92.1524255136384; Fri, 20 Apr 2018 13:12:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1524255136; cv=none; d=google.com; s=arc-20160816; b=LNQMeZ6eTzvQu5R9azW+5Wv0vIJSsb64nIFWVbNwjThlj1+NtsYktPAjeQv2YIoNgD LBAVuH+aS4tScHAjPAojAp9SaNVIirVLNEMO4+P0lOpz/03uMlBLznmhbyCTzgo51XKC bpifqMZ188a54AlXLDKeijdMJZtSjt3fvt9M8ZbpvF98mwgB1NskvdjCqtkEJGOHBMGq cJ5SKSnY4bgmX+dTfOHda7kw+BMr9q/WdBOVnTOaBUTezr5RLE5VjI+JMWv06DbYkxC8 wwrqPrnh0gI2oYEuTlJIypfS5lHeVL1bQi6V7O58syiQ9uqUQ2GdNyNpUKzWRD2KzPhp 9vaQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=v1ogZcqjo5Nru/w7zcBWfdt9skid4/5dotFH1JcVnAo=; b=MJErSKzfbdzooY1mHRr/XgkNAljF7m6DPe6daFJw/2VWFBs2ec9+8SiU/2bcMeYnBr 7nnE/2pclYzHQXs009uDHmPtLHnoX4m9WPtIpGo90ZyGjOxbc0TPheIXJ8tScersIG5h e1Ew75TVP7Bc8kVMlZ2OF52RuPtnq0N60KFbaho/6U6C+7YiXhMa6drlZhxMh4ZgAD0L xSEQR/eul2CpERp0ExAP1CzEeuaNWDIFj+nVivPajmOTS4XxdmJH40oawbm5sgHz7aOJ cDoN0d9nwzXY6waosHRyQU10jO3ou/HKP4aPaxOVJY83eUAzYkQXvaVY6Ft5R2MszX4B 6DAg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 70-v6si6224659ple.372.2018.04.20.13.11.38; Fri, 20 Apr 2018 13:12:16 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752629AbeDTUIl (ORCPT + 99 others); Fri, 20 Apr 2018 16:08:41 -0400 Received: from mx3-rdu2.redhat.com ([66.187.233.73]:56422 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1750927AbeDTUIj (ORCPT ); Fri, 20 Apr 2018 16:08:39 -0400 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 4F4C68182D1E; Fri, 20 Apr 2018 20:08:38 +0000 (UTC) Received: from madcap2.tricolour.ca (ovpn-112-12.rdu2.redhat.com [10.10.112.12]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 06E1FAFD72; Fri, 20 Apr 2018 20:08:23 +0000 (UTC) Date: Fri, 20 Apr 2018 16:02:26 -0400 From: Richard Guy Briggs To: Paul Moore Cc: cgroups@vger.kernel.org, containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List , linux-fsdevel@vger.kernel.org, LKML , netdev@vger.kernel.org, ebiederm@xmission.com, luto@kernel.org, jlayton@redhat.com, carlos@redhat.com, dhowells@redhat.com, viro@zeniv.linux.org.uk, simo@redhat.com, Eric Paris , serge@hallyn.com Subject: Re: [RFC PATCH ghak32 V2 11/13] audit: add support for containerid to network namespaces Message-ID: <20180420200226.7tyxzuovdbgclw3m@madcap2.tricolour.ca> References: <11b43a498e768a14764594c808a96b34d52be0af.1521179281.git.rgb@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: NeoMutt/20171027 X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.8]); Fri, 20 Apr 2018 20:08:38 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.8]); Fri, 20 Apr 2018 20:08:38 +0000 (UTC) for IP:'10.11.54.5' DOMAIN:'int-mx05.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'rgb@redhat.com' RCPT:'' Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2018-04-18 21:46, Paul Moore wrote: > On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs wrote: > > Audit events could happen in a network namespace outside of a task > > context due to packets received from the net that trigger an auditing > > rule prior to being associated with a running task. The network > > namespace could in use by multiple containers by association to the > > tasks in that network namespace. We still want a way to attribute > > these events to any potential containers. Keep a list per network > > namespace to track these container identifiiers. > > > > Add/increment the container identifier on: > > - initial setting of the container id via /proc > > - clone/fork call that inherits a container identifier > > - unshare call that inherits a container identifier > > - setns call that inherits a container identifier > > Delete/decrement the container identifier on: > > - an inherited container id dropped when child set > > - process exit > > - unshare call that drops a net namespace > > - setns call that drops a net namespace > > > > See: https://github.com/linux-audit/audit-kernel/issues/32 > > See: https://github.com/linux-audit/audit-testsuite/issues/64 > > Signed-off-by: Richard Guy Briggs > > --- > > include/linux/audit.h | 7 +++++++ > > include/net/net_namespace.h | 12 ++++++++++++ > > kernel/auditsc.c | 9 ++++++--- > > kernel/nsproxy.c | 6 ++++++ > > net/core/net_namespace.c | 45 +++++++++++++++++++++++++++++++++++++++++++++ > > 5 files changed, 76 insertions(+), 3 deletions(-) > > ... > > > diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h > > index 0490084..343a428 100644 > > --- a/include/net/net_namespace.h > > +++ b/include/net/net_namespace.h > > @@ -33,6 +33,7 @@ > > #include > > #include > > #include > > +#include > > > > struct user_namespace; > > struct proc_dir_entry; > > @@ -150,6 +151,7 @@ struct net { > > #endif > > struct sock *diag_nlsk; > > atomic_t fnhe_genid; > > + struct list_head audit_containerid; > > } __randomize_layout; > > We talked about this briefly off-list, you should be using audit_net > and the net_generic mechanism instead of this. > > > #include > > @@ -301,6 +303,16 @@ static inline struct net *read_pnet(const possible_net_t *pnet) > > #define __net_initconst __initconst > > #endif > > > > +#ifdef CONFIG_NET_NS > > +void net_add_audit_containerid(struct net *net, u64 containerid); > > +void net_del_audit_containerid(struct net *net, u64 containerid); > > +#else > > +static inline void net_add_audit_containerid(struct net *, u64) > > +{ } > > +static inline void net_del_audit_containerid(struct net *, u64) > > +{ } > > +#endif > > + > > int peernet2id_alloc(struct net *net, struct net *peer); > > int peernet2id(struct net *net, struct net *peer); > > bool peernet_has_id(struct net *net, struct net *peer); > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > index 2f02ed9..208da962 100644 > > --- a/kernel/auditsc.c > > +++ b/kernel/auditsc.c > > @@ -75,6 +75,7 @@ > > #include > > #include > > #include > > +#include > > > > #include "audit.h" > > > > @@ -2175,16 +2176,18 @@ static void audit_log_set_containerid(struct task_struct *task, u64 oldcontainer > > */ > > int audit_set_containerid(struct task_struct *task, u64 containerid) > > { > > - u64 oldcontainerid; > > + u64 oldcontainerid = audit_get_containerid(task); > > int rc; > > - > > - oldcontainerid = audit_get_containerid(task); > > + struct net *net = task->nsproxy->net_ns; > > > > rc = audit_set_containerid_perm(task, containerid); > > if (!rc) { > > + if (cid_valid(oldcontainerid)) > > + net_del_audit_containerid(net, oldcontainerid); > > Using audit_net we can handle this internal to audit, which is a Good Thing. No problem, done. > > task_lock(task); > > task->containerid = containerid; > > task_unlock(task); > > + net_add_audit_containerid(net, containerid); > > Same. > > > } > > > > audit_log_set_containerid(task, oldcontainerid, containerid, rc); > > diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c > > index f6c5d33..d9f1090 100644 > > --- a/kernel/nsproxy.c > > +++ b/kernel/nsproxy.c > > @@ -140,6 +140,7 @@ int copy_namespaces(unsigned long flags, struct task_struct *tsk) > > struct nsproxy *old_ns = tsk->nsproxy; > > struct user_namespace *user_ns = task_cred_xxx(tsk, user_ns); > > struct nsproxy *new_ns; > > + u64 containerid = audit_get_containerid(tsk); > > > > if (likely(!(flags & (CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC | > > CLONE_NEWPID | CLONE_NEWNET | > > @@ -167,6 +168,7 @@ int copy_namespaces(unsigned long flags, struct task_struct *tsk) > > return PTR_ERR(new_ns); > > > > tsk->nsproxy = new_ns; > > + net_add_audit_containerid(new_ns->net_ns, containerid); > > return 0; > > } > > Hopefully we can handle this in audit_net_init(), we just need to > figure out where we can get the correct task_struct for the audit > container ID (some backpointer in the net struct?). I don't follow. This needs to happen on every task startup. audit_net_init() is only called when a new network namespace starts up. > > @@ -217,6 +219,7 @@ int unshare_nsproxy_namespaces(unsigned long unshare_flags, > > void switch_task_namespaces(struct task_struct *p, struct nsproxy *new) > > { > > struct nsproxy *ns; > > + u64 containerid = audit_get_containerid(p); > > > > might_sleep(); > > > > @@ -224,6 +227,9 @@ void switch_task_namespaces(struct task_struct *p, struct nsproxy *new) > > ns = p->nsproxy; > > p->nsproxy = new; > > task_unlock(p); > > + net_del_audit_containerid(ns->net_ns, containerid); > > + if (new) > > + net_add_audit_containerid(new->net_ns, containerid); > > Okay, we might need a hook here for switching namespaces, but I would > much rather it be a generic audit hook that calls directly into audit. Trivial, done. > paul moore - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635