Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp3358433imm;
        Fri, 20 Jul 2018 15:17:14 -0700 (PDT)
X-Google-Smtp-Source: AAOMgpe19fE7Yy7AnacTvqzF3KTuyMQsWVWG0tYXXMhhuWdYe/eJ3W1l5+4U03eCNlEI1VacWZWB
X-Received: by 2002:a63:e0b:: with SMTP id d11-v6mr3657603pgl.134.1532125034376;
        Fri, 20 Jul 2018 15:17:14 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1532125034; cv=none;
        d=google.com; s=arc-20160816;
        b=px60Rax1JNI8dNcj65XpazoRLfK0unvw4d8riIJ7JN8EpW3LY3RLGs7XDexcO6WyaJ
         ZifI2IMQFARRmXH81kKFbvGJ1Nmqy9mxMZ0HIS4/I2vo8qi1u6ulQN+9H90TEwG7LkyD
         GIDVf0sGE7JaC0aojCZvEqXED5SjcGlDuQ2WCGwdsrIMZf8FIP2Vk5lmAg3k0l2B3Uyl
         Yiz6xYZVthAo4eLOr85BDj3CRzuH/vD4lQU2zrAauOJY+8nDMKxpLS1zuMArkAMD4g4P
         pNk4XuQ168t81NsX1gvdbpXREaHs2/+HLpp3RPe96pxN67JoRqSDReicpOI9jfEb+9UA
         6opA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature
         :arc-authentication-results;
        bh=0MLZBzpWrUrYNKrZxF7gMNyThX+hu0dJmTCDQioJR8I=;
        b=CYOgIwVKHdFV6EGCh5hyhd+EIxYK++3A4oX3nPc9BJghWGrj/g63mI65qehIPF9muA
         W3YNwD6iqsu6JaDD2ldbEJIVueTpz5PiZ71rEQ3yi/uh15tzyLruaZ6GwzUxMCgBDG1E
         2HChJ6VQaxsrguVYYXmpcbJ0lLF9l+L1C3mhSv1wF9TUZPV3dSslVNa/fGK00bhUePgX
         jzjhYHvMm9qDMRSDglStP0IXK6o1A9/5bkBVjqZRgdjRKBLKupnruv0InbEeJ1ak5NKk
         NIMj1FQf5K2yPg0sBKtKVq/nQ7yi0m0qVY3fNihDnT6l90tJIbkSrNevZhhDwzKgqExb
         5xuQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b="pKemrYz/";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id a9-v6si2815300pgm.581.2018.07.20.15.16.59;
        Fri, 20 Jul 2018 15:17:14 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b="pKemrYz/";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730010AbeGTXF2 (ORCPT <rfc822;chenl.lei@gmail.com> + 99 others);
        Fri, 20 Jul 2018 19:05:28 -0400
Received: from mail-lf1-f49.google.com ([209.85.167.49]:40990 "EHLO
        mail-lf1-f49.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1728730AbeGTXF1 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 20 Jul 2018 19:05:27 -0400
Received: by mail-lf1-f49.google.com with SMTP id v22-v6so2748605lfe.8
        for <linux-kernel@vger.kernel.org>; Fri, 20 Jul 2018 15:15:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=paul-moore-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=0MLZBzpWrUrYNKrZxF7gMNyThX+hu0dJmTCDQioJR8I=;
        b=pKemrYz/UPzeh0AkRybI5i0VYI8+wB1JDOo5REeYEJ4nPXLDVJXa5U3b6oeyJkaFi/
         uPQFMK7VY/fAdD7xd4kkhNSdYxN5+MiPIHUAtNzrtIPD5GglgjzEFQbxvbdY6Oq24DJC
         fYGOuGiujm7U7FC5wd1F3JBj67ro5+WHtKUmPZrDmEs+BFutz87CoB4ODUeV2FZUH6A9
         0wSSBg98vVMNJJUCgcPFNpDLLVY23VG8JZcmX3pvMw5bIZutxmAVGwCbialpuXzinaBJ
         cCIDilhZwmvJ2VG3Ir+A3yNU/H0AFcQ5b5vrZExl38ek0480+rQHVutlJdLdwpggazGM
         yv4w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=0MLZBzpWrUrYNKrZxF7gMNyThX+hu0dJmTCDQioJR8I=;
        b=UTE7hkY9UyegUoHe8gLlRZvgPsFahpE7p9AZlsr9xe6zCa7IWi4TXh5808QzGzKfcR
         MyJ9Q+DxjIhLZ6rcM3wNHsdd+nm8jkbDgAMIE98tfN43hozUH43zHGKtnSWAkp6obX5r
         R/eCYu3BW2L4vQFAH4xYXn8v49Ho+JEgdFD7RgVMhLN9/yoJJCTR0lG08QTmCFEVGk5S
         GLWI4D1e6ZJOTCysp0i33GLql52oLbtaURAypTAFRUX3SVvaIEuVUroXD/DJDkn3jEqN
         kF2zjJVamMg1BV/416BEKQoFdx6QRMU4qZ1lZK3uL6xwZZqOOnNgK+HXg4AFifD5HEBC
         vnUg==
X-Gm-Message-State: AOUpUlFTqspJ6ka9DeUSJNSzdcEA00u1wxHBBlUJNWNa6iaZ8ytYBSj6
        fc6L6Gfn6DU0NykDNUghs/DkPBu1KzJRX4erMVT9
X-Received: by 2002:a19:c403:: with SMTP id u3-v6mr2274290lff.87.1532124912009;
 Fri, 20 Jul 2018 15:15:12 -0700 (PDT)
MIME-Version: 1.0
References: <cover.1528304203.git.rgb@redhat.com> <c6b64f6540e2e531636142ced36d51f0744d0e1f.1528304204.git.rgb@redhat.com>
In-Reply-To: <c6b64f6540e2e531636142ced36d51f0744d0e1f.1528304204.git.rgb@redhat.com>
From:   Paul Moore <paul@paul-moore.com>
Date:   Fri, 20 Jul 2018 18:15:00 -0400
Message-ID: <CAHC9VhQCxdOzcYHFtJ8eTLkNQxwvdAnuLOEguqHT_zU4V9d0OA@mail.gmail.com>
Subject: Re: [RFC PATCH ghak90 (was ghak32) V3 08/10] audit: NETFILTER_PKT:
 record each container ID associated with a netNS
To:     rgb@redhat.com
Cc:     cgroups@vger.kernel.org, containers@lists.linux-foundation.org,
        linux-api@vger.kernel.org, linux-audit@redhat.com,
        linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
        netdev@vger.kernel.org, ebiederm@xmission.com, luto@kernel.org,
        jlayton@redhat.com, carlos@redhat.com, dhowells@redhat.com,
        viro@zeniv.linux.org.uk, simo@redhat.com,
        Eric Paris <eparis@parisplace.org>, serge@hallyn.com
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Jun 6, 2018 at 1:03 PM Richard Guy Briggs <rgb@redhat.com> wrote:
> Add audit container identifier auxiliary record(s) to NETFILTER_PKT
> event standalone records.  Iterate through all potential audit container
> identifiers associated with a network namespace.
>
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
>  include/linux/audit.h    |  5 +++++
>  kernel/audit.c           | 20 +++++++++++++++++++-
>  kernel/auditsc.c         |  2 ++
>  net/netfilter/xt_AUDIT.c | 12 ++++++++++--
>  4 files changed, 36 insertions(+), 3 deletions(-)

...

> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index 7e2e51c..4560a4e 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -167,6 +167,8 @@ extern int audit_log_contid(struct audit_context *context,
>  extern void audit_contid_add(struct net *net, u64 contid);
>  extern void audit_contid_del(struct net *net, u64 contid);
>  extern void audit_switch_task_namespaces(struct nsproxy *ns, struct task_struct *p);
> +extern void audit_log_contid_list(struct net *net,
> +                                struct audit_context *context);

See my comment in previous patches about changing the function name to
better indicate it's dedicate use for network namespaces.

>  extern int                 audit_update_lsm_rules(void);
>
> @@ -231,6 +233,9 @@ static inline void audit_contid_del(struct net *net, u64 contid)
>  { }
>  static inline void audit_switch_task_namespaces(struct nsproxy *ns, struct task_struct *p)
>  { }
> +static inline void audit_log_contid_list(struct net *net,
> +                                       struct audit_context *context)
> +{ }
>
>  #define audit_enabled 0
>  #endif /* CONFIG_AUDIT */
> diff --git a/kernel/audit.c b/kernel/audit.c
> index ecd2de4..8cca41a 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -382,6 +382,20 @@ void audit_switch_task_namespaces(struct nsproxy *ns, struct task_struct *p)
>                 audit_contid_add(new->net_ns, contid);
>  }
>
> +void audit_log_contid_list(struct net *net, struct audit_context *context)
> +{
> +       struct audit_contid *cont;
> +       int i = 0;
> +
> +       list_for_each_entry(cont, audit_get_contid_list(net), list) {
> +               char buf[14];
> +
> +               sprintf(buf, "net%u", i++);
> +               audit_log_contid(context, buf, cont->id);

Hmm.  It looks like this will generate multiple audit container ID
records with "op=netX contid=Y" (X=netns number, Y=audit container
ID), is that what we want?  I've mentioned my concern around the "op"
values in these records earlier in the patchset, that still applies
here, but now I'm also concerned about the multiple records.  I'm
thinking we might be better served with a single record with either
multiple "contid" fields, or a single "contid" field with a set of
comma separated values (or some other delimiter that Steve's tools
will tolerate).

Steve, thoughts?

> +       }
> +}
> +EXPORT_SYMBOL(audit_log_contid_list);
> +
>  void audit_panic(const char *message)
>  {
>         switch (audit_failure) {
> @@ -2132,17 +2146,21 @@ int audit_log_contid(struct audit_context *context,
>                               char *op, u64 contid)
>  {
>         struct audit_buffer *ab;
> +       gfp_t gfpflags;
>
>         if (!cid_valid(contid))
>                 return 0;
> +       /* We can be called in atomic context via audit_tg() */
> +       gfpflags = (in_atomic() || irqs_disabled()) ? GFP_ATOMIC : GFP_KERNEL;

See my previous comments in the earlier patches about guessing at
gfpflags; let's just add a gfpflags parameter to audit_log_contid().

>         /* Generate AUDIT_CONTAINER record with container ID */
> -       ab = audit_log_start(context, GFP_KERNEL, AUDIT_CONTAINER);
> +       ab = audit_log_start(context, gfpflags, AUDIT_CONTAINER);
>         if (!ab)
>                 return -ENOMEM;
>         audit_log_format(ab, "op=%s contid=%llu", op, contid);
>         audit_log_end(ab);
>         return 0;
>  }
> +EXPORT_SYMBOL(audit_log_contid);

Move the EXPORT_SYMBOL() to earlier in the patchset when you first
define audit_log_contid().

> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 6ab5e5e..e2a16d2 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -1015,6 +1015,7 @@ struct audit_context *audit_alloc_local(void)
>         context->in_syscall = 1;
>         return context;
>  }
> +EXPORT_SYMBOL(audit_alloc_local);

Same as above.

>  void audit_free_context(struct audit_context *context)
>  {
> @@ -1029,6 +1030,7 @@ void audit_free_context(struct audit_context *context)
>         audit_proctitle_free(context);
>         kfree(context);
>  }
> +EXPORT_SYMBOL(audit_free_context);

Same.

>  static int audit_log_pid_context(struct audit_context *context, pid_t pid,
>                                  kuid_t auid, kuid_t uid, unsigned int sessionid,
> diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
> index f368ee6..10d2707 100644
> --- a/net/netfilter/xt_AUDIT.c
> +++ b/net/netfilter/xt_AUDIT.c
> @@ -71,10 +71,13 @@ static bool audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
>  {
>         struct audit_buffer *ab;
>         int fam = -1;
> +       struct audit_context *context;
> +       struct net *net;
>
>         if (audit_enabled == 0)
> -               goto errout;
> -       ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
> +               goto out;
> +       context = audit_alloc_local();
> +       ab = audit_log_start(context, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
>         if (ab == NULL)
>                 goto errout;
>
> @@ -104,7 +107,12 @@ static bool audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
>
>         audit_log_end(ab);
>
> +       net = xt_net(par);
> +       audit_log_contid_list(net, context);
> +
>  errout:
> +       audit_free_context(context);
> +out:
>         return XT_CONTINUE;
>  }
>
> --
> 1.8.3.1
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit



--
paul moore
www.paul-moore.com