Date: Wed, 31 Oct 2018 15:30:18 -0400
From: Richard Guy Briggs
To: Paul Moore
Cc: containers@lists.linux-foundation.org, linux-audit@redhat.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, ebiederm@xmission.com, luto@kernel.org, carlos@redhat.com, dhowells@redhat.com, viro@zeniv.linux.org.uk, simo@redhat.com, Eric Paris, Serge Hallyn
Subject: Re: [PATCH ghak90 (was ghak32) V4 09/10] audit: NETFILTER_PKT: record each container ID associated with a netNS
Message-ID: <20181031193018.67pxaxzxlbdc4lkd@madcap2.tricolour.ca>
References: <3f5edfb0d530d7f0061fe11b817b315b350b9d86.1533065887.git.rgb@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2018-10-19 19:18, Paul Moore wrote:
> On Sun, Aug 5, 2018 at 4:33 AM Richard Guy Briggs wrote:
> > Add audit container identifier auxiliary record(s) to NETFILTER_PKT > > event standalone records. Iterate through all potential audit container > > identifiers associated with a network namespace. > > > > Signed-off-by: Richard Guy Briggs > > --- > > include/linux/audit.h | 5 +++++ > > kernel/audit.c | 26 ++++++++++++++++++++++++++ > > net/netfilter/xt_AUDIT.c | 12 ++++++++++-- > > 3 files changed, 41 insertions(+), 2 deletions(-) > > ... > > > diff --git a/include/linux/audit.h b/include/linux/audit.h > > index 9a02095..8755f4d 100644 > > --- a/include/linux/audit.h > > +++ b/include/linux/audit.h
> > @@ -169,6 +169,8 @@ extern int audit_log_contid(struct audit_context *context, > > extern void audit_netns_contid_add(struct net *net, u64 contid); > > extern void audit_netns_contid_del(struct net *net, u64 contid); > > extern void audit_switch_task_namespaces(struct nsproxy *ns, struct task_struct *p); > > +extern void audit_log_netns_contid_list(struct net *net, > > + struct audit_context *context); > > > > extern int audit_update_lsm_rules(void); > > > > @@ -228,6 +230,9 @@ static inline void audit_netns_contid_del(struct net *net, u64 contid) > > { } > > static inline void audit_switch_task_namespaces(struct nsproxy *ns, struct task_struct *p) > > { } > > +static inline void audit_log_netns_contid_list(struct net *net, > > + struct audit_context *context) > > +{ } > > > > #define audit_enabled AUDIT_OFF > > #endif /* CONFIG_AUDIT */ > > diff --git a/kernel/audit.c b/kernel/audit.c > > index c5fed3b..b23711c 100644 > > --- a/kernel/audit.c > > +++ b/kernel/audit.c 
> > @@ -392,6 +392,32 @@ void audit_switch_task_namespaces(struct nsproxy *ns, struct task_struct *p) > > audit_netns_contid_add(new->net_ns, contid); > > } > > > > +void audit_log_netns_contid_list(struct net *net, struct audit_context *context) > > +{ > > + spinlock_t *lock = audit_get_netns_contid_list_lock(net); > > + struct audit_buffer *ab; > > + struct audit_contid *cont; > > + bool first = true; > > + > > + /* Generate AUDIT_CONTAINER record with container ID CSV list */ > > + ab = audit_log_start(context, GFP_ATOMIC, AUDIT_CONTAINER); > > + if (!ab) { > > + audit_log_lost("out of memory in audit_log_netns_contid_list"); > > + return; > > + } > > + audit_log_format(ab, "contid="); > > + spin_lock(lock); > > + list_for_each_entry(cont, audit_get_netns_contid_list(net), list) { > > + if (!first) > > + audit_log_format(ab, ","); > > + audit_log_format(ab, "%llu", cont->id); > > + first = false; > > + } > > + spin_unlock(lock); > > This is looking like potentially a lot of work to be doing under a > spinlock, not to mention a single spinlock that is shared across CPUs. > Considering that I expect changes to the list to be somewhat > infrequent, this might be a good candidate for a RCU based locking > scheme. Would something like this look reasonable? (This is on top of a patch to make contid list lock and unlock functions.) diff --git a/include/linux/audit.h b/include/linux/audit.h index be5d6eb..9428fc3 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -92,6 +92,7 @@ struct audit_contid { struct list_head list; u64 id; refcount_t refcount; + struct rcu_head rcu; }; extern int is_audit_feature_set(int which); diff --git a/kernel/audit.c b/kernel/audit.c index d5b58163..6f84c25 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -106,7 +106,6 @@ struct audit_net { struct sock *sk; struct list_head contid_list; - spinlock_t contid_list_lock; }; /** 
@@ -327,26 +326,6 @@ struct list_head *audit_get_netns_contid_list(const struct net *net) return &aunet->contid_list; } -static int audit_netns_contid_lock(const struct net *net) -{ - struct audit_net *aunet = net_generic(net, audit_net_id); - - if (!aunet) - return -EINVAL; - spin_lock(aunet->contid_list_lock); - return 0; -} - -static int audit_netns_contid_unlock(const struct net *net) -{ - struct audit_net *aunet = net_generic(net, audit_net_id); - - if (!aunet) - return -EINVAL; - spin_unlock(aunet->contid_list_lock); - return 0; -} - void audit_netns_contid_add(struct net *net, u64 contid) { struct list_head *contid_list = audit_get_netns_contid_list(net); @@ -354,10 +333,9 @@ void audit_netns_contid_add(struct net *net, u64 contid) if (!audit_contid_valid(contid)) return; - if (audit_netns_contid_lock(net)) - return; + rcu_read_lock(); if (!list_empty(contid_list)) - list_for_each_entry(cont, contid_list, list) + list_for_each_entry_rcu(cont, contid_list, list) if (cont->id == contid) { refcount_inc(&cont->refcount); goto out; @@ -367,10 +345,16 @@ void audit_netns_contid_add(struct net *net, u64 contid) INIT_LIST_HEAD(&cont->list); cont->id = contid; refcount_set(&cont->refcount, 1); - list_add(&cont->list, contid_list); + list_add_rcu(&cont->list, contid_list); } out: - audit_netns_contid_unlock(net); + rcu_read_unlock(); +} + +audit_free_contid_rcu(struct rcu_head *head) { + struct audit_contid *contid = container_of(head, struct audit_contid, rcu); + + kfree(contid); } void audit_netns_contid_del(struct net *net, u64 contid) 
@@ -380,17 +364,16 @@ void audit_netns_contid_del(struct net *net, u64 contid) if (!audit_contid_valid(contid)) return; - if (audit_netns_contid_lock(net)) - return; + rcu_read_lock(); if (!list_empty(contid_list)) - list_for_each_entry(cont, contid_list, list) + list_for_each_entry_rcu(cont, contid_list, list) if (cont->id == contid) { - list_del(&cont->list); + list_del_rcu(&cont->list); if (refcount_dec_and_test(&cont->refcount)) - kfree(cont); + call_rcu(&cont->rcu, audit_free_contid_rcu); break; } - audit_netns_contid_unlock(net); + rcu_read_unlock(); } void audit_switch_task_namespaces(struct nsproxy *ns, struct task_struct *p) @@ -418,15 +401,14 @@ void audit_log_netns_contid_list(struct net *net, struct audit_context *context) return; } audit_log_format(ab, "ref=net contid="); - if (audit_netns_contid_lock(net)) - return; - list_for_each_entry(cont, audit_get_netns_contid_list(net), list) { + rcu_read_lock(); + list_for_each_entry_rcu(cont, audit_get_netns_contid_list(net), list) { if (!first) audit_log_format(ab, ","); audit_log_format(ab, "%llu", cont->id); first = false; } - audit_netns_contid_unlock(net); + rcu_read_unlock(); audit_log_end(ab); } EXPORT_SYMBOL(audit_log_netns_contid_list); @@ -1674,7 +1656,6 @@ static int __net_init audit_net_init(struct net *net) .flags = NL_CFG_F_NONROOT_RECV, .groups = AUDIT_NLGRP_MAX, }; - struct audit_net *aunet = net_generic(net, audit_net_id); aunet->sk = netlink_kernel_create(net, NETLINK_AUDIT, &cfg); @@ -1684,8 +1665,6 @@ static int __net_init audit_net_init(struct net *net) } aunet->sk->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT; INIT_LIST_HEAD(&aunet->contid_list); - spin_lock_init(&aunet->contid_list_lock); - return 0; } > > > + audit_log_end(ab); > > +} > > +EXPORT_SYMBOL(audit_log_netns_contid_list); > > > > void audit_panic(const char *message) > > { > > switch (audit_failure) { > > diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c > > index af883f1..44fac3f 100644 
> > --- a/net/netfilter/xt_AUDIT.c > > +++ b/net/netfilter/xt_AUDIT.c > > @@ -71,10 +71,13 @@ static bool audit_ip6(struct audit_buffer *ab, struct sk_buff *skb) > > { > > struct audit_buffer *ab; > > int fam = -1; > > + struct audit_context *context; > > + struct net *net; > > > > if (audit_enabled == AUDIT_OFF) > > - goto errout; > > - ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT); > > + goto out; > > + context = audit_alloc_local(GFP_ATOMIC); > > + ab = audit_log_start(context, GFP_ATOMIC, AUDIT_NETFILTER_PKT); > > if (ab == NULL) > > goto errout; > > > > @@ -104,7 +107,12 @@ static bool audit_ip6(struct audit_buffer *ab, struct sk_buff *skb) > > > > audit_log_end(ab); > > > > + net = xt_net(par); > > + audit_log_netns_contid_list(net, context); > > + > > errout: > > + audit_free_context(context); > > +out: > > return XT_CONTINUE; > > } > > > > -- > paul moore > www.paul-moore.com

- RGB

--
Richard Guy Briggs
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
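Review bot: in the quoted xt_AUDIT.c hunk, `context = audit_alloc_local(GFP_ATOMIC)` is never checked for NULL. If the allocation fails, audit_log_start(NULL, ...) still emits the NETFILTER_PKT record as a standalone event, and audit_log_netns_contid_list(net, NULL) then emits the container record under its own serial number, so the two can no longer be correlated; audit_free_context(context) is also reached on the errout path with that NULL pointer. Either treat a NULL context as a failure (audit_log_lost() and goto out) or skip the container record when context is NULL, and confirm audit_free_context() tolerates NULL.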
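The two records this patch produces share one audit context, and so one serial number, which is what lets a consumer tie the contid list back to the packet. As an added example (written here, not code from the patch or from the kernel's audit userspace), the C program below parses a few constructed audit records and joins each CONTAINER record to its NETFILTER_PKT event by serial. The record type names NETFILTER_PKT and CONTAINER, the field layout, and the sample lines are assumptions modelled on the `ref=net contid=` format in the patch, not captured output.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CONTIDS 16
#define MAX_EVENTS  8

/* One NETFILTER_PKT event with the container IDs joined from its
 * companion CONTAINER record (same audit serial). */
struct nf_event {
    unsigned long serial;
    char saddr[64];
    char daddr[64];
    unsigned long long contid[MAX_CONTIDS];
    int ncontid;
};

/* Constructed sample records (assumed layout, not real audit output):
 * one packet from a netns shared by two containers, one from a netns
 * with no container ID, each followed by its CONTAINER record. */
static const char *const sample_records[] = {
    "type=NETFILTER_PKT msg=audit(1541014300.991:1001): mark=0x0 saddr=10.0.0.5 daddr=10.0.0.9 proto=6",
    "type=CONTAINER msg=audit(1541014300.991:1001): ref=net contid=123456,789012",
    "type=NETFILTER_PKT msg=audit(1541014301.002:1002): mark=0x0 saddr=10.0.0.7 daddr=10.0.0.9 proto=17",
    "type=CONTAINER msg=audit(1541014301.002:1002): ref=net contid=",
};
#define NSAMPLE (sizeof sample_records / sizeof sample_records[0])

/* Serial number from "msg=audit(SECS.MSECS:SERIAL):"; 0 if absent. */
static unsigned long parse_serial(const char *line)
{
    const char *p = strstr(line, "msg=audit(");
    if (!p)
        return 0;
    p = strchr(p, ':');
    if (!p)
        return 0;
    return strtoul(p + 1, NULL, 10);
}

/* Copy the value of "key=" (up to the next space) into out; 1 if found. */
static int field(const char *line, const char *key, char *out, size_t outlen)
{
    const char *p = strstr(line, key);
    size_t n;

    if (!p)
        return 0;
    p += strlen(key);
    n = strcspn(p, " \n");
    if (n >= outlen)
        n = outlen - 1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Split the CSV "contid=" list into ev->contid; an empty value gives 0. */
static int parse_contids(const char *line, struct nf_event *ev)
{
    char buf[256];
    char *save, *tok;

    ev->ncontid = 0;
    if (!field(line, "contid=", buf, sizeof buf))
        return 0;
    for (tok = strtok_r(buf, ",", &save); tok && ev->ncontid < MAX_CONTIDS;
         tok = strtok_r(NULL, ",", &save))
        ev->contid[ev->ncontid++] = strtoull(tok, NULL, 10);
    return ev->ncontid;
}

/* Join: every NETFILTER_PKT record opens an event; a CONTAINER record is
 * attached to the event carrying the same serial. Returns the event count. */
static int join_records(const char *const *lines, size_t nlines,
                        struct nf_event *out, int maxout)
{
    int n = 0;

    for (size_t i = 0; i < nlines; i++) {
        unsigned long serial = parse_serial(lines[i]);

        if (strncmp(lines[i], "type=NETFILTER_PKT ", 19) == 0) {
            if (n == maxout)
                break;
            memset(&out[n], 0, sizeof out[n]);
            out[n].serial = serial;
            field(lines[i], "saddr=", out[n].saddr, sizeof out[n].saddr);
            field(lines[i], "daddr=", out[n].daddr, sizeof out[n].daddr);
            n++;
        } else if (strncmp(lines[i], "type=CONTAINER ", 15) == 0) {
            for (int j = 0; j < n; j++) {
                if (out[j].serial == serial) {
                    parse_contids(lines[i], &out[j]);
                    break;
                }
            }
        }
    }
    return n;
}

int main(void)
{
    struct nf_event ev[MAX_EVENTS];
    int n = join_records(sample_records, NSAMPLE, ev, MAX_EVENTS);

    for (int i = 0; i < n; i++) {
        printf("serial=%lu %s -> %s contids:", ev[i].serial, ev[i].saddr, ev[i].daddr);
        if (ev[i].ncontid == 0)
            printf(" (none)");
        for (int k = 0; k < ev[i].ncontid; k++)
            printf(" %llu", ev[i].contid[k]);
        printf("\n");
    }
    return 0;
}
```

The join is keyed on the serial alone because that is the only thing the patch guarantees the two records share; a record emitted with a NULL context would get its own serial and simply not match, which is the failure mode worth watching for in real logs.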