In-Reply-To: <56127b2a5b82f15cb0d0f040502c2e3bb6945f30.1552665316.git.rgb@redhat.com>
From: Paul Moore
Date: Mon, 1 Apr 2019 10:50:11 -0400
Subject: Re: [PATCH ghak90 V5 10/10] audit: NETFILTER_PKT: record each container ID associated with a netNS
To: Richard Guy Briggs
Cc: containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List, linux-fsdevel@vger.kernel.org, LKML, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, sgrubb@redhat.com, omosnace@redhat.com, dhowells@redhat.com, simo@redhat.com, Eric Paris, Serge Hallyn, ebiederm@xmission.com, nhorman@tuxdriver.com
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Mar 15, 2019 at 2:35 PM Richard Guy Briggs wrote:
> Add audit container identifier auxiliary record(s) to NETFILTER_PKT
> event standalone records. Iterate through all potential audit container
> identifiers associated with a network namespace.
>
> Signed-off-by: Richard Guy Briggs
> ---
> include/linux/audit.h | 5 +++++
> kernel/audit.c | 41 +++++++++++++++++++++++++++++++++++++++++
> net/netfilter/nft_log.c | 11 +++++++++--
> net/netfilter/xt_AUDIT.c | 11 +++++++++--
> 4 files changed, 64 insertions(+), 4 deletions(-)

...
> diff --git a/kernel/audit.c b/kernel/audit.c > index 7fa3194f5342..80ed323feeb5 100644 > --- a/kernel/audit.c > +++ b/kernel/audit.c > @@ -451,6 +451,47 @@ void audit_switch_task_namespaces(struct nsproxy *ns, struct task_struct *p) > audit_netns_contid_add(new->net_ns, contid); > } > > +/** > + * audit_log_netns_contid_list - List contids for the given network namespace > + * @net: the network namespace of interest > + * @context: the audit context to use > + * > + * Description: > + * Issues a CONTAINER_ID record with a CSV list of contids associated > + * with a network namespace to accompany a NETFILTER_PKT record. > + */ > +void audit_log_netns_contid_list(struct net *net, struct audit_context *context) > +{ > + struct audit_buffer *ab = NULL; > + struct audit_contid *cont; > + bool first = true; > + struct audit_net *aunet; > + > + /* Generate AUDIT_CONTAINER_ID record with container ID CSV list */ > + rcu_read_lock(); > + aunet = net_generic(net, audit_net_id); > + if (!aunet) > + goto out; > + list_for_each_entry_rcu(cont, &aunet->contid_list, list) { > + if (first) { This is borderline nit-picky, but it seems like we could get rid of "first" and just check to see if "ab" is still NULL. > + ab = audit_log_start(context, GFP_ATOMIC, > + AUDIT_CONTAINER_ID); > + if (!ab) { > + audit_log_lost("out of memory in audit_log_netns_contid_list"); > + goto out; > + } > + audit_log_format(ab, "contid="); > + } else > + audit_log_format(ab, ","); > + audit_log_format(ab, "%llu", cont->id); > + first = false; > + } > + audit_log_end(ab); > +out: > + rcu_read_unlock(); > +} > +EXPORT_SYMBOL(audit_log_netns_contid_list); -- paul moore www.paul-moore.com
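Review bot: In the loop body of audit_log_netns_contid_list() the `if (first) { ... } else` pairs a braced branch with an unbraced one, which kernel style avoids when either branch needs braces; since `ab` becomes non-NULL exactly once on the first successful iteration, the `first` flag (as the reply already notes) can be dropped in favour of `if (!ab) { ... } else { ... }`, removing both `bool first = true;` and `first = false;`. Separately, when `contid_list` is empty the loop never starts a buffer and `audit_log_end(ab)` is reached with `ab == NULL`; whether that is safe depends on audit_log_end() accepting a NULL buffer, which is not visible in this hunk, so either an explicit `if (ab)` guard (or `if (!ab) goto out;`) or a one-line comment would make the intent clear to the next reader.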