Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp1498874yba; Tue, 2 Apr 2019 09:58:37 -0700 (PDT) X-Google-Smtp-Source: APXvYqyhaZ0J/25BLfWVt+TRy+Ws5nwi3W//VvYPV5dQ2WNQcsdkc7XjkqPzJ7lVqBTqkxagtCQE X-Received: by 2002:a17:902:7d81:: with SMTP id a1mr64570996plm.202.1554224317540; Tue, 02 Apr 2019 09:58:37 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1554224317; cv=none; d=google.com; s=arc-20160816; b=D/N9o6Kw+o1D6ik/dZDwTVCFopaZlvNoD1ugMKntuqU5AbxZ6kh8eKzKCLr28Qol0q D1vhDiV6IhX9dURCK0Rnnf1Ow1EU+4BnnnYWsSuH6FHR3gJyAO0IVUW5iqL0ZvPNnn/I hZNSE4hzBuxRdPECPokj22MOZ+O4wofcIdu40qFaGR5Fa83cfbjZXYn156rbDnV80Ukf YqoytkarlireY+g2EZuHa3mDIXpRdvyPT41M6o9RsBIa2f14KMI1G4gFr9LouIY/f2yR JeUMFIzIvJcgQKalDzbum7W3Zl+gQo+XKuQ29kspecCVns5mscaP3HsFjHX+67RcmLzB Q7Cg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=6w4zuMPiFqfMyhrm85/gCLe5OpX4LYxMIVRhZmqm0cA=; b=IehpXc/2SEIiokojoyvDpkreH+n41F3Y7hiRoMGUYoDupMtXDZCKwjTViDwO8SVflu yTzf1dzn88DouhmjEqD2pu+713jz13e/OA5Gk4fPWGv4RT4Ru2grShuPZoV/ax7q9TVT d1ZjjcNcFIMa9BTkjS5xNQIxPsYjbzaDsfqebkZqoLMt+/DTl1A73NmB2Gl3YiXRq72S OIR5M5RrAWTWC4EimGK4KhRGZyOZb+vKXUICku6voHantpkaE/PLPIk9JASsrxz8uuim +aU4reMNTl1J0RgtdMOmMb8vOM3pOy5G7sPyBC9pS/UxRjew2OdoUOSqp9QDhKpUh2+s q94A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 136si11740101pfc.170.2019.04.02.09.58.22; Tue, 02 Apr 2019 09:58:37 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731100AbfDBO3T (ORCPT + 99 others); Tue, 2 Apr 2019 10:29:19 -0400 Received: from charlotte.tuxdriver.com ([70.61.120.58]:55506 "EHLO smtp.tuxdriver.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725778AbfDBO3S (ORCPT ); Tue, 2 Apr 2019 10:29:18 -0400 Received: from cpe-2606-a000-111b-405a-9816-2c85-c514-8f7a.dyn6.twc.com ([2606:a000:111b:405a:9816:2c85:c514:8f7a] helo=localhost) by smtp.tuxdriver.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.63) (envelope-from ) id 1hBKPT-0005ya-LZ; Tue, 02 Apr 2019 10:29:10 -0400 Date: Tue, 2 Apr 2019 10:28:39 -0400 From: Neil Horman To: Paul Moore Cc: Richard Guy Briggs , containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List , linux-fsdevel@vger.kernel.org, LKML , netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, sgrubb@redhat.com, omosnace@redhat.com, dhowells@redhat.com, simo@redhat.com, Eric Paris , Serge Hallyn , ebiederm@xmission.com Subject: Re: [PATCH ghak90 V5 09/10] audit: add support for containerid to network namespaces Message-ID: <20190402142839.GC17593@hmswarspite.think-freely.org> References: <27473c84a274c64871cfa8e3636deaf05603c978.1552665316.git.rgb@redhat.com> <20190402113150.GA17593@hmswarspite.think-freely.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.11.3 (2019-02-01) X-Spam-Score: -2.9 (--) X-Spam-Status: No Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Apr 02, 2019 at 09:31:49AM -0400, Paul Moore wrote: > On Tue, Apr 2, 2019 at 7:32 AM Neil Horman wrote: > > On Mon, Apr 01, 2019 at 10:50:03AM -0400, Paul Moore wrote: > > > On Fri, Mar 15, 2019 at 2:35 PM Richard Guy Briggs wrote: > > > > Audit events could happen in a network namespace outside of a task > > > > context due to packets received from the net that trigger an auditing > > > > rule prior to being associated with a running task. The network > > > > namespace could be in use by multiple containers by association to the > > > > tasks in that network namespace. We still want a way to attribute > > > > these events to any potential containers. Keep a list per network > > > > namespace to track these audit container identifiiers. > > > > > > > > Add/increment the audit container identifier on: > > > > - initial setting of the audit container identifier via /proc > > > > - clone/fork call that inherits an audit container identifier > > > > - unshare call that inherits an audit container identifier > > > > - setns call that inherits an audit container identifier > > > > Delete/decrement the audit container identifier on: > > > > - an inherited audit container identifier dropped when child set > > > > - process exit > > > > - unshare call that drops a net namespace > > > > - setns call that drops a net namespace > > > > > > > > See: https://github.com/linux-audit/audit-kernel/issues/92 > > > > See: https://github.com/linux-audit/audit-testsuite/issues/64 > > > > See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID > > > > Signed-off-by: Richard Guy Briggs > > > > --- > > > > include/linux/audit.h | 19 ++++++++++++ > > > > kernel/audit.c | 86 +++++++++++++++++++++++++++++++++++++++++++++++++-- > > > > kernel/nsproxy.c | 4 +++ > > > > 3 files changed, 106 insertions(+), 3 deletions(-) > > > > > > ... > > > > > > > diff --git a/kernel/audit.c b/kernel/audit.c > > > > index cf448599ef34..7fa3194f5342 100644 > > > > --- a/kernel/audit.c > > > > +++ b/kernel/audit.c > > > > @@ -72,6 +72,7 @@ > > > > #include > > > > #include > > > > #include > > > > +#include > > > > > > > > #include "audit.h" > > > > > > > > @@ -99,9 +100,13 @@ > > > > /** > > > > * struct audit_net - audit private network namespace data > > > > * @sk: communication socket > > > > + * @contid_list: audit container identifier list > > > > + * @contid_list_lock audit container identifier list lock > > > > */ > > > > struct audit_net { > > > > struct sock *sk; > > > > + struct list_head contid_list; > > > > + spinlock_t contid_list_lock; > > > > }; > > > > > > > > /** > > > > @@ -275,8 +280,11 @@ struct audit_task_info init_struct_audit = { > > > > void audit_free(struct task_struct *tsk) > > > > { > > > > struct audit_task_info *info = tsk->audit; > > > > + struct nsproxy *ns = tsk->nsproxy; > > > > > > > > audit_free_syscall(tsk); > > > > + if (ns) > > > > + audit_netns_contid_del(ns->net_ns, audit_get_contid(tsk)); > > > > /* Freeing the audit_task_info struct must be performed after > > > > * audit_log_exit() due to need for loginuid and sessionid. > > > > */ > > > > @@ -376,6 +384,73 @@ static struct sock *audit_get_sk(const struct net *net) > > > > return aunet->sk; > > > > } > > > > > > > > +void audit_netns_contid_add(struct net *net, u64 contid) > > > > +{ > > > > + struct audit_net *aunet = net_generic(net, audit_net_id); > > > > + struct list_head *contid_list = &aunet->contid_list; > > > > + struct audit_contid *cont; > > > > + > > > > + if (!audit_contid_valid(contid)) > > > > + return; > > > > + if (!aunet) > > > > + return; > > > > > > We should move the contid_list assignment below this check, or decide > > > that aunet is always going to valid (?) and get rid of this check > > > completely. > > > > > I'm not sure why that would be needed. Finding the net_id list is an operation > > of a map relating net namespaces to lists, not contids to lists. We could do > > it, sure, but since they're unrelated operations, I don't think we experience > > any slowdowns from doing it this way. > > In the first line of the function, when aunet is declared, it is also > assigned a value using net_generic(): > > struct audit_net *aunet = net_generic(net, audit_net_id); > > Later in the function there is check to see if aunet is NULL, yet on > the second line of the function (before the NULL check), there is this > line of code: > > struct list_head *contid_list = &aunet->contid_list; > > ... which could result in the dereference of a NULL pointer if aunet > is NULL. My suggestion was either to move this assignment below the > aunet-NULL check or decide that aunet was always going to be valid > (e.g. non-NULL) and do away with the aunet-NULL check completely. > Richard has since replied that the aunet-NULL check has been > demonstrated to be necessary so the proper thing to do would be to > move the assignment. I believe that is what Richard is planning on > doing. > oh, I'm sorry, you're right, I was looking at the contid tests not the list tests. Neil > > > > + if (cont) { > > > > + INIT_LIST_HEAD(&cont->list); > > > > > > Unless there is some guidance that INIT_LIST_HEAD() should be used > > > regardless, you shouldn't need to call this here since list_add_rcu() > > > will take care of any list.h related initialization. > > > > There is a corner case that needs it. list_add_rcu has a check that gets > > called, __list_add_valid. Its a noop in the regular case, but if > > CONFIG_DEBUG_LIST is defined, its a check to ensure that the next and prev > > pointers getting passed in aren't set to detectable corrupt values. If we pass > > in garbage, we can get transient false positives on that check, so we need to > > set the list pointers to known good values before hand, either by using kzalloc, > > or INIT_LIST_HEAD, as has been done here. Given that we expressly set every > > field of this structure, I think this is the right approach, as it uses the list > > macro to expressly set the list values to their proper state. > > Good to know, thanks. > > -- > paul moore > www.paul-moore.com >