Received: by 2002:a5b:505:0:0:0:0:0 with SMTP id o5csp260024ybp; Thu, 10 Oct 2019 17:41:35 -0700 (PDT) X-Google-Smtp-Source: APXvYqw35SNbczBxy2Yq0rQaovEaUYJA9z2wT3oKHHJ4yndLccLlzHwBWvMhKO5D7UYzO7wtox/Z X-Received: by 2002:aa7:c301:: with SMTP id l1mr10848126edq.281.1570754495240; Thu, 10 Oct 2019 17:41:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1570754495; cv=none; d=google.com; s=arc-20160816; b=K+cHSGoCNGFeKwtYaea/YkyW1dn9Dz1gLAMOdbosJjegFM2w4G7UfYakoGwZXkkz8N KzCsLswjLWtL6zyzKunja27iz1CUw+K0BHAnRFaCK7qZvj5mboIeTIFX8FjRyKPOPPfH GBgYFj2byrYELWT80B2fS1gVm9N5yAlmkYojsTmmXQkadghbgv196rt7dzqP26CHAIJu cVQl+VaVQPFCCdmhAlKHBPPyKKXMV/PSJj2Scgs/dxW4zry5/qjN0Byk9EjWGfzDu9AM KxcQreQRONpM90nlHUpdR1Cd3v7ess1+zv7NE5Z0edGMxufZulGQDgjfHvHDAC8Nhv+W 7Mtg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=WruOl9m8rjj6B/eISV7ZrAuuDk2P1Av0bY+CVqaL58Q=; b=hj2jo1IfPUGimKVs6DJgWp8iyTw/N1da9x4jFqsclkSzLRMZa/56mUjB1b7TRL0I0T Yho+xQTa66U4QqmIzXRRsXAAGxYIJzQbUMKDsg3ZAmB9kRFI1SQnrMAorHEjIXA1YS0j 0GROd1m2kDwkXh9mAX/IYXXlqJ+tU222QNLik4uvBqiSj5cMaJ7S9jdXDUfi/ikzn2vT JAnMkvG/eNwPnRarqaT2GBWOwUfGZH/DyQd0Vt+K9pbrKFmlFosjsSYy/uvy9p1OLPao GPKre+gbeZpOKmot7jgewiJj7p+UgoBfy2mRdLREyJM7JML7zG34IULQiQjXAsHu/EFo wUsw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=V4Xxbr0U; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z6si4037109edx.139.2019.10.10.17.41.11; Thu, 10 Oct 2019 17:41:35 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=V4Xxbr0U; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728022AbfJKAkR (ORCPT + 99 others); Thu, 10 Oct 2019 20:40:17 -0400 Received: from mail-lf1-f67.google.com ([209.85.167.67]:43450 "EHLO mail-lf1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728005AbfJKAkQ (ORCPT ); Thu, 10 Oct 2019 20:40:16 -0400 Received: by mail-lf1-f67.google.com with SMTP id u3so5722444lfl.10 for ; Thu, 10 Oct 2019 17:40:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=WruOl9m8rjj6B/eISV7ZrAuuDk2P1Av0bY+CVqaL58Q=; b=V4Xxbr0U3eWT6U16YQ3PdgJXfFSijS5xRPN5nuMN6zDdNiLlA8dHWQaXw0Yzr3J0GG jRh9YIrZ+DWce+KF5cgww4hLWK47rxojTThwR/zgSvMLAFygAJZkWRqj2iX38L3KwI8a 8I1WdUsdx/j6CuBhFGYvw5LMxUP/iOf/nOVB405Wnz4NBTkrngUoYzEwv5G2EC8sUbzW 8umuXVw1jEwxdYwwQY1tM0o6fLNk5h+gKKD1b6UGgzKcpmc1HiwzfF7qiFKwl/7qqXWI JgymE+NEGRdwv29QW/erS6VgnlAN5h0RSuumHCtPnB4wHvJox9JrE8jqfIDTC0rUqT73 QlDQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=WruOl9m8rjj6B/eISV7ZrAuuDk2P1Av0bY+CVqaL58Q=; b=HGy8xUiGElZDU3IrEu1GmZpiHla/OZIlh4A/thr4cnQE3ls8kKv4Yi76H1Er68HF5V YPM9jPWENHbSOtfIrF/45HigdI3+d+mZs48Ti7TrphyehwIV0W11GusRcv5Svp32gXW3 NqNua2OVxS6H1wC8ky03MiXsY3lvn1SinSXDJWbKt56ZrOvoDoruCY0jZLwGbgebvNDr eZlLbz+PCLPdhjMdz7BRRKQ39Etr99KTZ8mRCIPHJGUkJXepWEFOnGFTBdcbXWWEbY0m T3kGpYEmdFk4py0dMltO5w1dl8SL8VeefW2aNjNQGtkIuNfVSQAhBmN6xl8RvBYZTJdV TAoQ== X-Gm-Message-State: APjAAAWjk6XXGkVn4NeKIaWyj5dYvo9B7BGxeXwHnusvB5V+h3l5S36B oXgNl1iI4ogjZrie5zEbFbhjrjvD1Bepe8AcjENl X-Received: by 2002:ac2:51b6:: with SMTP id f22mr7273869lfk.175.1570754414142; Thu, 10 Oct 2019 17:40:14 -0700 (PDT) MIME-Version: 1.0 References: <16abf1b2aafeb5f1b8dae20b9a4836e54f959ca5.1568834524.git.rgb@redhat.com> In-Reply-To: <16abf1b2aafeb5f1b8dae20b9a4836e54f959ca5.1568834524.git.rgb@redhat.com> From: Paul Moore Date: Thu, 10 Oct 2019 20:40:03 -0400 Message-ID: Subject: Re: [PATCH ghak90 V7 14/21] audit: contid check descendancy and nesting To: Richard Guy Briggs Cc: containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List , linux-fsdevel@vger.kernel.org, LKML , netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, sgrubb@redhat.com, omosnace@redhat.com, dhowells@redhat.com, simo@redhat.com, Eric Paris , Serge Hallyn , ebiederm@xmission.com, nhorman@tuxdriver.com, Dan Walsh , mpatel@redhat.com Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Sep 18, 2019 at 9:26 PM Richard Guy Briggs wrote: > ?fixup! audit: convert to contid list to check for orch/engine ownership ? > Require the target task to be a descendant of the container > orchestrator/engine. > > You would only change the audit container ID from one set or inherited > value to another if you were nesting containers. > > If changing the contid, the container orchestrator/engine must be a > descendant and not same orchestrator as the one that set it so it is not > possible to change the contid of another orchestrator's container. Did you mean to say that the container orchestrator must be an ancestor of the target, and the same orchestrator as the one that set the target process' audit container ID? Or maybe I'm missing something about what you are trying to do? > Signed-off-by: Richard Guy Briggs > --- > kernel/audit.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++------- > 1 file changed, 62 insertions(+), 8 deletions(-) > > diff --git a/kernel/audit.c b/kernel/audit.c > index 9ce7a1ec7a92..69fe1e9af7cb 100644 > --- a/kernel/audit.c > +++ b/kernel/audit.c > @@ -2560,6 +2560,39 @@ static struct task_struct *audit_cont_owner(struct task_struct *tsk) > } > > /* > + * task_is_descendant - walk up a process family tree looking for a match > + * @parent: the process to compare against while walking up from child > + * @child: the process to start from while looking upwards for parent > + * > + * Returns 1 if child is a descendant of parent, 0 if not. > + */ > +static int task_is_descendant(struct task_struct *parent, > + struct task_struct *child) > +{ > + int rc = 0; > + struct task_struct *walker = child; > + > + if (!parent || !child) > + return 0; > + > + rcu_read_lock(); > + if (!thread_group_leader(parent)) > + parent = rcu_dereference(parent->group_leader); > + while (walker->pid > 0) { > + if (!thread_group_leader(walker)) > + walker = rcu_dereference(walker->group_leader); > + if (walker == parent) { > + rc = 1; > + break; > + } > + walker = rcu_dereference(walker->real_parent); > + } > + rcu_read_unlock(); > + > + return rc; > +} > + > +/* > * audit_set_contid - set current task's audit contid > * @task: target task > * @contid: contid value > @@ -2587,22 +2620,43 @@ int audit_set_contid(struct task_struct *task, u64 contid) > oldcontid = audit_get_contid(task); > read_lock(&tasklist_lock); > /* Don't allow the contid to be unset */ > - if (!audit_contid_valid(contid)) > + if (!audit_contid_valid(contid)) { > rc = -EINVAL; > + goto unlock; > + } > /* Don't allow the contid to be set to the same value again */ > - else if (contid == oldcontid) { > + if (contid == oldcontid) { > rc = -EADDRINUSE; > + goto unlock; > + } > /* if we don't have caps, reject */ > - else if (!capable(CAP_AUDIT_CONTROL)) > + if (!capable(CAP_AUDIT_CONTROL)) { > rc = -EPERM; > - /* if task has children or is not single-threaded, deny */ > - else if (!list_empty(&task->children)) > + goto unlock; > + } > + /* if task has children, deny */ > + if (!list_empty(&task->children)) { > rc = -EBUSY; > - else if (!(thread_group_leader(task) && thread_group_empty(task))) > + goto unlock; > + } > + /* if task is not single-threaded, deny */ > + if (!(thread_group_leader(task) && thread_group_empty(task))) { > rc = -EALREADY; > - /* if contid is already set, deny */ > - else if (audit_contid_set(task)) > + goto unlock; > + } > + /* if task is not descendant, block */ > + if (task == current) { > + rc = -EBADSLT; > + goto unlock; > + } > + if (!task_is_descendant(current, task)) { > + rc = -EXDEV; > + goto unlock; > + } > + /* only allow contid setting again if nesting */ > + if (audit_contid_set(task) && current == audit_cont_owner(task)) > rc = -ECHILD; > +unlock: > read_unlock(&tasklist_lock); > if (!rc) { > struct audit_cont *oldcont = audit_cont(task); -- paul moore www.paul-moore.com