From: Paul Moore
Date: Thu, 10 Oct 2019 20:40:58 -0400
Subject: Re: [PATCH ghak90 V7 18/21] audit: track container nesting
To: Richard Guy Briggs
Cc: containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List, linux-fsdevel@vger.kernel.org, LKML, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, sgrubb@redhat.com, omosnace@redhat.com, dhowells@redhat.com, simo@redhat.com, Eric Paris, Serge Hallyn, ebiederm@xmission.com, nhorman@tuxdriver.com, Dan Walsh, mpatel@redhat.com
List-ID: linux-kernel@vger.kernel.org

On Wed, Sep 18, 2019 at 9:27 PM Richard Guy Briggs wrote:
> Track the parent container of a container to be able to filter and
> report nesting.
>
> Now that we have a way to track and check the parent container of a
> container, fixup other patches, or squash all nesting fixes together.
>
> fixup! audit: add container id
> fixup! audit: log drop of contid on exit of last task
> fixup! audit: log container info of syscalls
> fixup! audit: add containerid filtering
> fixup! audit: NETFILTER_PKT: record each container ID associated with a netNS
> fixup! audit: convert to contid list to check for orch/engine ownership softirq (for netfilter) audit: protect contid list lock from softirq
>
> Signed-off-by: Richard Guy Briggs
> ---
>  include/linux/audit.h |  1 +
>  kernel/audit.c        | 67 ++++++++++++++++++++++++++++++++++++++++++---------
>  kernel/audit.h        |  3 +++
>  kernel/auditfilter.c  | 20 ++++++++++++++-
>  kernel/auditsc.c      |  2 +-
>  5 files changed, 79 insertions(+), 14 deletions(-)

This is my last comment of the patchset because this is where it starts to get a little weird.

I know we've talked about fixup! patches some in the past, but perhaps I didn't do a very good job communicating my point; let me try again.

Submitting a fixup patch is okay if you've already posted a (lengthy) patchset and there was a small nit that someone uncovered that needed to be fixed prior to merging; assuming everyone (this includes the reviewer, the patch author, and the maintainer) is okay with the author posting the fix as a fixup! patch, then go for it. Done this way, fixup patches can save a lot of development, testing, and review time.

However, in my opinion it is wrong to submit a patchset that has fixup patches as part of the original posting. In this case fixup patches have the opposite effect: the patchset becomes more complicated, reviews take longer, and the likelihood of missing important details increases. When in doubt, don't submit separate fixup patches; fold them into the original patches instead.

--
paul moore
www.paul-moore.com