Received: by 2002:a25:31c3:0:0:0:0:0 with SMTP id x186csp2866263ybx; Fri, 8 Nov 2019 10:27:36 -0800 (PST) X-Google-Smtp-Source: APXvYqweebQAI/3rRHfXZ4QdoGmJbuhEALQmgaUgKkiQrTBLMzLbVEZkuN7b4bwqR7pMhYrgduIS X-Received: by 2002:a17:906:a28d:: with SMTP id i13mr9902762ejz.288.1573237656414; Fri, 08 Nov 2019 10:27:36 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1573237656; cv=none; d=google.com; s=arc-20160816; b=ooBmIpuc2gAhLuj/jWjCxnzeOwAeJNnEZQDCbFWZdsAFLEifRZhYhTV2XMOceOt5aF Lmu0RcHu7stVfxcpB5XpAoc2YJHkEXHyCbUuNnTlRX6uqz1B1m1Zq2V5KVXqtPH0z7aU SWjou59EBEh2IRw1hAO0M/Ec3VjWSl1mnU2wPde7iMPFRI+aCIZDiPtZJooKJ98iLwBB 8WLBhKrwHv/Rte5qM76hccB7QpSPvFzHb9pRNP8dUfZUrH6S3fy66QuG+mzVgzh4eriO fddKAf7jVyNjXV13DmONT6flKVRCMMD/S1Ul/vw45bpQuHnKCmpAJQSPfuKCfa16HlSp f1ow== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=yfrqk4oAZSRdxNXU7NWHV3s/qknksusoqMId/97+bh8=; b=yAQ8i1VYHYPptJr290qt05STJzmBeAI3bkYAvg426F8MhodfwV46C1+So/akgXvbED 597gojgXCfITcdDVon6Z94y9T2VxptIAB7R6pzOqkcf6Nj0Xmg1OYUndI+44pXwO5KGT D2W/Z6B4ILiNeoMTsq5OUZRR4rG3OEp/lRStVYh8F7U0q/afu9YAhSV48pwuFRoK7YOO QlJ+oFNX3PyDdImLtHCesUoS2Ss18yLcEJfczzz78toIaF0vs2vq0S85sXt78ZhWAv7K EuumM3IWTVmv7yOMiijELdqbIwGFbKNwbBLaS510b2sRvzsJBKiK+HlNnO5L2NjwF3QC 91RA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=y1K0awVa; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d13si4969028edu.135.2019.11.08.10.27.08; Fri, 08 Nov 2019 10:27:36 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=y1K0awVa; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728265AbfKHS0d (ORCPT + 99 others); Fri, 8 Nov 2019 13:26:33 -0500 Received: from mail-lj1-f194.google.com ([209.85.208.194]:36045 "EHLO mail-lj1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726446AbfKHS0c (ORCPT ); Fri, 8 Nov 2019 13:26:32 -0500 Received: by mail-lj1-f194.google.com with SMTP id k15so7238769lja.3 for ; Fri, 08 Nov 2019 10:26:30 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=yfrqk4oAZSRdxNXU7NWHV3s/qknksusoqMId/97+bh8=; b=y1K0awVaPkO46sJakcQS8uKieCdS/hCTRRGdp7q5Dcku0FUI40wj7F+zld2UORzEbf t8YG8QSWNop4/suFu+5p6OBsjDlLmTswYjH/3bLUmv9AcOoVfZDeOxZjGeOYnoTXA6HQ J8aMPm2axVmOGDf5xSwuijEvUOv5sKpFh9JUyrH0Kqx/t6feWNf2IUF+xYaJPauhde4n IuGvkCufzn9sVUy4WXyW1gLblbgYB8D+aexe4RpGSB9pg3OV5iGRR2py7xDoNKIYBlIc PZTrGRMZIlhMNrWif9jD4E8iCrXApMODQRFEsPi4vx5MLLJacWWpJdjOsLxXzD9bVAd1 r26w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=yfrqk4oAZSRdxNXU7NWHV3s/qknksusoqMId/97+bh8=; b=CcOc0Auex5iJ3yRThKYTIWKWGgWaixF52Em6yCdWJYueHfupzIng5PxmjW6HnTq9rG mkVVDWLMDOESoiVxCtrmebl9V60LGQWv+JhKJw8Ob30IUlSgZjOHYG9Py6S/x9WuGWMO Ah97iqIZ2qvf/sqW2xJiypiIyDct9aBTbvEKQ/ttF7dgismKahdWWfDVTjvvpmCSS6RF IV/DSWp3pZF6Y6ahh1kme333ujwg7bsbK9l0hK89kDaDh4EoHbJEbba/JqPO5ooCT81o SoGQB9fXypna3pmQR2YY9eprBNV7a1yZ4Zl+YK0kQDdI5vvsxkJe/2yUwfTBagr2hMr5 fdUw== X-Gm-Message-State: APjAAAXspR6HfVf2UujGKycM76Sordi0grT2dTUXqHORCnsZ2deSmjIa kjya5TCyMVWqN0kKoT0xQ3snsFiDUNySiRWNyBkpcUg= X-Received: by 2002:a2e:85d5:: with SMTP id h21mr7824291ljj.243.1573237589836; Fri, 08 Nov 2019 10:26:29 -0800 (PST) MIME-Version: 1.0 References: <6fb4e270bfafef3d0477a06b0365fdcc5a5305b5.1568834524.git.rgb@redhat.com> <20191025210004.jzkenjg6jrka22ak@madcap2.tricolour.ca> In-Reply-To: <20191025210004.jzkenjg6jrka22ak@madcap2.tricolour.ca> From: Paul Moore Date: Fri, 8 Nov 2019 13:26:18 -0500 Message-ID: Subject: Re: [PATCH ghak90 V7 04/21] audit: convert to contid list to check for orch/engine ownership To: Richard Guy Briggs Cc: containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List , linux-fsdevel@vger.kernel.org, LKML , netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, sgrubb@redhat.com, omosnace@redhat.com, dhowells@redhat.com, simo@redhat.com, Eric Paris , Serge Hallyn , ebiederm@xmission.com, nhorman@tuxdriver.com, Dan Walsh , mpatel@redhat.com Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Oct 25, 2019 at 5:00 PM Richard Guy Briggs wrote: > On 2019-10-10 20:38, Paul Moore wrote: > > On Wed, Sep 18, 2019 at 9:24 PM Richard Guy Briggs wrote: > > > Store the audit container identifier in a refcounted kernel object that > > > is added to the master list of audit container identifiers. This will > > > allow multiple container orchestrators/engines to work on the same > > > machine without danger of inadvertantly re-using an existing identifier. > > > It will also allow an orchestrator to inject a process into an existing > > > container by checking if the original container owner is the one > > > injecting the task. A hash table list is used to optimize searches. > > > > > > Signed-off-by: Richard Guy Briggs > > > --- > > > include/linux/audit.h | 26 ++++++++++++++-- > > > kernel/audit.c | 86 ++++++++++++++++++++++++++++++++++++++++++++++++--- > > > kernel/audit.h | 8 +++++ > > > 3 files changed, 112 insertions(+), 8 deletions(-) > > > > One general comment before we go off into the weeds on this ... I can > > understand why you wanted to keep this patch separate from the earlier > > patches, but as we get closer to having mergeable code this should get > > folded into the previous patches. For example, there shouldn't be a > > change in audit_task_info where you change the contid field from a u64 > > to struct pointer, it should be a struct pointer from the start. > > I should have marked this patchset as RFC even though it was v7 due to a > lot of new ideas/code that was added with uncertainties needing comment > and direction. > > > It's also disappointing that idr appears to only be for 32-bit ID > > values, if we had a 64-bit idr I think we could simplify this greatly. > > Perhaps. I do still see value in letting the orchestrator choose the > value. Agreed. I was just thinking out loud that it seems like much of what we need could be a generic library mechanism similar to, but not quite like, the existing idr code. > > > diff --git a/include/linux/audit.h b/include/linux/audit.h > > > index f2e3b81f2942..e317807cdd3e 100644 > > > --- a/include/linux/audit.h > > > +++ b/include/linux/audit.h > > > @@ -95,10 +95,18 @@ struct audit_ntp_data { > > > struct audit_ntp_data {}; > > > #endif > > > > > > +struct audit_cont { > > > + struct list_head list; > > > + u64 id; > > > + struct task_struct *owner; > > > + refcount_t refcount; > > > + struct rcu_head rcu; > > > +}; > > > > It seems as though in most of the code you are using "contid", any > > reason why didn't stick with that naming scheme here, e.g. "struct > > audit_contid"? > > I was using contid to refer to the value itself and cont to refer to the > refcounted object. I find cont a bit too terse, so I'm still thinking > of changing it. Perhaps contobj? Yes, just "cont" is a bit too ambiguous considering we have both integer values and structures being passed around. Whatever you decide on, a common base with separate suffixes seems like a good idea. FWIW, I still think the "audit container ID" : "ACID" thing is kinda funny ;) > > > @@ -203,11 +211,15 @@ static inline unsigned int audit_get_sessionid(struct task_struct *tsk) > > > > > > static inline u64 audit_get_contid(struct task_struct *tsk) > > > { > > > - if (!tsk->audit) > > > + if (!tsk->audit || !tsk->audit->cont) > > > return AUDIT_CID_UNSET; > > > - return tsk->audit->contid; > > > + return tsk->audit->cont->id; > > > } > > > > Assuming for a moment that we implement an audit_contid_get() (see > > Neil's comment as well as mine below), we probably need to name this > > something different so we don't all lose our minds when we read this > > code. On the plus side we can probably preface it with an underscore > > since it is a static, in which case _audit_contid_get() might be okay, > > but I'm open to suggestions. > > I'm fine with the "_" prefix, can you point to precedent or convention? Generally kernel functions which are "special"/private/unsafe/etc. have a one, or two, underscore prefix. If you don't want to add the prefix, that's fine, but please change the name as mentioned previously. > > > @@ -231,7 +235,9 @@ int audit_alloc(struct task_struct *tsk) > > > } > > > info->loginuid = audit_get_loginuid(current); > > > info->sessionid = audit_get_sessionid(current); > > > - info->contid = audit_get_contid(current); > > > + info->cont = audit_cont(current); > > > + if (info->cont) > > > + refcount_inc(&info->cont->refcount); > > > > See the other comments about a "get" function, but I think we need a > > RCU read lock around the above, no? > > The rcu read lock is to protect the list rather than the cont object > itself, the latter of which is protected by its refcount. What protects you from info->cont going away between when you fetch the pointer via audit_cont() to when you dereference it in refcount_inc()? > > > @@ -2397,8 +2438,43 @@ int audit_set_contid(struct task_struct *task, u64 contid) > > > else if (audit_contid_set(task)) > > > rc = -ECHILD; > > > read_unlock(&tasklist_lock); > > > - if (!rc) > > > - task->audit->contid = contid; > > > + if (!rc) { > > > + struct audit_cont *oldcont = audit_cont(task); > > > > Previously we held the tasklist_lock to protect the audit container ID > > associated with the struct, should we still be holding it here? > > We held the tasklist_lock to protect access to the target task's > child/parent/thread relationships. What protects us in the case of simultaneous calls to audit_set_contid()? > > Regardless, I worry that the lock dependencies between the > > tasklist_lock and the audit_contid_list_lock are going to be tricky. > > It might be nice to document the relationship in a comment up near > > where you declare audit_contid_list_lock. > > I don't think there should be a conflict between the two. > > The contid_list_lock doesn't care if the cont object is associated to a > particular task. Please document the relationship between the two, I worry we could easily run into lockdep problems without a clearly defined ordering. > > > + struct audit_cont *cont = NULL; > > > + struct audit_cont *newcont = NULL; > > > + int h = audit_hash_contid(contid); > > > + > > > + spin_lock(&audit_contid_list_lock); > > > + list_for_each_entry_rcu(cont, &audit_contid_hash[h], list) > > > + if (cont->id == contid) { > > > + /* task injection to existing container */ > > > + if (current == cont->owner) { > > > > I understand the desire to limit a given audit container ID to the > > orchestrator that created it, but are we certain that we can track > > audit container ID "ownership" via a single instance of a task_struct? > > Are you suggesting that a task_struct representing a task may be > replaced for a specific task? I don't believe that will ever happen. > > > What happens when the orchestrator stops/restarts/crashes? Do we > > even care? > > Reap all of its containers? These were genuine questions, I'm not suggesting anything in particular, I'm just curious about how we handle an orchestrator that isn't continuously running ... is this possible? Do we care? -- paul moore www.paul-moore.com