Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp5265146ybl; Wed, 22 Jan 2020 13:30:58 -0800 (PST) X-Google-Smtp-Source: APXvYqxyTrb10/v9T0BCnLKgu5SGXHz+6cJJminx7vH2a+bDUBUjLvIqIWVK/epWDfd3CcUZtVvm X-Received: by 2002:a54:4396:: with SMTP id u22mr8515715oiv.128.1579728658314; Wed, 22 Jan 2020 13:30:58 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1579728658; cv=none; d=google.com; s=arc-20160816; b=eXjLluYrVJ3phN1eqtDCApngEOvKZ/oFbfxxdWDjN7JPoDLMbhm7KdWLs+qQPcGcG1 0G0mi0rbv1HmEmnekIOYWcgL0YRihypJXqAM0ELkcjmG1FoMERy2tzl5Yj6SpJ5iQzA0 ZyCxnBDpzHrbx4B4Ti/bRX84ZPQND5oDUc1hwZu1dguDUWnM/0P4Coq/7Lpvoplv+i73 7+OPzQ4D7AHfQmv48s+efthrdU7Wg68MAkfGrbLsmBtDjFn1AU1dcZR2m3CgQGiLmOuF yaeiN7Y0jJiWBejmLp2/w3HkyoEOYNhsEfr9MJwZYbipoXV/2vvP3I6LuQM9DYJoalZK ODiA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=0IWzoSHaF7JN7KzmRnEKXue37+ElHpTL6tvjAuEiiiE=; b=yRI2aKwYaWErzxjvI4RwV108nYUC3qkH8js6QXnf3VdkWmueuO7c2V7ke50fPa94Vv 2I6uwZHOfIgRDJqKl4nStBcYLr0Rqgjhhup73wUUuKDusb47zagJnYKMhKF5ZoIXUykU /Xe+OUo8Rzsfcn/6gqk2CAiUb3UgjCbZAv83++3q6oQzfdjwD/2q8S1zdD5EfkwWrZEu 1b6LHBvTzYeN9ZbjxYA9nrn4WQ7rnCY+IwNG1F0f33U8E/uQwld5kpLmGhu/TTMlli5J iJj3uOW/Rm/OOi//XOwGNPijZivsemhzZiKbY9fF2R/NsRAr+5TKmBmsNLc1DknJtmMU /Ocg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=vdbmKD+y; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j16si21374049oii.57.2020.01.22.13.30.46; Wed, 22 Jan 2020 13:30:58 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=vdbmKD+y; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729352AbgAVV3U (ORCPT + 99 others); Wed, 22 Jan 2020 16:29:20 -0500 Received: from mail-lj1-f195.google.com ([209.85.208.195]:44233 "EHLO mail-lj1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729308AbgAVV3T (ORCPT ); Wed, 22 Jan 2020 16:29:19 -0500 Received: by mail-lj1-f195.google.com with SMTP id q8so680553ljj.11 for ; Wed, 22 Jan 2020 13:29:17 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=0IWzoSHaF7JN7KzmRnEKXue37+ElHpTL6tvjAuEiiiE=; b=vdbmKD+yNje7jhxOhco/lhYmf+3Q1q+XjGe74FJCrmQXQ5t6WJS+kdh6i9Krkm3ZTB zeqWO82x5b2dbahES4hr2RG0xoDgGanxYKm5yUIzlxfqnQXUOlyeGElCDg9Y2F956m+q 7kLbk3H8VsgEX4YrYWvAKFyp0xFcpC5Fr974FOn9rnivaLGIufkBpu/uJeqfZEuV1WFE eABuXY7Ss5Si7RevcqYhdcQvJRfuH38hsWHMgIpSxxvws5XSUZZim12h+5uAeW2p966k 3WcllzOlzMcPtleAH4Pm/M/kBtjWAsBD+u3/IbIpQgJo0Ocqw42SsFkzXbUoEtD7rVvM CRlQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=0IWzoSHaF7JN7KzmRnEKXue37+ElHpTL6tvjAuEiiiE=; b=KpR0Aein2TzjHNtO96xWjh2toWkFLOu2JpuA188vsj+szTDIO3tbySTv1goWnppCPC L5kTHe0f06jgvSbr/0EZqkBlk3axov8ITbrYyD0F7YhnEQbPHGB43EP03nSdQv8X0kur 3hlJgwGFqDngJIDxtxr/lW1MbU59rci2Af9a7M4iDgRdOghQTiiGc5QJ//0XZoQbb83N 3G8LI4tGTLoWZAUSZYiWiwwYN+ap8Ir4BjVivJM9DMrhTWtcn+1u7jmY41qKOaugCoEx 5DUl5bQScS+JjiuakcYsM/0ubzl0/mc7YC/reUSPIBX/Sn0d1KIr5lpV/GY7fOpssgxe PP1A== X-Gm-Message-State: APjAAAV7vGN8MJKbx7urAL10OJ4vTCtsVcLsb4zaIfcnyh74KElHq2GT uK2sBW/k9Mrwj8e9XjufxR1SrpUWAmytVmBVNdqA X-Received: by 2002:a2e:5357:: with SMTP id t23mr21086243ljd.227.1579728556739; Wed, 22 Jan 2020 13:29:16 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: Paul Moore Date: Wed, 22 Jan 2020 16:29:05 -0500 Message-ID: Subject: Re: [PATCH ghak90 V8 12/16] audit: contid check descendancy and nesting To: Richard Guy Briggs Cc: containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List , linux-fsdevel@vger.kernel.org, LKML , netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, sgrubb@redhat.com, omosnace@redhat.com, dhowells@redhat.com, simo@redhat.com, Eric Paris , Serge Hallyn , ebiederm@xmission.com, nhorman@tuxdriver.com, Dan Walsh , mpatel@redhat.com Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Dec 31, 2019 at 2:51 PM Richard Guy Briggs wrote: > > Require the target task to be a descendant of the container > orchestrator/engine. > > You would only change the audit container ID from one set or inherited > value to another if you were nesting containers. > > If changing the contid, the container orchestrator/engine must be a > descendant and not same orchestrator as the one that set it so it is not > possible to change the contid of another orchestrator's container. > > Since the task_is_descendant() function is used in YAMA and in audit, > remove the duplication and pull the function into kernel/core/sched.c > > Signed-off-by: Richard Guy Briggs > --- > include/linux/sched.h | 3 +++ > kernel/audit.c | 44 ++++++++++++++++++++++++++++++++++++-------- > kernel/sched/core.c | 33 +++++++++++++++++++++++++++++++++ > security/yama/yama_lsm.c | 33 --------------------------------- > 4 files changed, 72 insertions(+), 41 deletions(-) ... > diff --git a/kernel/audit.c b/kernel/audit.c > index f7a8d3288ca0..ef8e07524c46 100644 > --- a/kernel/audit.c > +++ b/kernel/audit.c > @@ -2603,22 +2610,43 @@ int audit_set_contid(struct task_struct *task, u64 contid) > oldcontid = audit_get_contid(task); > read_lock(&tasklist_lock); > /* Don't allow the contid to be unset */ > - if (!audit_contid_valid(contid)) > + if (!audit_contid_valid(contid)) { > rc = -EINVAL; > + goto unlock; > + } > /* Don't allow the contid to be set to the same value again */ > - else if (contid == oldcontid) { > + if (contid == oldcontid) { > rc = -EADDRINUSE; > + goto unlock; > + } > /* if we don't have caps, reject */ > - else if (!capable(CAP_AUDIT_CONTROL)) > + if (!capable(CAP_AUDIT_CONTROL)) { > rc = -EPERM; > - /* if task has children or is not single-threaded, deny */ > - else if (!list_empty(&task->children)) > + goto unlock; > + } > + /* if task has children, deny */ > + if (!list_empty(&task->children)) { > rc = -EBUSY; > - else if (!(thread_group_leader(task) && thread_group_empty(task))) > + goto unlock; > + } > + /* if task is not single-threaded, deny */ > + if (!(thread_group_leader(task) && thread_group_empty(task))) { > rc = -EALREADY; > - /* if contid is already set, deny */ > - else if (audit_contid_set(task)) > + goto unlock; > + } It seems like the if/else-if conversion above should be part of an earlier patchset. > + /* if task is not descendant, block */ > + if (task == current) { > + rc = -EBADSLT; > + goto unlock; > + } > + if (!task_is_descendant(current, task)) { > + rc = -EXDEV; > + goto unlock; > + } I understand you are trying to provide a unique error code for each failure case, but this is getting silly. Let's group the descendent checks under the same error code. > + /* only allow contid setting again if nesting */ > + if (audit_contid_set(task) && audit_contid_isowner(task)) > rc = -ECHILD; Should that be "!audit_contid_isowner()"? -- paul moore www.paul-moore.com