References: <20200123210240.sq64tptjm3ds7xss@madcap2.tricolour.ca>
In-Reply-To: <20200123210240.sq64tptjm3ds7xss@madcap2.tricolour.ca>
From: Paul Moore
Date: Thu, 23 Jan 2020 16:47:38 -0500
Subject: Re: [PATCH ghak90 V8 12/16] audit: contid check descendancy and nesting
To: Richard Guy Briggs
Cc: containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List, linux-fsdevel@vger.kernel.org, LKML, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, sgrubb@redhat.com, omosnace@redhat.com, dhowells@redhat.com, simo@redhat.com, Eric Paris, Serge Hallyn, ebiederm@xmission.com, nhorman@tuxdriver.com, Dan Walsh, mpatel@redhat.com
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jan 23, 2020 at 4:03 PM Richard Guy Briggs wrote:
> On 2020-01-22 16:29, Paul Moore wrote:
> > On Tue, Dec 31, 2019 at 2:51 PM Richard Guy Briggs wrote:
> > >
> > > Require the target task to be a descendant of the container
> > > orchestrator/engine.
> > >
> > > You would only change the audit container ID from one set or inherited
> > > value to another if you were nesting containers.
> > >
> > > If changing the contid, the container orchestrator/engine must be a
> > > descendant and not same orchestrator as the one that set it so it is not
> > > possible to change the contid of another orchestrator's container.
> > >
> > > Since the task_is_descendant() function is used in YAMA and in audit,
> > > remove the duplication and pull the function into kernel/core/sched.c
> > >
> > > Signed-off-by: Richard Guy Briggs
> > > ---
> > >  include/linux/sched.h    |  3 +++
> > >  kernel/audit.c           | 44 ++++++++++++++++++++++++++++++++++++--------
> > >  kernel/sched/core.c      | 33 +++++++++++++++++++++++++++++++++
> > >  security/yama/yama_lsm.c | 33 ---------------------------------
> > >  4 files changed, 72 insertions(+), 41 deletions(-)
> >
> > ...
> >
> > > diff --git a/kernel/audit.c b/kernel/audit.c
> > > index f7a8d3288ca0..ef8e07524c46 100644
> > > --- a/kernel/audit.c
> > > +++ b/kernel/audit.c > > > @@ -2603,22 +2610,43 @@ int audit_set_contid(struct task_struct *task, u64 contid) > > > oldcontid = audit_get_contid(task); > > > read_lock(&tasklist_lock); > > > /* Don't allow the contid to be unset */ > > > - if (!audit_contid_valid(contid)) > > > + if (!audit_contid_valid(contid)) { > > > rc = -EINVAL; > > > + goto unlock; > > > + } > > > /* Don't allow the contid to be set to the same value again */ > > > - else if (contid == oldcontid) { > > > + if (contid == oldcontid) { > > > rc = -EADDRINUSE; > > > + goto unlock; > > > + } > > > /* if we don't have caps, reject */ > > > - else if (!capable(CAP_AUDIT_CONTROL)) > > > + if (!capable(CAP_AUDIT_CONTROL)) { > > > rc = -EPERM; > > > - /* if task has children or is not single-threaded, deny */ > > > - else if (!list_empty(&task->children)) > > > + goto unlock; > > > + } > > > + /* if task has children, deny */ > > > + if (!list_empty(&task->children)) { > > > rc = -EBUSY; > > > - else if (!(thread_group_leader(task) && thread_group_empty(task))) > > > + goto unlock; > > > + } > > > + /* if task is not single-threaded, deny */ > > > + if (!(thread_group_leader(task) && thread_group_empty(task))) { > > > rc = -EALREADY; > > > - /* if contid is already set, deny */ > > > - else if (audit_contid_set(task)) > > > + goto unlock; > > > + }
> >
> > It seems like the if/else-if conversion above should be part of an
> > earlier patchset.
>
> I had considered that, but it wasn't obvious where that conversion
> should happen since it wasn't necessary earlier and is now. I can move
> it earlier if you feel strongly about it.

Not particularly.

-- 
paul moore
www.paul-moore.com
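Review bot: the capable(CAP_AUDIT_CONTROL) test in the audit_set_contid() hunk still sits after the "contid == oldcontid" comparison, so a writer without the capability gets -EADDRINUSE when the value it supplies equals the task's current contid and -EPERM otherwise, which confirms a guessed contid to an unprivileged caller. The order is inherited from the old else-if chain, but since this patch already rewrites the chain into early "goto unlock" exits, moving the capability check to the top (directly after read_lock(&tasklist_lock), keeping the -EINVAL input validation wherever you prefer) so that every unprivileged write fails with the same -EPERM is a cheap improvement to make here.

A userspace model of the policy stated in the commit message (target must be a descendant of the orchestrator, and a set contid may only be changed by a different, nested orchestrator) together with the check order of the quoted audit_set_contid() hunk; this is an added illustration, not the patch's or the kernel's code. struct task, has_audit_control, AUDIT_CID_UNSET and the -EXDEV placeholder errno for the descendancy failure are assumptions (the quoted hunk is cut before the real check).

```c
/* Userspace model of the contid policy in this thread; an added illustration,
 * not kernel code. task, has_audit_control, AUDIT_CID_UNSET, -EXDEV: assumed. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define AUDIT_CID_UNSET UINT64_MAX  /* stands in for audit_contid_valid() */
struct task {
    struct task *real_parent;       /* NULL for the root task */
    int nchildren;                  /* models list_empty(&task->children) */
    int nthreads;                   /* 1 == single-threaded group leader */
    uint64_t contid;
    const struct task *setter;      /* orchestrator that last set contid */
};

/* Follow real_parent links: true only if child is strictly below parent. */
bool task_is_descendant(const struct task *parent, const struct task *child)
{
    if (!parent || !child)
        return false;
    for (const struct task *t = child->real_parent; t; t = t->real_parent)
        if (t == parent)
            return true;
    return false;
}

/* Checks in the order of the quoted audit_set_contid() hunk, then the
 * descendancy rule from the commit message. Returns 0 or a negative errno. */
int check_set_contid(const struct task *orch, bool has_audit_control,
                     struct task *task, uint64_t contid)
{
    if (contid == AUDIT_CID_UNSET)      /* don't allow contid to be unset */
        return -EINVAL;
    if (contid == task->contid)         /* same value again */
        return -EADDRINUSE;
    if (!has_audit_control)             /* stands in for CAP_AUDIT_CONTROL */
        return -EPERM;
    if (task->nchildren > 0)            /* task has children */
        return -EBUSY;
    if (task->nthreads != 1)            /* not single-threaded */
        return -EALREADY;
    /* target must be below orch, and only a different (nested) orchestrator
     * may change an already-set contid; -EXDEV is a placeholder errno */
    if (!task_is_descendant(orch, task) || task->setter == orch)
        return -EXDEV;
    task->contid = contid;
    task->setter = orch;
    return 0;
}
```

Build a small constructed tree (root -> orch -> target, plus a task beside orch) in a caller to exercise the return codes; a nested orchestrator below orch can then change target's contid while orch itself cannot.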