Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp27784ybv; Tue, 4 Feb 2020 15:45:25 -0800 (PST) X-Google-Smtp-Source: APXvYqyfxI9rJKH6heY1I6QUCZ2lWpGKfnHNRJeKtMmfobXwiH4IzzekisjpU2S7wIDgecOAiZsh X-Received: by 2002:a54:4e96:: with SMTP id c22mr1115308oiy.110.1580859925149; Tue, 04 Feb 2020 15:45:25 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1580859925; cv=none; d=google.com; s=arc-20160816; b=kTtJPJ2dhCI9Ln+sM5nMhskQO2kkjLWa6hdOziODiqgw3uFLC3GauikPvaysWOqLJy FqXd1UjirVppE2D8tp38XK5WGn6nZoDACPmebVXgocRJcwIfwoWR0CNcSqN81j5gT6D9 sSJLQKCSfTIhPVu/UpCDoDEGqRAKm95MqxLXyB5rbIIqCCpHXRUexf9NUxjRBpHobvD2 mE/Zym86zdtZn53cdXiABchYCMkBS0Cs7cJXam1wAwfgZIHRXCPUn+DXOgvshqkk/spO hOFWWbjuHLubp85fOG4piAYyxW1L4mAl9Ov+eAxTT6/uSQu+ZUzBg2g5/4Pxma2Pg8XA xuPA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=meSIjZ0BPANUIdkHYD3G5hsrkblgpeJ+gepMEAOzVvI=; b=PTk7dckhjohdJ2UUIjJ/7Hm9cZbHD0BEVcBuKC/bM2gr5zUQbU8NlEINgfyuw7PYbR R12ls+PTnRXgocLjgZhh+QaAa8LHAzIvINjkbilMW5QOZw72LTv+dgEy8QWfdUw+sT6v TKdFX9nK/s/T7law6EWxRIuawfjpSAJuagvKc2WJSdQOeDpFitMHrG/ozg6Hu+MUDopU JN0nVqa7RKK6q0qTs9U0TvPq3a7KybEqz1f/dKh5NsfeSBmGftaBjpFQqdcXTPsJ0B7Y xCuK2krdVyBbAYwMVVQfPYZhzIOBwYoqpnu1zzU4pNy3eSwvYOrAWeVbXRKre3lQOTft +H2A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=BKhi5bDG; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 7si9465903oix.49.2020.02.04.15.45.13; Tue, 04 Feb 2020 15:45:25 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=BKhi5bDG; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727755AbgBDXnW (ORCPT + 99 others); Tue, 4 Feb 2020 18:43:22 -0500 Received: from us-smtp-delivery-1.mimecast.com ([205.139.110.120]:57861 "EHLO us-smtp-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1727534AbgBDXnV (ORCPT ); Tue, 4 Feb 2020 18:43:21 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1580859800; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=meSIjZ0BPANUIdkHYD3G5hsrkblgpeJ+gepMEAOzVvI=; b=BKhi5bDG2mF3FHSeaxsf5MZrQaBvHFsMJqmGTfn8GeZBVsPZghZ9CD5pA3nA73JflNV6xU oevjCXGgbiMpfvnuWRYgG1knOlN4EnEzkoPTmuHjK0SfdyWnh0k5pDCYtAo0wX+r6nqgT0 x6Lz2U8Vozb+bULjwcI/rB6LEJJKo3U= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-138-9ztUGwJdM76hyVQc14z62A-1; Tue, 04 Feb 2020 18:43:17 -0500 X-MC-Unique: 9ztUGwJdM76hyVQc14z62A-1 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 83704184AEA6; Tue, 4 Feb 2020 23:43:14 +0000 (UTC) Received: from madcap2.tricolour.ca (ovpn-112-16.rdu2.redhat.com [10.10.112.16]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 5B33B5D9E2; Tue, 4 Feb 2020 23:43:01 +0000 (UTC) Date: Tue, 4 Feb 2020 18:42:58 -0500 From: Richard Guy Briggs To: Paul Moore Cc: containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List , linux-fsdevel@vger.kernel.org, LKML , netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, sgrubb@redhat.com, omosnace@redhat.com, dhowells@redhat.com, simo@redhat.com, Eric Paris , Serge Hallyn , ebiederm@xmission.com, nhorman@tuxdriver.com, Dan Walsh , mpatel@redhat.com Subject: Re: [PATCH ghak90 V8 11/16] audit: add support for containerid to network namespaces Message-ID: <20200204234258.uwaqk3s3c42fxews@madcap2.tricolour.ca> References: <2954ed671a7622ddf3abdb8854dbba2ad13e9f33.1577736799.git.rgb@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: NeoMutt/20180716 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2020-01-22 16:28, Paul Moore wrote: > On Tue, Dec 31, 2019 at 2:51 PM Richard Guy Briggs wrote: > > > > This also adds support to qualify NETFILTER_PKT records. > > > > Audit events could happen in a network namespace outside of a task > > context due to packets received from the net that trigger an auditing > > rule prior to being associated with a running task. The network > > namespace could be in use by multiple containers by association to the > > tasks in that network namespace. We still want a way to attribute > > these events to any potential containers. Keep a list per network > > namespace to track these audit container identifiiers. > > > > Add/increment the audit container identifier on: > > - initial setting of the audit container identifier via /proc > > - clone/fork call that inherits an audit container identifier > > - unshare call that inherits an audit container identifier > > - setns call that inherits an audit container identifier > > Delete/decrement the audit container identifier on: > > - an inherited audit container identifier dropped when child set > > - process exit > > - unshare call that drops a net namespace > > - setns call that drops a net namespace > > > > Add audit container identifier auxiliary record(s) to NETFILTER_PKT > > event standalone records. Iterate through all potential audit container > > identifiers associated with a network namespace. > > > > Please see the github audit kernel issue for contid net support: > > https://github.com/linux-audit/audit-kernel/issues/92 > > Please see the github audit testsuiite issue for the test case: > > https://github.com/linux-audit/audit-testsuite/issues/64 > > Please see the github audit wiki for the feature overview: > > https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID > > Signed-off-by: Richard Guy Briggs > > Acked-by: Neil Horman > > Reviewed-by: Ondrej Mosnacek > > --- > > include/linux/audit.h | 24 +++++++++ > > kernel/audit.c | 132 ++++++++++++++++++++++++++++++++++++++++++++++- > > kernel/nsproxy.c | 4 ++ > > net/netfilter/nft_log.c | 11 +++- > > net/netfilter/xt_AUDIT.c | 11 +++- > > 5 files changed, 176 insertions(+), 6 deletions(-) > > ... > > > diff --git a/include/linux/audit.h b/include/linux/audit.h > > index 5531d37a4226..ed8d5b74758d 100644 > > --- a/include/linux/audit.h > > +++ b/include/linux/audit.h > > @@ -12,6 +12,7 @@ > > #include > > #include > > #include > > +#include > > > > #define AUDIT_INO_UNSET ((unsigned long)-1) > > #define AUDIT_DEV_UNSET ((dev_t)-1) > > @@ -121,6 +122,13 @@ struct audit_task_info { > > > > extern struct audit_task_info init_struct_audit; > > > > +struct audit_contobj_netns { > > + struct list_head list; > > + u64 id; > > Since we now track audit container IDs in their own structure, why not > link directly to the audit container ID object (and bump the > refcount)? Ok, I've done this but at first I had doubts about the complexity. > > + refcount_t refcount; > > + struct rcu_head rcu; > > +}; > > + > > extern int is_audit_feature_set(int which); > > > > extern int __init audit_register_class(int class, unsigned *list); > > @@ -225,6 +233,12 @@ static inline u64 audit_get_contid(struct task_struct *tsk) > > } > > > > extern void audit_log_container_id(struct audit_context *context, u64 contid); > > +extern void audit_netns_contid_add(struct net *net, u64 contid); > > +extern void audit_netns_contid_del(struct net *net, u64 contid); > > +extern void audit_switch_task_namespaces(struct nsproxy *ns, > > + struct task_struct *p); > > +extern void audit_log_netns_contid_list(struct net *net, > > + struct audit_context *context); > > > > extern u32 audit_enabled; > > > > @@ -297,6 +311,16 @@ static inline u64 audit_get_contid(struct task_struct *tsk) > > > > static inline void audit_log_container_id(struct audit_context *context, u64 contid) > > { } > > +static inline void audit_netns_contid_add(struct net *net, u64 contid) > > +{ } > > +static inline void audit_netns_contid_del(struct net *net, u64 contid) > > +{ } > > +static inline void audit_switch_task_namespaces(struct nsproxy *ns, > > + struct task_struct *p) > > +{ } > > +static inline void audit_log_netns_contid_list(struct net *net, > > + struct audit_context *context) > > +{ } > > > > #define audit_enabled AUDIT_OFF > > > > diff --git a/kernel/audit.c b/kernel/audit.c > > index d4e6eafe5644..f7a8d3288ca0 100644 > > --- a/kernel/audit.c > > +++ b/kernel/audit.c > > @@ -59,6 +59,7 @@ > > #include > > #include > > #include > > +#include > > > > #include "audit.h" > > > > @@ -86,9 +87,13 @@ > > /** > > * struct audit_net - audit private network namespace data > > * @sk: communication socket > > + * @contid_list: audit container identifier list > > + * @contid_list_lock audit container identifier list lock > > */ > > struct audit_net { > > struct sock *sk; > > + struct list_head contid_list; > > + spinlock_t contid_list_lock; > > }; > > > > /** > > @@ -305,8 +310,11 @@ struct audit_task_info init_struct_audit = { > > void audit_free(struct task_struct *tsk) > > { > > struct audit_task_info *info = tsk->audit; > > + struct nsproxy *ns = tsk->nsproxy; > > > > audit_free_syscall(tsk); > > + if (ns) > > + audit_netns_contid_del(ns->net_ns, audit_get_contid(tsk)); > > /* Freeing the audit_task_info struct must be performed after > > * audit_log_exit() due to need for loginuid and sessionid. > > */ > > @@ -409,6 +417,120 @@ static struct sock *audit_get_sk(const struct net *net) > > return aunet->sk; > > } > > > > +void audit_netns_contid_add(struct net *net, u64 contid) > > +{ > > + struct audit_net *aunet; > > + struct list_head *contid_list; > > + struct audit_contobj_netns *cont; > > + > > + if (!net) > > + return; > > + if (!audit_contid_valid(contid)) > > + return; > > + aunet = net_generic(net, audit_net_id); > > + if (!aunet) > > + return; > > + contid_list = &aunet->contid_list; > > + rcu_read_lock(); > > + list_for_each_entry_rcu(cont, contid_list, list) > > + if (cont->id == contid) { > > + spin_lock(&aunet->contid_list_lock); > > + refcount_inc(&cont->refcount); > > + spin_unlock(&aunet->contid_list_lock); > > + goto out; > > + } > > + cont = kmalloc(sizeof(*cont), GFP_ATOMIC); > > + if (cont) { > > + INIT_LIST_HEAD(&cont->list); > > + cont->id = contid; > > + refcount_set(&cont->refcount, 1); > > + spin_lock(&aunet->contid_list_lock); > > + list_add_rcu(&cont->list, contid_list); > > + spin_unlock(&aunet->contid_list_lock); > > + } > > +out: > > + rcu_read_unlock(); > > +} > > See my comments about refcount_t, spinlocks, and list manipulation > races from earlier in the patchset; the same thing applies to the > function above. This was some of the complexity that concerned me, but switching to rcu read locks helped. In this case, since a stale list would cause an update issue and these counts aren't used or updated anywere else, switching to an int makes sense. > paul moore - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635