References: <2954ed671a7622ddf3abdb8854dbba2ad13e9f33.1577736799.git.rgb@redhat.com> <20200204234258.uwaqk3s3c42fxews@madcap2.tricolour.ca>
In-Reply-To: <20200204234258.uwaqk3s3c42fxews@madcap2.tricolour.ca>
From: Paul Moore
Date: Wed, 5 Feb 2020 17:51:30 -0500
Subject: Re: [PATCH ghak90 V8 11/16] audit: add support for containerid to network namespaces
To: Richard Guy Briggs
Cc: containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List, linux-fsdevel@vger.kernel.org, LKML, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, sgrubb@redhat.com, omosnace@redhat.com, dhowells@redhat.com, simo@redhat.com, Eric Paris, Serge Hallyn, ebiederm@xmission.com, nhorman@tuxdriver.com, Dan Walsh, mpatel@redhat.com
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Feb 4, 2020 at 6:43 PM Richard Guy Briggs wrote:
> On 2020-01-22 16:28, Paul Moore wrote:
> > On Tue, Dec 31, 2019 at 2:51 PM Richard Guy Briggs wrote:
> > >
> > > This also adds support to qualify NETFILTER_PKT records.
> > >
> > > Audit events could happen in a network namespace outside of a task
> > > context due to packets received from the net that trigger an auditing
> > > rule prior to being associated with a running task. The network
> > > namespace could be in use by multiple containers by association to the
> > > tasks in that network namespace. We still want a way to attribute
> > > these events to any potential containers. Keep a list per network
> > > namespace to track these audit container identifiers.
> > >
> > > Add/increment the audit container identifier on:
> > > - initial setting of the audit container identifier via /proc
> > > - clone/fork call that inherits an audit container identifier
> > > - unshare call that inherits an audit container identifier
> > > - setns call that inherits an audit container identifier
> > > Delete/decrement the audit container identifier on:
> > > - an inherited audit container identifier dropped when child set
> > > - process exit
> > > - unshare call that drops a net namespace
> > > - setns call that drops a net namespace
> > >
> > > Add audit container identifier auxiliary record(s) to NETFILTER_PKT
> > > event standalone records. Iterate through all potential audit container
> > > identifiers associated with a network namespace.
> > >
> > > Please see the github audit kernel issue for contid net support:
> > > https://github.com/linux-audit/audit-kernel/issues/92
> > > Please see the github audit testsuite issue for the test case:
> > > https://github.com/linux-audit/audit-testsuite/issues/64
> > > Please see the github audit wiki for the feature overview:
> > > https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
> > >
> > > Signed-off-by: Richard Guy Briggs
> > > Acked-by: Neil Horman
> > > Reviewed-by: Ondrej Mosnacek
> > > ---
> > > include/linux/audit.h | 24 +++++++++
> > > kernel/audit.c | 132 ++++++++++++++++++++++++++++++++++++++++++++++-
> > > kernel/nsproxy.c | 4 ++
> > > net/netfilter/nft_log.c | 11 +++-
> > > net/netfilter/xt_AUDIT.c | 11 +++-
> > > 5 files changed, 176 insertions(+), 6 deletions(-)
> >
> > ...
> >
> > > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > > index 5531d37a4226..ed8d5b74758d 100644
> > > --- a/include/linux/audit.h
> > > +++ b/include/linux/audit.h
> > > @@ -12,6 +12,7 @@
> > > #include
> > > #include
> > > #include
> > > +#include
> > >
> > > #define AUDIT_INO_UNSET ((unsigned long)-1)
> > > #define AUDIT_DEV_UNSET ((dev_t)-1)
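Review bot: the header name on the added `+#include` line in the `@@ -12,6 +12,7 @@` hunk did not survive extraction, so the new dependency this introduces into include/linux/audit.h cannot be checked from this copy of the patch. Because audit.h is compiled into a large part of the tree, whichever header it is should be the smallest one that provides what the new declarations need (the only new type visible in the quoted patch, `struct audit_contobj_netns`, needs `struct list_head`), rather than a broader header that every audit.h user then pays for.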
> > > @@ -121,6 +122,13 @@ struct audit_task_info {
> > >
> > > extern struct audit_task_info init_struct_audit;
> > >
> > > +struct audit_contobj_netns {
> > > + struct list_head list;
> > > + u64 id;
> >
> > Since we now track audit container IDs in their own structure, why not
> > link directly to the audit container ID object (and bump the
> > refcount)?
>
> Ok, I've done this but at first I had doubts about the complexity.

Yes, it will be more complex, but it should be much safer.

-- 
paul moore
www.paul-moore.com
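Review bot: `struct audit_contobj_netns` in the `@@ -121,6 +122,13 @@` hunk lands in include/linux/audit.h with no kernel-doc comment, so a reader of the header cannot tell which per-netns list the `list` member hangs off, what lock serializes the add/increment and delete/decrement paths the commit message enumerates (clone/fork, unshare, setns, exit), or that one entry is meant to be shared by several tasks in the same namespace; add a comment stating the list head, the protecting lock and the ownership rule. Holding a bare `u64 id` copy also gives the entry no lifetime link to the container ID object it names; once the entry points at that object and takes a reference, as agreed in the reply, the comment should say that the reference is dropped only when the last task using it leaves the namespace.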
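As an added illustration (not code from the patch or from the kernel), this is the per-netns tracking the commit message describes with the reviewer's suggestion applied: each list entry links to a reference-counted container ID object instead of copying the id, and the NETFILTER_PKT path walks the list to emit one auxiliary record per contid. It is a hypothetical userspace model; the names contobj, contobj_netns, netns_contid_add/drop/collect and all fields are invented here.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical userspace model of the per-netns contid list described in the
 * commit message; not the patch's kernel code. All names here are invented. */
struct contobj { uint64_t id; int refcount; };  /* the audit container ID object */
struct contobj_netns {                          /* one entry per contid in a netns */
    struct contobj_netns *next;
    struct contobj *obj; int users;             /* link to the object (no copied id); tasks using it */
};
struct netns { struct contobj_netns *head; };
static struct contobj *contobj_get(struct contobj *o) { o->refcount++; return o; }
void contobj_put(struct contobj *o) { if (--o->refcount == 0) free(o); }
struct contobj *contobj_new(uint64_t id)
{
    struct contobj *o = calloc(1, sizeof(*o));
    o->id = id; o->refcount = 1;                /* creator holds one reference */
    return o;
}
/* add/increment: /proc set, or clone/fork, unshare, setns inheriting a contid */
void netns_contid_add(struct netns *ns, struct contobj *o)
{
    struct contobj_netns *e;
    for (e = ns->head; e; e = e->next)
        if (e->obj == o) { e->users++; return; }
    e = calloc(1, sizeof(*e));
    e->obj = contobj_get(o);                    /* the entry pins the object */
    e->users = 1; e->next = ns->head; ns->head = e;
}
/* delete/decrement: exit, child overriding an inherited id, unshare/setns leaving */
void netns_contid_drop(struct netns *ns, struct contobj *o)
{
    struct contobj_netns **pp, *e;
    for (pp = &ns->head; (e = *pp) != NULL; pp = &e->next)
        if (e->obj == o) {
            if (--e->users == 0) { *pp = e->next; contobj_put(o); free(e); }
            return;
        }
}
/* NETFILTER_PKT: collect every contid in the netns, one auxiliary record each */
size_t netns_contid_collect(const struct netns *ns, uint64_t *out, size_t max)
{
    size_t n = 0;
    for (const struct contobj_netns *e = ns->head; e && n < max; e = e->next)
        out[n++] = e->obj->id;
    return n;
}
```

Because an entry only goes away when its last user leaves, a packet arriving while two tasks of the same container share the namespace is still attributed to that container after one of them exits.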