Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp796490ybv;
        Wed, 5 Feb 2020 14:52:51 -0800 (PST)
X-Google-Smtp-Source: APXvYqxHCwAl5YFoYE/VETqwo2GO0KGXoJEkw/ZMvzufjvHg9MGvoTlLm42xEemrgRY7pf1S5vWC
X-Received: by 2002:aca:f08:: with SMTP id 8mr4969050oip.60.1580943171237;
        Wed, 05 Feb 2020 14:52:51 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1580943171; cv=none;
        d=google.com; s=arc-20160816;
        b=o4j2GWR5JHlp6V+bCym9IGoe+hGnbBQfSNpRhNgjtvYAZRLLkXdzGlFCsFkl8okfSE
         vjLo/iyaN5xaSyP/nbS0kBb5/8iDtj0bApnJJW4L/oWAgYLyD4EsiSAwo0r2i3EBBaR6
         jYw8i4M6nGfM8LFzBiEtI9mkoV4rL7mEUaZG/K430FfxMqgoyC9bWvLpNMX0WwDeIs3f
         ZngbtCXr77tUkw7FRqmztrxfQJad0UiFZhC7P4PGRZUQECJjbH5rE6OF2w0qluaw+6UH
         jrtBCUsFwU+4gJUQNn/s8eMED7sUvxDGkF/Wt2YjhiopzW6HQ3oWghAojjo3eHaPFFMM
         ZKag==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=KkJqADdzREDp4wpCa3aAuBXzYy2a7dWtxmQqACuBiLA=;
        b=qNdVKDP6wTHqffp7yl4ndTA6MA7B96iFAyg0pk6GUBYBg6HZHMwKEgKFsZKkU7S5Bu
         RgTRjUaP/MH+FU4csc1Dy/JrprR/VG9g4IXns0wsueSTZrbBcfXItRF6RTnusFtxdfBQ
         DeFLv7IqNkl9b4UYzOCvJwOhY3SrAKQI3nb4h3EghrVizkGzlKZEuolcX3HKGQiNynWd
         y+aTUqN8PFs8BZ4WVVi42Le5YABQY3Esy9Z7DZhBkaoRQbEFG2i9ESHJKiVHEWbzvbIv
         WNdP5Goge6SmqakLE6d//LyGbuR5474gYpXpx4uPXrxaUl34tr7db3NTmqLdrmHTWxvp
         Alwg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=tlFhwg7f;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id j65si630738otc.308.2020.02.05.14.52.39;
        Wed, 05 Feb 2020 14:52:51 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=tlFhwg7f;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727604AbgBEWvo (ORCPT <rfc822;vipinmukundan46@gmail.com>
        + 99 others); Wed, 5 Feb 2020 17:51:44 -0500
Received: from mail-ed1-f67.google.com ([209.85.208.67]:46688 "EHLO
        mail-ed1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727615AbgBEWvn (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 5 Feb 2020 17:51:43 -0500
Received: by mail-ed1-f67.google.com with SMTP id m8so3818230edi.13
        for <linux-kernel@vger.kernel.org>; Wed, 05 Feb 2020 14:51:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=paul-moore-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=KkJqADdzREDp4wpCa3aAuBXzYy2a7dWtxmQqACuBiLA=;
        b=tlFhwg7fuSsr9lDMyg/hJyhV9/r+SA/pNtn3GhTpEFeVNqw8D7oPmYV55YrajcvhPi
         6USVBo6kXicLmvv6Bg2Y0ha0tk2Nay7mXyPilZSuO9GsGXq5p9msM1TW1ThqpEKIk6TO
         4/OQyO/ulzcMerTQGaeD0VryqdPshEHuhKpG+unQcWhv6sPRbnKksfprLCn66VInLREd
         Je6wlsaG5QsXqkI7MrdKq8b444s9J9M4EeNMgElcAD+QNFZ/daBRaPIp/Nv+OU/SgL9L
         aTwx//Ff6J7OlQ/9BFdzCkZlg1MXq+nUXXnJiTXBCnSxNct/pUB8o87OQuSAcShpAQtW
         d60Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=KkJqADdzREDp4wpCa3aAuBXzYy2a7dWtxmQqACuBiLA=;
        b=kO0pXF2EcjJ3ot/XWls3GCbRyapJdSWAl02LzusvCtrCHbd4vpkS65ynZShR+Jy4kQ
         ie25YEwBiL0Lk6ogj/DTvProHr1WaHxdc1lePCha2ByWc9PGRWpm5ixzNGSvBrZkcadn
         5/fWJ1l8GK5KJ1xMPxy2OM+CxhAaaIzymFJkyNY/Nxr0khEXWFdHKNoBAUykboYH4Y+4
         KV7aK6Gi1jiEqB9kfAJeyJ3/UTcinUuVxgvgx49otJufTmjmcM7Jj6kB2U08OgIyX7Nz
         93rxR9HVpCzXfEmDWeQoIuz1F+rfDM8dZ7RjQY8KCqdCC8E85ZBYpI1ySvl3b2dlcUCr
         2vMA==
X-Gm-Message-State: APjAAAWY15BqwvG9ckLxYzmT9GDuNbEDGV1T9VTdNTHJvmdYEWykqTuW
        PPFr2RZJquxylV2Irgmi+fpLkUHaXvzdFBJBvSpB
X-Received: by 2002:a50:e108:: with SMTP id h8mr394067edl.196.1580943101124;
 Wed, 05 Feb 2020 14:51:41 -0800 (PST)
MIME-Version: 1.0
References: <cover.1577736799.git.rgb@redhat.com> <2954ed671a7622ddf3abdb8854dbba2ad13e9f33.1577736799.git.rgb@redhat.com>
 <CAHC9VhRw3Fj9-hi+Vj8JJb_GXM4B9N5hRXa9H6aQkuuFqJJ15w@mail.gmail.com> <20200204234258.uwaqk3s3c42fxews@madcap2.tricolour.ca>
In-Reply-To: <20200204234258.uwaqk3s3c42fxews@madcap2.tricolour.ca>
From:   Paul Moore <paul@paul-moore.com>
Date:   Wed, 5 Feb 2020 17:51:30 -0500
Message-ID: <CAHC9VhT0NELsrEeTmX15GaZ1SE-qZiQmz9-WweRGWRPcGN5EmA@mail.gmail.com>
Subject: Re: [PATCH ghak90 V8 11/16] audit: add support for containerid to
 network namespaces
To:     Richard Guy Briggs <rgb@redhat.com>
Cc:     containers@lists.linux-foundation.org, linux-api@vger.kernel.org,
        Linux-Audit Mailing List <linux-audit@redhat.com>,
        linux-fsdevel@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>,
        netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,
        sgrubb@redhat.com, omosnace@redhat.com, dhowells@redhat.com,
        simo@redhat.com, Eric Paris <eparis@parisplace.org>,
        Serge Hallyn <serge@hallyn.com>, ebiederm@xmission.com,
        nhorman@tuxdriver.com, Dan Walsh <dwalsh@redhat.com>,
        mpatel@redhat.com
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Feb 4, 2020 at 6:43 PM Richard Guy Briggs <rgb@redhat.com> wrote:
> On 2020-01-22 16:28, Paul Moore wrote:
> > On Tue, Dec 31, 2019 at 2:51 PM Richard Guy Briggs <rgb@redhat.com> wrote:
> > >
> > > This also adds support to qualify NETFILTER_PKT records.
> > >
> > > Audit events could happen in a network namespace outside of a task
> > > context due to packets received from the net that trigger an auditing
> > > rule prior to being associated with a running task.  The network
> > > namespace could be in use by multiple containers by association to the
> > > tasks in that network namespace.  We still want a way to attribute
> > > these events to any potential containers.  Keep a list per network
> > > namespace to track these audit container identifiiers.
> > >
> > > Add/increment the audit container identifier on:
> > > - initial setting of the audit container identifier via /proc
> > > - clone/fork call that inherits an audit container identifier
> > > - unshare call that inherits an audit container identifier
> > > - setns call that inherits an audit container identifier
> > > Delete/decrement the audit container identifier on:
> > > - an inherited audit container identifier dropped when child set
> > > - process exit
> > > - unshare call that drops a net namespace
> > > - setns call that drops a net namespace
> > >
> > > Add audit container identifier auxiliary record(s) to NETFILTER_PKT
> > > event standalone records.  Iterate through all potential audit container
> > > identifiers associated with a network namespace.
> > >
> > > Please see the github audit kernel issue for contid net support:
> > >   https://github.com/linux-audit/audit-kernel/issues/92
> > > Please see the github audit testsuiite issue for the test case:
> > >   https://github.com/linux-audit/audit-testsuite/issues/64
> > > Please see the github audit wiki for the feature overview:
> > >   https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
> > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > > Acked-by: Neil Horman <nhorman@tuxdriver.com>
> > > Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
> > > ---
> > >  include/linux/audit.h    |  24 +++++++++
> > >  kernel/audit.c           | 132 ++++++++++++++++++++++++++++++++++++++++++++++-
> > >  kernel/nsproxy.c         |   4 ++
> > >  net/netfilter/nft_log.c  |  11 +++-
> > >  net/netfilter/xt_AUDIT.c |  11 +++-
> > >  5 files changed, 176 insertions(+), 6 deletions(-)
> >
> > ...
> >
> > > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > > index 5531d37a4226..ed8d5b74758d 100644
> > > --- a/include/linux/audit.h
> > > +++ b/include/linux/audit.h
> > > @@ -12,6 +12,7 @@
> > >  #include <linux/sched.h>
> > >  #include <linux/ptrace.h>
> > >  #include <uapi/linux/audit.h>
> > > +#include <linux/refcount.h>
> > >
> > >  #define AUDIT_INO_UNSET ((unsigned long)-1)
> > >  #define AUDIT_DEV_UNSET ((dev_t)-1)
> > > @@ -121,6 +122,13 @@ struct audit_task_info {
> > >
> > >  extern struct audit_task_info init_struct_audit;
> > >
> > > +struct audit_contobj_netns {
> > > +       struct list_head        list;
> > > +       u64                     id;
> >
> > Since we now track audit container IDs in their own structure, why not
> > link directly to the audit container ID object (and bump the
> > refcount)?
>
> Ok, I've done this but at first I had doubts about the complexity.

Yes, it will be more complex, but it should be much safer.

-- 
paul moore
www.paul-moore.com