Received: by 2002:a25:e7d8:0:0:0:0:0 with SMTP id e207csp1087079ybh;
        Wed, 18 Mar 2020 14:51:12 -0700 (PDT)
X-Google-Smtp-Source: ADFU+vtC7ZvyqUlniiwqQ0wA58/0GS5aY3L6lphMPjNJ8fepSEze7tSWt+8EP50QPMvwMSiliL8s
X-Received: by 2002:a05:6830:120f:: with SMTP id r15mr5541780otp.90.1584568272122;
        Wed, 18 Mar 2020 14:51:12 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1584568272; cv=none;
        d=google.com; s=arc-20160816;
        b=KeywOniRmmjlaVzZFBNL+9AFOSh8qhd1R43oQfteCFRh4o0L3H/aFqvjk1i607u9ka
         721DftQSXcqqdlv4jkRd4LwuJ1cjtJ/Op4R24ThR67xHK0Pjf7KkXSnbHwNaKXRuDMRZ
         AQtLiGJPt8VEqcsgUM9AppYQJKCMSLa3XbXon9l2L6DR4Y+3lfwiYsl/D8DzeFqm4la2
         tv6z2ChZQVz6+gV0uMVA/njIzz6ZM4N0BzNaijkSzSyclnKJCqMINmsx7zJtlmQ1C69Y
         /y3Ox7QVKi48j58mefMoLclNSFhEOVKP1FpO5SAYMwluRp0wPOfrh49LkDACZCzXOvWv
         ajlw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=jSbmM7deMijcGQ2Njr0obFK5q42A00wv1XC6bXtNHSs=;
        b=K1a/RnfxNGvwpUusoo5nJQBaTisPGSuWhPmEKSOylMaoDaY/YfVVsAtulCDAIWCHPT
         ETy35yMztozn45Q3uXMDrt9Q5Mh/DUn1Afb4RTVHFF6ZG5+zhrkwdd+N81GJJlVfNArB
         H0CBQbJmLY18LA5KNMWcg29KW4NSRM31cbW2s+ZLIqPnK7cI7N8pma+B8KSd+JB5nIBq
         GbxFcHDcajheCoRtvke5DvM4erVjmG6dgjdUWSnjQdeW8aABAL+FyLp5kHBzAJyZCpFS
         nAcmad+DyM/AnEfKLng8HSYJlmQoWVCo9VBxt50XfYrLz4rti14bUL8yi1M+XSbUfb0B
         Z7Ew==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=T4F+0zg1;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id l25si3819598oii.205.2020.03.18.14.50.58;
        Wed, 18 Mar 2020 14:51:12 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=T4F+0zg1;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727195AbgCRVsB (ORCPT <rfc822;xiaochao379261131@gmail.com>
        + 99 others); Wed, 18 Mar 2020 17:48:01 -0400
Received: from mail-ed1-f68.google.com ([209.85.208.68]:33577 "EHLO
        mail-ed1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727186AbgCRVsB (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 18 Mar 2020 17:48:01 -0400
Received: by mail-ed1-f68.google.com with SMTP id z65so45646ede.0
        for <linux-kernel@vger.kernel.org>; Wed, 18 Mar 2020 14:47:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=paul-moore-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=jSbmM7deMijcGQ2Njr0obFK5q42A00wv1XC6bXtNHSs=;
        b=T4F+0zg1O4tCjiTKCeojQKo/2Vtz1Y+alVLD9/3BaXATvaIH/n9YlZXNzm44rRIYbc
         /F5yX5PPdgh6l01fK9Gc10RKTceI3FKoMamsMY7hRmF0avd+AHmIzQx36bFZmvXUv3WA
         EvoGBOAqVPPUfit4G9+GonZdu56r9uGVHxzjN4hKfT0wxiYfjbDnp6J0f3ZqDddnq+2k
         cyBGj7HLAeLnxb7lU/gUixuR6E1k3WHUyCQ/ClL6F7PlGcFYjaOKkhpgPPSb+URJI5vX
         hlLE/L/hNKSs2ia2J+nArMBJNI5rRs49r+Pxi72D9WYQ8pY6L5sMGpDq0zB1ajX5b02A
         uXHg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=jSbmM7deMijcGQ2Njr0obFK5q42A00wv1XC6bXtNHSs=;
        b=RnDQWwngrSiVArTdieRVkonGx517WbBsjE4ocB8eISMsLBPlKHfJ5Udc9LZEmCasLy
         bX8AJZ//R7ZTbAxtf23W/qrLiQUNaSmKmsB1SpLTgzpaPbQNK5URmFkL5Nne+5MdIsyd
         p391qP+j+wxWXOAfHu6P2X+GLCY+ShYpY4+rVD28oUb4xV/Dr1jAqufycNb6c49XPW5/
         KW7u5NZ5pDnmSNMn0BLV/R1UULXwJ95oNreiZlkzMLjdXBL4sKaiDd9GktPJsEvJZSDa
         wNfuu9M3QMgdt46fwWh/KSSe35gf+pdkm/ofVskv5yjH7TMDiBMWgn7BUaionzypfcwZ
         6pWw==
X-Gm-Message-State: ANhLgQ0HoziPDRCQOpzbQjAox9kOfjDVnBFxpUkaYUNRQzWi7wjqrMfu
        QamwcFLclMW/bPmAWBcf1dcvt6sAKqirBVpcV7j/
X-Received: by 2002:a17:906:7a46:: with SMTP id i6mr281388ejo.95.1584568078394;
 Wed, 18 Mar 2020 14:47:58 -0700 (PDT)
MIME-Version: 1.0
References: <cover.1577736799.git.rgb@redhat.com> <20200204231454.oxa7pyvuxbj466fj@madcap2.tricolour.ca>
 <CAHC9VhQquokw+7UOU=G0SsD35UdgmfysVKCGCE87JVaoTkbisg@mail.gmail.com>
 <3142237.YMNxv0uec1@x2> <CAHC9VhTiCHQbp2SwK0Xb1QgpUZxOQ26JKKPsVGT0ZvMqx28oPQ@mail.gmail.com>
 <20200312202733.7kli64zsnqc4mrd2@madcap2.tricolour.ca> <CAHC9VhS9DtxJ4gvOfMRnzoo6ccGJVKL+uZYe6qqH+SPqD8r01Q@mail.gmail.com>
 <20200313192306.wxey3wn2h4htpccm@madcap2.tricolour.ca> <CAHC9VhQKOpVWxDg-tWuCWV22QRu8P_NpFKme==0Ot1RQKa_DWA@mail.gmail.com>
 <20200318214154.ycxy5dl4pxno6fvi@madcap2.tricolour.ca>
In-Reply-To: <20200318214154.ycxy5dl4pxno6fvi@madcap2.tricolour.ca>
From:   Paul Moore <paul@paul-moore.com>
Date:   Wed, 18 Mar 2020 17:47:47 -0400
Message-ID: <CAHC9VhSuMnd3-ci2Bx-xJ0yscQ=X8ZqFAcNPKpbh_ZWN3FJcuQ@mail.gmail.com>
Subject: Re: [PATCH ghak90 V8 07/16] audit: add contid support for signalling
 the audit daemon
To:     Richard Guy Briggs <rgb@redhat.com>
Cc:     Steve Grubb <sgrubb@redhat.com>, linux-audit@redhat.com,
        nhorman@tuxdriver.com, linux-api@vger.kernel.org,
        containers@lists.linux-foundation.org,
        LKML <linux-kernel@vger.kernel.org>, dhowells@redhat.com,
        netfilter-devel@vger.kernel.org, ebiederm@xmission.com,
        simo@redhat.com, netdev@vger.kernel.org,
        linux-fsdevel@vger.kernel.org, Eric Paris <eparis@parisplace.org>,
        mpatel@redhat.com, Serge Hallyn <serge@hallyn.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Mar 18, 2020 at 5:42 PM Richard Guy Briggs <rgb@redhat.com> wrote:
> On 2020-03-18 17:01, Paul Moore wrote:
> > On Fri, Mar 13, 2020 at 3:23 PM Richard Guy Briggs <rgb@redhat.com> wrote:
> > > On 2020-03-13 12:42, Paul Moore wrote:
> >
> > ...
> >
> > > > The thread has had a lot of starts/stops, so I may be repeating a
> > > > previous suggestion, but one idea would be to still emit a "death
> > > > record" when the final task in the audit container ID does die, but
> > > > block the particular audit container ID from reuse until it the
> > > > SIGNAL2 info has been reported.  This gives us the timely ACID death
> > > > notification while still preventing confusion and ambiguity caused by
> > > > potentially reusing the ACID before the SIGNAL2 record has been sent;
> > > > there is a small nit about the ACID being present in the SIGNAL2
> > > > *after* its death, but I think that can be easily explained and
> > > > understood by admins.
> > >
> > > Thinking quickly about possible technical solutions to this, maybe it
> > > makes sense to have two counters on a contobj so that we know when the
> > > last process in that container exits and can issue the death
> > > certificate, but we still block reuse of it until all further references
> > > to it have been resolved.  This will likely also make it possible to
> > > report the full contid chain in SIGNAL2 records.  This will eliminate
> > > some of the issues we are discussing with regards to passing a contobj
> > > vs a contid to the audit_log_contid function, but won't eliminate them
> > > all because there are still some contids that won't have an object
> > > associated with them to make it impossible to look them up in the
> > > contobj lists.
> >
> > I'm not sure you need a full second counter, I imagine a simple flag
> > would be okay.  I think you just something to indicate that this ACID
> > object is marked as "dead" but it still being held for sanity reasons
> > and should not be reused.
>
> Ok, I see your point.  This refcount can be changed to a flag easily
> enough without change to the api if we can be sure that more than one
> signal can't be delivered to the audit daemon *and* collected by sig2.
> I'll have a more careful look at the audit daemon code to see if I can
> determine this.

Maybe I'm not understanding your concern, but this isn't really
different than any of the other things we track for the auditd signal
sender, right?  If we are worried about multiple signals being sent
then it applies to everything, not just the audit container ID.

> Another question occurs to me is that what if the audit daemon is sent a
> signal and it cannot or will not collect the sig2 information from the
> kernel (SIGKILL?)?  Does that audit container identifier remain dead
> until reboot, or do we institute some other form of reaping, possibly
> time-based?

In order to preserve the integrity of the audit log that ACID value
would need to remain unavailable until the ACID which contains the
associated auditd is "dead" (no one can request the signal sender's
info if that container is dead).

-- 
paul moore
www.paul-moore.com