Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp3837210ybt;
        Sun, 5 Jul 2020 08:15:00 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyyQYq46UAEPjmDLo6POGh6vYfGDQfsQDdcVkdc66MTpDnlX2KVJ89Aj7N5x+nk08AA2lik
X-Received: by 2002:a17:906:87c8:: with SMTP id zb8mr39291531ejb.35.1593962100129;
        Sun, 05 Jul 2020 08:15:00 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1593962100; cv=none;
        d=google.com; s=arc-20160816;
        b=nAXlA3E5GFIh5PH2nLHE7vpyAgaqy+Ci7TXLa9rJm1cWjYuiq0EF6XPr/6XE6HDgfN
         UwecFl7HYD4v4TyiDI9oZlv2Vt5oA0E29HfLlvkj8ZTYBlJ1T54g+ROz+xOJJC8Japaz
         +mbjHpnYZkdAhXruqMwzBGcx/LgXubm2/59aNo6OJw1TaZD97ikUJN4GgQOLwDLB6QI/
         KZ63gRzeM7phqQdP6VpxAXngyxaSISdJ7ohfr5cBe8naL+65rSqt92bp4SAeYjPkkr6f
         M0u7xqq+b/NBgrulzRc/xObPyT9fffG0MC8M2FrV+kosfWlO4Na24saaWHs8KHdxH8UR
         /0oA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=KEtBGKGu7+F7kv2SoCb+jcPQSY3d8v9OKOQZlWY0FOw=;
        b=KAW0fWBc5YmKqZCSNjftUdBK+kCMQslN52gcZSgVt9Sm2O5XF+9jx3Usp+X8MXAUWJ
         SVTbkwD+8YQck10RnHaAYycrA2haJlB1IB5+xUpXjHi07bC0BzGCBlr4uqTlpxr0bJgE
         8jyzYqv0vgNs8poi7cJrGKKnYfRlgYWxPTPUQSuSLMLwlYNKsD4say1TmJhsyUEKJtG5
         rLQTFx3KICLApHZGdu16pBe/rEIUTXTuDBVnjC5MpFD+8FeGzsoovYd79OuDcwKlciC1
         hkxj0pV/nz36c90qqsXcjVyEjm/wqtSIKYiNm5xO2Ovne8eyrDJzS4Nk2duRKkmJ6Icm
         Y9Mw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b="cUFTmXA/";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id u10si13405887edq.87.2020.07.05.08.14.37;
        Sun, 05 Jul 2020 08:15:00 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b="cUFTmXA/";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728071AbgGEPLz (ORCPT <rfc822;0330sisy@gmail.com> + 99 others);
        Sun, 5 Jul 2020 11:11:55 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39316 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727091AbgGEPLx (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 5 Jul 2020 11:11:53 -0400
Received: from mail-ed1-x541.google.com (mail-ed1-x541.google.com [IPv6:2a00:1450:4864:20::541])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 849B4C061794
        for <linux-kernel@vger.kernel.org>; Sun,  5 Jul 2020 08:11:53 -0700 (PDT)
Received: by mail-ed1-x541.google.com with SMTP id h28so32375726edz.0
        for <linux-kernel@vger.kernel.org>; Sun, 05 Jul 2020 08:11:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=paul-moore-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=KEtBGKGu7+F7kv2SoCb+jcPQSY3d8v9OKOQZlWY0FOw=;
        b=cUFTmXA/DyAnDDYLg8ipvtwwYTnqfzvAaNvgPrFtpf0WHTtlMgF1J8JEYu+SztZCcN
         qY0T0sITN67xTjXr2olj+hlGjYD+kDPa9BvIYID3C9aUNWjKEKkN1WotcjaiAIwhfYVg
         dpsRVCmvS0LuYgCK01Gcp1Uc1xbXmFY6rn0oWYoTS686cxKm+hoFAZHkzriABSN8H0NR
         aEYHPPkebf+QX7omBXu2KcHuG27AfCpbD60BsfJhSGgFTdBW3ZqyXo4aqTT0mW1nXMsq
         USc3rqqqb7llr4PRpkZ3cnHVIMkicmS1ADVjxqC3y7wHUC2/1785plYpSFtkctgFbDur
         yOeQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=KEtBGKGu7+F7kv2SoCb+jcPQSY3d8v9OKOQZlWY0FOw=;
        b=Iylyb6o3rz8K56YRe2Hui+Ksl9leTwrFXoLWf9B2NcsScaCkkVKZQmknIwrdG1afj8
         hSJMUBjwY3SRpKo8iS6qF/gTPnHW/XV6WUiY2jXV0vhr2aScSOXb0FajTpErelbRG1NP
         AM+Qve/LwdDMerQCPB51w1Ni5y6wkVgNzUN0srFWH8m7QbjKuk/kJ7F7hF8sclY5AQ9n
         FFgyPydcRwwXgHmmTR9HAa3FXDcWrWHooeEzqbNzw/T4pAzQlcDrdAQL1R/1zLgw6y6D
         vjsp5C0G3tfH38FLoKkZEfjLqYQjp04UTjuNXQJvrNotYi82Ku07bJRlLpxWXzwZ/2Cm
         XoFw==
X-Gm-Message-State: AOAM531hgpvMRwDwSKGPthUstyiBxL2dwMIC76z9rhV1TdmG6E+a6N6I
        Iyidt0Echx3fR0+CxKs87qzg+ro4F88JsrFtJtwM
X-Received: by 2002:a05:6402:742:: with SMTP id p2mr31354555edy.135.1593961912251;
 Sun, 05 Jul 2020 08:11:52 -0700 (PDT)
MIME-Version: 1.0
References: <cover.1593198710.git.rgb@redhat.com> <1d793e2fc60650de4bbc9f4bde3c736c94efe9a1.1593198710.git.rgb@redhat.com>
In-Reply-To: <1d793e2fc60650de4bbc9f4bde3c736c94efe9a1.1593198710.git.rgb@redhat.com>
From:   Paul Moore <paul@paul-moore.com>
Date:   Sun, 5 Jul 2020 11:11:40 -0400
Message-ID: <CAHC9VhRU9+h-hXKJTuMnZfyOgiktOPMRzzgAP7+VSXV7COjJuw@mail.gmail.com>
Subject: Re: [PATCH ghak90 V9 12/13] audit: track container nesting
To:     Richard Guy Briggs <rgb@redhat.com>
Cc:     containers@lists.linux-foundation.org, linux-api@vger.kernel.org,
        Linux-Audit Mailing List <linux-audit@redhat.com>,
        linux-fsdevel@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>,
        netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,
        sgrubb@redhat.com, Ondrej Mosnacek <omosnace@redhat.com>,
        dhowells@redhat.com, simo@redhat.com,
        Eric Paris <eparis@parisplace.org>,
        Serge Hallyn <serge@hallyn.com>, ebiederm@xmission.com,
        nhorman@tuxdriver.com, Dan Walsh <dwalsh@redhat.com>,
        mpatel@redhat.com
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Jun 27, 2020 at 9:23 AM Richard Guy Briggs <rgb@redhat.com> wrote:
>
> Track the parent container of a container to be able to filter and
> report nesting.
>
> Now that we have a way to track and check the parent container of a
> container, modify the contid field format to be able to report that
> nesting using a carrat ("^") modifier to indicate nesting.  The
> original field format was "contid=<contid>" for task-associated records
> and "contid=<contid>[,<contid>[...]]" for network-namespace-associated
> records.  The new field format is
> "contid=<contid>[,^<contid>[...]][,<contid>[...]]".

I feel like this is a case which could really benefit from an example
in the commit description showing multiple levels of nesting, with
some leaf audit container IDs at each level.  This way we have a
canonical example for people who want to understand how to parse the
list and properly sort out the inheritance.


> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
>  include/linux/audit.h |  1 +
>  kernel/audit.c        | 60 ++++++++++++++++++++++++++++++++++++++++++---------
>  kernel/audit.h        |  2 ++
>  kernel/auditfilter.c  | 17 ++++++++++++++-
>  kernel/auditsc.c      |  2 +-
>  5 files changed, 70 insertions(+), 12 deletions(-)

--
paul moore
www.paul-moore.com