Received: by 2002:a25:e74b:0:0:0:0:0 with SMTP id e72csp1379098ybh; Mon, 13 Jul 2020 17:46:43 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxdqIR5YF32huxScn1Wbf/Ty257koQXL5OQJVjblPCZu9L60DzOHez9H6yGoKV6ZVrLDhWD X-Received: by 2002:a50:8adb:: with SMTP id k27mr1883891edk.267.1594687603399; Mon, 13 Jul 2020 17:46:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1594687603; cv=none; d=google.com; s=arc-20160816; b=ZDt9ClP/MFgP1Bgp2J5sD4ZWSil2PnhiwEOBgjXhZWOC1tagHTmiGoNHgxl42i+z7M Vrf4EJ/qHLINniE1u5ll5uMqGULU9wz/8DsGc6x2wjiUeps5WRR9oZ17wNhzBbjlR5eb CKgpz5liuNpvgYf6NuwVvA3VyD11UmR62357dmzdXqfTAQJODldLaoE5lJtJ/lHsuEZy K4QfyIMwOoGuJ6tVBFvQ1gJ4V/fnaY/2t8T1UAQ22ueAcLCO7gldH9HM2j2b2dirVnko 3ayAWaaOm5vPO7eXBkzKPDbbON2TM7+rBR7TM8LQ2rqEXDesG750qXPiL70dj9XzZwbc uiLA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=bmkyDT2Ok5AKFPTzejs90EKhv0LPiFP9AWMW7s63JrQ=; b=Be6s10Hu4tn7zdl6nQ6hs/Bz2Oaf/ai9VuOhKMgsLusAxTEFqasdMG2t0G1lUkUfCG xMS8fTbaZsgMdsnH3Sye4XCszDacm1+jHYIRlpcFnzUvxm1cCUFeM53E+H9UsaD2W7SG byhiy6FkhyQoXjmELP5qYuQwtdK5evoAsDzJqwzDWz2tcBrCac3olA6T7PeQUzajFgYQ sWOe9683HlwoOwSsGA9AhaGEA7GUoQzgwC7gKQjTuBmzIKjzDg5uBuDr6CW8iA9xVWL4 cfFgEPRB6RgmBUrjX7vm5L8YbD3QB6AEhp4vvBulYhWYcUWaSZupsp2xP7trxi53k6Qg BHzw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=Jg0UAal5; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id m8si10544013edv.543.2020.07.13.17.46.19; Mon, 13 Jul 2020 17:46:43 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=Jg0UAal5; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726996AbgGNApM (ORCPT + 99 others); Mon, 13 Jul 2020 20:45:12 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40044 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726257AbgGNApL (ORCPT ); Mon, 13 Jul 2020 20:45:11 -0400 Received: from mail-ed1-x541.google.com (mail-ed1-x541.google.com [IPv6:2a00:1450:4864:20::541]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A20C7C061755 for ; Mon, 13 Jul 2020 17:45:10 -0700 (PDT) Received: by mail-ed1-x541.google.com with SMTP id by13so15381412edb.11 for ; Mon, 13 Jul 2020 17:45:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=bmkyDT2Ok5AKFPTzejs90EKhv0LPiFP9AWMW7s63JrQ=; b=Jg0UAal5+4ko6u58hgMcHJj+uPsQ3LKmIcb61aCtyM4jaS3QWcAOCy0OObnsCpkXUU ISOHXxoeLc2wCXHvajiQfNFdrMJ7CZz0MIzF+f971d/Gfu7vDxvayh7mhP2svb+qf2K1 YjCKpJmEeHMPjbQgTcGGPjMJ2K/Bh+qYoKC+z1uXDQYgcZeKcEhWagYje7djbIKDgWYJ AYe/bLL7xIkCn1F4CcRszKPFnDbSkFF4fiY64ouwJMLevX6CoCQo+zUsKxKywrzWL6JY EIXB9J4+THNCUiMEJXbr8YqqIliuE2LBwznBkdqqenwgZ5vW4MfNPwXn4hh3McNhiyp1 6Lpg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=bmkyDT2Ok5AKFPTzejs90EKhv0LPiFP9AWMW7s63JrQ=; b=O3Ycpgf/Kf9YvTZucCSIRjJrIQi1NiIYCpPx3MSAJ9S1LlZkplFB3d56BP8jAn5cYd 37YNZz2jxVwk2CqcJfEhWkZBoXK2TpHIDztDASVj0dFoCSWAYFW9zb/O5fWIXo1dhKDP tLDghZqd84sNfghi8+RMegQ+g6RLWAJXPBnYRMH6jSsxeiqaPadwx1LZEV+fJCewo5vS +Yh0Kk4UBDyfBAGIQ3zo9t43PGg5Hfb1ZBE1XCgRVMiRi0/6oILNfpag7vCF+tONmKL4 p/IaQAUOWMsTCgxZL896C5ghfhulAOcWj0lI8YiHDTJyamHpV3c55AA8sAWGRuVk/82P uNJA== X-Gm-Message-State: AOAM530QTZOoqEYrBk/V7esYw7YHS0L8MP5GeKBoWS/g9Z5w5i0BVuMh NXjtt9B2UyUmMFTaW513BPr0nzVsHufhBM5GMluz X-Received: by 2002:a05:6402:1d89:: with SMTP id dk9mr1958150edb.31.1594687509148; Mon, 13 Jul 2020 17:45:09 -0700 (PDT) MIME-Version: 1.0 References: <6abeb26e64489fc29b00c86b60b501c8b7316424.1593198710.git.rgb@redhat.com> <20200707025014.x33eyxbankw2fbww@madcap2.tricolour.ca> <20200713202906.iiz435vjeedljcwf@madcap2.tricolour.ca> In-Reply-To: <20200713202906.iiz435vjeedljcwf@madcap2.tricolour.ca> From: Paul Moore Date: Mon, 13 Jul 2020 20:44:57 -0400 Message-ID: Subject: Re: [PATCH ghak90 V9 01/13] audit: collect audit task parameters To: Richard Guy Briggs Cc: nhorman@tuxdriver.com, linux-api@vger.kernel.org, containers@lists.linux-foundation.org, LKML , dhowells@redhat.com, Linux-Audit Mailing List , netfilter-devel@vger.kernel.org, ebiederm@xmission.com, simo@redhat.com, netdev@vger.kernel.org, linux-fsdevel@vger.kernel.org, Eric Paris , mpatel@redhat.com, Serge Hallyn Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jul 13, 2020 at 4:30 PM Richard Guy Briggs wrote: > On 2020-07-07 21:42, Paul Moore wrote: > > On Mon, Jul 6, 2020 at 10:50 PM Richard Guy Briggs wrote: > > > On 2020-07-05 11:09, Paul Moore wrote: > > > > On Sat, Jun 27, 2020 at 9:21 AM Richard Guy Briggs wrote: ... > > > > In the early days of this patchset we talked a lot about how to handle > > > > the task_struct and the changes that would be necessary, ultimately > > > > deciding that encapsulating all of the audit fields into an > > > > audit_task_info struct. However, what is puzzling me a bit at this > > > > moment is why we are only including audit_task_info in task_info by > > > > reference *and* making it a build time conditional (via CONFIG_AUDIT). > > > > > > > > If audit is enabled at build time it would seem that we are always > > > > going to allocate an audit_task_info struct, so I have to wonder why > > > > we don't simply embed it inside the task_info struct (similar to the > > > > seccomp struct in the snippet above? Of course the audit_context > > > > struct needs to remain as is, I'm talking only about the > > > > task_info/audit_task_info struct. > > > > > > I agree that including the audit_task_info struct in the struct > > > task_struct would have been preferred to simplify allocation and free, > > > but the reason it was included by reference instead was to make the > > > task_struct size independent of audit so that future changes would not > > > cause as many kABI challenges. This first change will cause kABI > > > challenges regardless, but it was future ones that we were trying to > > > ease. > > > > > > Does that match with your recollection? > > > > I guess, sure. I suppose what I was really asking was if we had a > > "good" reason for not embedding the audit_task_info struct. > > Regardless, thanks for the explanation, that was helpful. > > Making it dynamic was actually your idea back in the spring of 2018: > https://lkml.org/lkml/2018/4/18/759 If you read my comments from 2018 carefully, or even not so carefully I think, you'll notice that my primary motivation for using a pointer was to "hide" the audit_task_info struct contents so that they couldn't be abused by other kernel subsystems looking for a general container identifier inside the kernel. As we've discussed many times before, this patchset is not a general purpose container identifier, this is an ***audit*** container ID; limiting the scope and usage of this identifier is what has allowed us to gain the begrudging acceptance we've had thus far and I believe it is the key to success. For whatever it is worth, this patchset doesn't hide the audit_task_struct definition in a kernel/audit*.c file, it lives in a header file which is easily accessed by other subsystems. In my opinion we should pick one of two options: leave it as a pointer reference and "hide" the struct definition, or just embed the struct and simplify the code. I see little value in openly defining the audit_task_info struct and using a pointer reference; if you believe you have a valid argument for why this makes sense I'm open to hearing it, but your comments thus far have been unconvincing. > > > > Richard, I'm sure you can answer this off the top of your head, but > > > > I'd have to go digging through the archives to pull out the relevant > > > > discussions so I figured I would just ask you for a reminder ... ? I > > > > imagine it's also possible things have changed a bit since those early > > > > discussions and the solution we arrived at then no longer makes as > > > > much sense as it did before. > > > > > > Agreed, it doesn't make as much sense now as it did when proposed, but > > > will make more sense in the future depending on when this change gets > > > accepted upstream. This is why I wanted this patch to go through as > > > part of ghak81 at the time the rest of it did so that future kABI issues > > > would be easier to handle, but that ship has long sailed. > > > > To be clear, kABI issues with task_struct really aren't an issue with > > the upstream kernel. I know that you know all of this already > > Richard, I'm mostly talking to everyone else on the To/CC line in case > > they are casually watching this discussion. > > kABI issues may not as much of an upstream issue, but part of the goal > here was upstream kernel issues, isolating the kernel audit changes > to its own subsystem and affect struct task_struct as little as possible > in the future and to protect it from "abuse" (as you had expressed > serious concerns) from the rest of the kernel. include/linux/sched.h > will need to know more about struct audit_task_info if it is embedded, > making it more suceptible to abuse. I define "abuse" in this context as other kernel subsystems inspecting the contents of the audit_task_struct, most likely to try and approximate a general container identifier. Better separation between the audit subsystem and the task_struct, while conceptually nice, isn't critical and is easily changed upstream with each kernel release as it isn't part of the kernel/userspace API. Regardless, a basic conceptual separation is achieved by the audit_task_struct regardless of if it is embedded into the task_struct or included by a pointer reference. > > While I'm sympathetic to long-lifetime enterprise distros such as > > RHEL, my responsibility is to ensure the upstream kernel is as good as > > we can make it, and in this case I believe that means embedding > > audit_task_info into the task_struct. > > Keeping audit_task_info dynamic will also make embedding struct > audit_context as a zero-length array at the end of it possible in the > future as an internal audit subsystem optimization whereas largely > preclude that if it were embedded. Predicting the future is hard, but I would be comfortable giving up on a variable length audit_task_info struct. Besides, if we *really* had to do that in the future we could, it's not part of the kernel/userspace API. > This method has been well exercised over the last two years of > development, testing and rebases, so I'm not particularly concerned > about its dynamic nature any more. It works well. At this point this > change seems to be more gratuitously disruptive than helpful. It may not seem like it, but at this point in this patchset's life I do try to limit my comments to only those things which I feel are substantive. In the cases where I think something is borderline I'll mention that in my comments. The trivial cases I'll generally call out as "nitpicks". I assure you my comments are not gratuitous. I look forward to reviewing another round of this patchset about as much as I expect you look forward to writing, testing, and submitting it. > > > > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > > > > index 468a23390457..f00c1da587ea 100644 > > > > > --- a/kernel/auditsc.c > > > > > +++ b/kernel/auditsc.c > > > > > @@ -1612,7 +1615,6 @@ void __audit_free(struct task_struct *tsk) > > > > > if (context->current_state == AUDIT_RECORD_CONTEXT) > > > > > audit_log_exit(); > > > > > } > > > > > - > > > > > audit_set_context(tsk, NULL); > > > > > audit_free_context(context); > > > > > } > > > > > > > > This nitpick is barely worth the time it is taking me to write this, > > > > but the whitespace change above isn't strictly necessary. > > > > > > Sure, it is a harmless but noisy cleanup when the function was being > > > cleaned up and renamed. It wasn't an accident, but a style preference. > > > Do you prefer a vertical space before cleanup actions at the end of > > > functions and more versus less vertical whitespace in general? > > > > As I mentioned above, this really was barely worth mentioning, but I > > made the comment simply because I feel this patchset is going to draw > > a lot of attention once it is merged and I feel keeping the patchset > > as small, and as focused, as possible is a good thing. > > Is this concern also affecting the perspective on the change from > pointer to embedded above? Keeping this particular patchset small and focused has always been a goal; I know we talked about this at least once, likely more than that, while I was still at RH and we were talking offline. If something is going to be contentious, it is better to be small and focused on the contention. -- paul moore www.paul-moore.com