From: Paul Moore <paul@paul-moore.com> To: Richard Guy Briggs <rgb@redhat.com> Cc: containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List <linux-audit@redhat.com>, linux-fsdevel@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, sgrubb@redhat.com, omosnace@redhat.com, dhowells@redhat.com, simo@redhat.com, Eric Paris <eparis@parisplace.org>, Serge Hallyn <serge@hallyn.com>, ebiederm@xmission.com, nhorman@tuxdriver.com, Dan Walsh <dwalsh@redhat.com>, mpatel@redhat.com Subject: Re: [PATCH ghak90 V7 12/21] audit: add support for containerid to network namespaces Date: Thu, 10 Oct 2019 20:39:35 -0400 [thread overview] Message-ID: <CAHC9VhRgOTfZzzv+NxxH3D3FN-2A=cd2h1+oDc2cabLhzi4gfQ@mail.gmail.com> (raw) In-Reply-To: <91315ac64b44bcad9dfc623fa7fefe67d7d2561b.1568834524.git.rgb@redhat.com> On Wed, Sep 18, 2019 at 9:26 PM Richard Guy Briggs <rgb@redhat.com> wrote: > Audit events could happen in a network namespace outside of a task > context due to packets received from the net that trigger an auditing > rule prior to being associated with a running task. The network > namespace could be in use by multiple containers by association to the > tasks in that network namespace. We still want a way to attribute > these events to any potential containers. Keep a list per network > namespace to track these audit container identifiiers. > > Add/increment the audit container identifier on: > - initial setting of the audit container identifier via /proc > - clone/fork call that inherits an audit container identifier > - unshare call that inherits an audit container identifier > - setns call that inherits an audit container identifier > Delete/decrement the audit container identifier on: > - an inherited audit container identifier dropped when child set > - process exit > - unshare call that drops a net namespace > - setns call that drops a net namespace > > Please see the github audit kernel issue for contid net support: > https://github.com/linux-audit/audit-kernel/issues/92 > Please see the github audit testsuiite issue for the test case: > https://github.com/linux-audit/audit-testsuite/issues/64 > Please see the github audit wiki for the feature overview: > https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > Acked-by: Neil Horman <nhorman@tuxdriver.com> > Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com> > --- > include/linux/audit.h | 19 +++++++++++ > kernel/audit.c | 87 +++++++++++++++++++++++++++++++++++++++++++++++++-- > kernel/nsproxy.c | 4 +++ > 3 files changed, 108 insertions(+), 2 deletions(-) ... > diff --git a/kernel/audit.c b/kernel/audit.c > index 7cdb76b38966..e0c27bc39925 100644 > --- a/kernel/audit.c > +++ b/kernel/audit.c > @@ -373,6 +381,75 @@ static struct sock *audit_get_sk(const struct net *net) > return aunet->sk; > } > > +void audit_netns_contid_add(struct net *net, u64 contid) > +{ > + struct audit_net *aunet; > + struct list_head *contid_list; > + struct audit_contid *cont; > + > + if (!net) > + return; > + if (!audit_contid_valid(contid)) > + return; > + aunet = net_generic(net, audit_net_id); > + if (!aunet) > + return; > + contid_list = &aunet->contid_list; > + spin_lock(&aunet->contid_list_lock); > + list_for_each_entry_rcu(cont, contid_list, list) > + if (cont->id == contid) { > + refcount_inc(&cont->refcount); > + goto out; > + } > + cont = kmalloc(sizeof(struct audit_contid), GFP_ATOMIC); kmalloc(sizeof(*cont), GFP_ATOMIC) > + if (cont) { > + INIT_LIST_HEAD(&cont->list); > + cont->id = contid; > + refcount_set(&cont->refcount, 1); > + list_add_rcu(&cont->list, contid_list); > + } > +out: > + spin_unlock(&aunet->contid_list_lock); > +} -- paul moore www.paul-moore.com
WARNING: multiple messages have this Message-ID (diff)
From: Paul Moore <paul@paul-moore.com> To: Richard Guy Briggs <rgb@redhat.com> Cc: containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List <linux-audit@redhat.com>, linux-fsdevel@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, sgrubb@redhat.com, omosnace@redhat.com, dhowells@redhat.com, simo@redhat.com, Eric Paris <eparis@parisplace.org>, Serge Hallyn <serge@hallyn.com>, ebiederm@xmission.com, nhorman@tuxdriver.com, Dan Walsh <dwalsh@redhat.com>, mpatel@redhat.com Subject: Re: [PATCH ghak90 V7 12/21] audit: add support for containerid to network namespaces Date: Thu, 10 Oct 2019 20:39:35 -0400 [thread overview] Message-ID: <CAHC9VhRgOTfZzzv+NxxH3D3FN-2A=cd2h1+oDc2cabLhzi4gfQ@mail.gmail.com> (raw) In-Reply-To: <91315ac64b44bcad9dfc623fa7fefe67d7d2561b.1568834524.git.rgb@redhat.com> On Wed, Sep 18, 2019 at 9:26 PM Richard Guy Briggs <rgb@redhat.com> wrote: > Audit events could happen in a network namespace outside of a task > context due to packets received from the net that trigger an auditing > rule prior to being associated with a running task. The network > namespace could be in use by multiple containers by association to the > tasks in that network namespace. We still want a way to attribute > these events to any potential containers. Keep a list per network > namespace to track these audit container identifiiers. > > Add/increment the audit container identifier on: > - initial setting of the audit container identifier via /proc > - clone/fork call that inherits an audit container identifier > - unshare call that inherits an audit container identifier > - setns call that inherits an audit container identifier > Delete/decrement the audit container identifier on: > - an inherited audit container identifier dropped when child set > - process exit > - unshare call that drops a net namespace > - setns call that drops a net namespace > > Please see the github audit kernel issue for contid net support: > https://github.com/linux-audit/audit-kernel/issues/92 > Please see the github audit testsuiite issue for the test case: > https://github.com/linux-audit/audit-testsuite/issues/64 > Please see the github audit wiki for the feature overview: > https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID > Signed-off-by: Richard Guy Briggs <rgb@redhat.com> > Acked-by: Neil Horman <nhorman@tuxdriver.com> > Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com> > --- > include/linux/audit.h | 19 +++++++++++ > kernel/audit.c | 87 +++++++++++++++++++++++++++++++++++++++++++++++++-- > kernel/nsproxy.c | 4 +++ > 3 files changed, 108 insertions(+), 2 deletions(-) ... > diff --git a/kernel/audit.c b/kernel/audit.c > index 7cdb76b38966..e0c27bc39925 100644 > --- a/kernel/audit.c > +++ b/kernel/audit.c > @@ -373,6 +381,75 @@ static struct sock *audit_get_sk(const struct net *net) > return aunet->sk; > } > > +void audit_netns_contid_add(struct net *net, u64 contid) > +{ > + struct audit_net *aunet; > + struct list_head *contid_list; > + struct audit_contid *cont; > + > + if (!net) > + return; > + if (!audit_contid_valid(contid)) > + return; > + aunet = net_generic(net, audit_net_id); > + if (!aunet) > + return; > + contid_list = &aunet->contid_list; > + spin_lock(&aunet->contid_list_lock); > + list_for_each_entry_rcu(cont, contid_list, list) > + if (cont->id == contid) { > + refcount_inc(&cont->refcount); > + goto out; > + } > + cont = kmalloc(sizeof(struct audit_contid), GFP_ATOMIC); kmalloc(sizeof(*cont), GFP_ATOMIC) > + if (cont) { > + INIT_LIST_HEAD(&cont->list); > + cont->id = contid; > + refcount_set(&cont->refcount, 1); > + list_add_rcu(&cont->list, contid_list); > + } > +out: > + spin_unlock(&aunet->contid_list_lock); > +}
next prev parent reply other threads:[~2019-10-11 0:39 UTC|newest] Thread overview: 98+ messages / expand[flat|nested] mbox.gz Atom feed top 2019-09-19 1:22 [PATCH ghak90 V7 00/21] audit: implement container identifier Richard Guy Briggs 2019-09-19 1:22 ` Richard Guy Briggs 2019-09-19 1:22 ` [PATCH ghak90 V7 01/21] audit: collect audit task parameters Richard Guy Briggs 2019-09-19 1:22 ` [PATCH ghak90 V7 02/21] audit: add container id Richard Guy Briggs 2019-09-19 1:22 ` [PATCH ghak90 V7 03/21] audit: read container ID of a process Richard Guy Briggs 2019-09-19 1:22 ` [PATCH ghak90 V7 04/21] audit: convert to contid list to check for orch/engine ownership Richard Guy Briggs 2019-09-26 14:46 ` Neil Horman 2019-10-25 20:00 ` Richard Guy Briggs 2019-10-25 20:00 ` Richard Guy Briggs 2019-10-28 12:20 ` Neil Horman 2019-10-11 0:38 ` Paul Moore 2019-10-25 21:00 ` Richard Guy Briggs 2019-11-08 18:26 ` Paul Moore 2019-09-19 1:22 ` [PATCH ghak90 V7 05/21] audit: log drop of contid on exit of last task Richard Guy Briggs 2019-10-11 0:38 ` Paul Moore 2019-10-11 0:38 ` Paul Moore 2019-10-25 19:43 ` Richard Guy Briggs 2019-10-25 19:43 ` Richard Guy Briggs 2019-09-19 1:22 ` [PATCH ghak90 V7 06/21] audit: contid limit of 32k imposed to avoid DoS Richard Guy Briggs 2019-09-27 12:51 ` Neil Horman 2019-10-11 0:38 ` Paul Moore 2019-10-11 0:38 ` Paul Moore 2019-10-24 21:23 ` Richard Guy Briggs 2019-10-24 21:23 ` Richard Guy Briggs 2019-11-08 17:49 ` Paul Moore 2019-12-17 18:45 ` Richard Guy Briggs 2019-12-17 19:25 ` Steve Grubb 2019-12-17 19:56 ` Richard Guy Briggs 2019-12-17 19:56 ` Richard Guy Briggs 2019-10-25 20:15 ` Richard Guy Briggs 2019-09-19 1:22 ` [PATCH ghak90 V7 07/21] audit: log container info of syscalls Richard Guy Briggs 2019-09-19 1:22 ` [PATCH ghak90 V7 08/21] audit: add contid support for signalling the audit daemon Richard Guy Briggs 2019-10-11 0:39 ` Paul Moore 2019-10-11 0:39 ` Paul Moore 2019-10-25 19:20 ` Richard Guy Briggs 2019-11-08 17:41 ` Paul Moore 2019-09-19 1:22 ` [PATCH ghak90 V7 09/21] audit: add support for non-syscall auxiliary records Richard Guy Briggs 2019-09-19 1:22 ` Richard Guy Briggs 2019-09-19 1:22 ` [PATCH ghak90 V7 10/21] audit: add containerid support for user records Richard Guy Briggs 2019-09-19 1:22 ` [PATCH ghak90 V7 11/21] audit: add containerid filtering Richard Guy Briggs 2019-09-19 1:22 ` Richard Guy Briggs 2019-09-19 1:22 ` [PATCH ghak90 V7 12/21] audit: add support for containerid to network namespaces Richard Guy Briggs 2019-09-19 1:22 ` Richard Guy Briggs 2019-10-11 0:39 ` Paul Moore [this message] 2019-10-11 0:39 ` Paul Moore 2019-09-19 1:22 ` [PATCH ghak90 V7 13/21] audit: NETFILTER_PKT: record each container ID associated with a netNS Richard Guy Briggs 2019-09-19 1:22 ` Richard Guy Briggs 2019-10-11 0:39 ` Paul Moore 2019-09-19 1:22 ` [PATCH ghak90 V7 14/21] audit: contid check descendancy and nesting Richard Guy Briggs 2019-10-11 0:40 ` Paul Moore 2019-10-11 0:40 ` Paul Moore 2019-10-24 22:08 ` Richard Guy Briggs 2019-10-24 22:08 ` Richard Guy Briggs 2019-10-30 20:32 ` Paul Moore 2019-09-19 1:22 ` [PATCH ghak90 V7 15/21] sched: pull task_is_descendant into kernel/sched/core.c Richard Guy Briggs 2019-09-19 1:22 ` Richard Guy Briggs 2019-10-11 0:40 ` Paul Moore 2019-09-19 1:22 ` [PATCH ghak90 V7 16/21] audit: add support for contid set/get by netlink Richard Guy Briggs 2019-10-11 0:40 ` Paul Moore 2019-10-11 0:40 ` Paul Moore 2019-09-19 1:22 ` [PATCH ghak90 V7 17/21] audit: add support for loginuid/sessionid " Richard Guy Briggs 2019-09-19 1:22 ` Richard Guy Briggs 2019-10-11 0:40 ` Paul Moore 2019-09-19 1:22 ` [PATCH ghak90 V7 18/21] audit: track container nesting Richard Guy Briggs 2019-10-11 0:40 ` Paul Moore 2019-10-11 0:40 ` Paul Moore 2019-09-19 1:22 ` [PATCH ghak90 V7 19/21] audit: check cont depth Richard Guy Briggs 2019-09-19 1:22 ` [PATCH ghak90 V7 20/21] audit: add capcontid to set contid outside init_user_ns Richard Guy Briggs 2019-10-19 1:39 ` Richard Guy Briggs 2019-10-19 1:39 ` Richard Guy Briggs 2019-10-21 19:53 ` Paul Moore 2019-10-21 21:38 ` Richard Guy Briggs 2019-10-21 21:38 ` Richard Guy Briggs 2019-10-21 21:43 ` Paul Moore 2019-10-21 23:57 ` Richard Guy Briggs 2019-10-21 23:57 ` Richard Guy Briggs 2019-10-22 0:31 ` Paul Moore 2019-10-22 12:13 ` Neil Horman 2019-10-22 14:04 ` Paul Moore 2019-10-22 20:06 ` Richard Guy Briggs 2019-10-22 20:06 ` Richard Guy Briggs 2019-10-22 14:27 ` Richard Guy Briggs 2019-10-22 14:27 ` Richard Guy Briggs 2019-10-22 14:34 ` Paul Moore 2019-10-24 21:00 ` Richard Guy Briggs 2019-10-30 20:27 ` Paul Moore 2019-10-30 22:03 ` Richard Guy Briggs 2019-10-30 22:03 ` Richard Guy Briggs 2019-10-31 13:59 ` Paul Moore 2019-10-31 14:50 ` Steve Grubb 2019-10-31 23:37 ` Paul Moore 2019-11-01 1:02 ` Duncan Roe 2019-11-01 15:09 ` Richard Guy Briggs 2019-11-01 15:09 ` Richard Guy Briggs 2019-11-01 15:13 ` Steve Grubb 2019-11-01 15:21 ` Richard Guy Briggs 2019-11-01 16:22 ` Paul Moore 2019-09-19 1:22 ` [PATCH ghak90 V7 21/21] audit: add proc interface for capcontid Richard Guy Briggs
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to='CAHC9VhRgOTfZzzv+NxxH3D3FN-2A=cd2h1+oDc2cabLhzi4gfQ@mail.gmail.com' \ --to=paul@paul-moore.com \ --cc=containers@lists.linux-foundation.org \ --cc=dhowells@redhat.com \ --cc=dwalsh@redhat.com \ --cc=ebiederm@xmission.com \ --cc=eparis@parisplace.org \ --cc=linux-api@vger.kernel.org \ --cc=linux-audit@redhat.com \ --cc=linux-fsdevel@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=mpatel@redhat.com \ --cc=netdev@vger.kernel.org \ --cc=netfilter-devel@vger.kernel.org \ --cc=nhorman@tuxdriver.com \ --cc=omosnace@redhat.com \ --cc=rgb@redhat.com \ --cc=serge@hallyn.com \ --cc=sgrubb@redhat.com \ --cc=simo@redhat.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.