From: Richard Guy Briggs
To: Paul Moore
Cc: nhorman@tuxdriver.com, linux-api@vger.kernel.org,
 containers@lists.linux-foundation.org, LKML, dhowells@redhat.com,
 linux-audit@redhat.com, netfilter-devel@vger.kernel.org,
 ebiederm@xmission.com, simo@redhat.com, netdev@vger.kernel.org,
 linux-fsdevel@vger.kernel.org, Eric Paris, mpatel@redhat.com, Serge Hallyn
Subject: Re: [PATCH ghak90 V8 07/16] audit: add contid support for signalling the audit daemon
Date: Thu, 19 Mar 2020 17:47:59 -0400
Message-ID: <20200319214759.qgxt2sfkmd6srdol@madcap2.tricolour.ca>
References: <20200204231454.oxa7pyvuxbj466fj@madcap2.tricolour.ca>
 <3142237.YMNxv0uec1@x2>
 <20200312202733.7kli64zsnqc4mrd2@madcap2.tricolour.ca>
 <20200313192306.wxey3wn2h4htpccm@madcap2.tricolour.ca>
 <20200318214154.ycxy5dl4pxno6fvi@madcap2.tricolour.ca>
List-Id: Linux Audit Discussion

On 2020-03-18 17:47, Paul Moore wrote:
> On Wed, Mar 18, 2020 at 5:42 PM Richard Guy Briggs wrote:
> > On 2020-03-18 17:01, Paul Moore wrote:
> > > On Fri, Mar 13, 2020 at 3:23 PM Richard Guy Briggs wrote:
> > > > On 2020-03-13 12:42, Paul Moore wrote:
> > >
> > > ...
> > >
> > > > > The thread has had a lot of starts/stops, so I may be repeating a
> > > > > previous suggestion, but one idea would be to still emit a "death
> > > > > record" when the final task in the audit container ID does die, but
> > > > > block the particular audit container ID from reuse until the
> > > > > SIGNAL2 info has been reported.  This gives us the timely ACID death
> > > > > notification while still preventing confusion and ambiguity caused by
> > > > > potentially reusing the ACID before the SIGNAL2 record has been sent;
> > > > > there is a small nit about the ACID being present in the SIGNAL2
> > > > > *after* its death, but I think that can be easily explained and
> > > > > understood by admins.
> > > >
> > > > Thinking quickly about possible technical solutions to this, maybe it
> > > > makes sense to have two counters on a contobj so that we know when the
> > > > last process in that container exits and can issue the death
> > > > certificate, but we still block reuse of it until all further references
> > > > to it have been resolved.  This will likely also make it possible to
> > > > report the full contid chain in SIGNAL2 records.  This will eliminate
> > > > some of the issues we are discussing with regards to passing a contobj
> > > > vs a contid to the audit_log_contid function, but won't eliminate them
> > > > all because there are still some contids that won't have an object
> > > > associated with them to make it impossible to look them up in the
> > > > contobj lists.
> > >
> > > I'm not sure you need a full second counter, I imagine a simple flag
> > > would be okay.  I think you just need something to indicate that this
> > > ACID object is marked as "dead" but is still being held for sanity
> > > reasons and should not be reused.
> >
> > Ok, I see your point.  This refcount can be changed to a flag easily
> > enough without change to the api if we can be sure that more than one
> > signal can't be delivered to the audit daemon *and* collected by sig2.
> > I'll have a more careful look at the audit daemon code to see if I can
> > determine this.
>
> Maybe I'm not understanding your concern, but this isn't really
> different than any of the other things we track for the auditd signal
> sender, right?  If we are worried about multiple signals being sent
> then it applies to everything, not just the audit container ID.

Yes, you are right.  In all other cases the information is simply
overwritten.  In the case of the audit container identifier any previous
value is put before a new one is referenced, so only the last signal is
kept.  So, we only need a flag.  Does a flag implemented with an
rcu-protected refcount sound reasonable to you?

> > Another question that occurs to me is: what if the audit daemon is sent
> > a signal and it cannot or will not collect the sig2 information from the
> > kernel (SIGKILL?)?  Does that audit container identifier remain dead
> > until reboot, or do we institute some other form of reaping, possibly
> > time-based?
>
> In order to preserve the integrity of the audit log that ACID value
> would need to remain unavailable until the ACID which contains the
> associated auditd is "dead" (no one can request the signal sender's
> info if that container is dead).

I don't understand why it would be associated with the contid of the
audit daemon process rather than with the audit daemon process itself.
How does the signal collection somehow get transferred or delegated to
another member of that audit daemon's container?

Thinking aloud here, the audit daemon's exit when it calls audit_free()
needs to ..._put_sig and cancel that audit_sig_cid (which in the future
will be allocated per auditd rather than the global it is now since there
is only one audit daemon).

> paul moore

- RGB

--
Richard Guy Briggs
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
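The lifecycle argued over in this message (emit the death record as soon as the last task leaves the container, but refuse to hand the identifier out again until the auditd signal-sender reference has been put) as an added user-space model. This is example code written for this page, not code from the ghak90 series or the kernel: the struct layout, the names contid_set, contid_task_exit, audit_signal_info_capture, audit_signal_info_release and the "death" record string are all invented for the model, and the RCU protection Richard mentions is left out entirely.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed user-space model of the contobj lifecycle discussed above; not
 * kernel code, all names invented, RCU/locking left out.  tasks = live tasks
 * carrying the contid, refs = non-task holders (the auditd signal-sender
 * info), dead = the death record was already emitted. */
#define NR_CONTOBJ 4

struct contobj {
	unsigned long long id;
	unsigned int tasks, refs;
	bool dead, allocated;
};

static struct contobj table[NR_CONTOBJ];
static struct contobj *audit_sig_cid;	/* one slot: only the last signal is kept */
static char last_record[64];		/* last record "emitted" by the model */

const char *audit_last(void) { return last_record; }

/* Drop a non-task reference; a dead, unreferenced object is freed. */
static void contobj_put(struct contobj *obj)
{
	if (obj->refs && !--obj->refs && obj->dead)
		memset(obj, 0, sizeof(*obj));	/* slot and contid reusable */
}

/* A task takes contid @id; NULL if the id is held as dead or no slot is free. */
struct contobj *contid_set(unsigned long long id)
{
	struct contobj *o, *slot = NULL;
	for (o = table; o < table + NR_CONTOBJ; o++) {
		if (!o->allocated) {
			slot = slot ? slot : o;
		} else if (o->id == id) {
			if (o->dead)
				return NULL;	/* death record sent, SIGNAL2 pending */
			o->tasks++;
			return o;
		}
	}
	if (slot) {
		slot->allocated = true;
		slot->id = id;
		slot->tasks = 1;
	}
	return slot;
}

/* A task carrying this contid exits. */
void contid_task_exit(struct contobj *obj)
{
	if (!obj->tasks || --obj->tasks)
		return;
	snprintf(last_record, sizeof(last_record), "type=death contid=%llu", obj->id);
	obj->dead = true;	/* the record is timely, but the id stays blocked */
	if (!obj->refs)
		memset(obj, 0, sizeof(*obj));
}

/* A task in @obj's container signalled auditd: remember the sender's contid. */
void audit_signal_info_capture(struct contobj *obj)
{
	if (audit_sig_cid)
		contobj_put(audit_sig_cid);	/* previous value is put first */
	audit_sig_cid = obj;
	obj->refs++;
}

/* auditd fetched SIGNAL2 (the thread argues auditd's exit path must do this too). */
void audit_signal_info_release(void)
{
	if (audit_sig_cid)
		contobj_put(audit_sig_cid);
	audit_sig_cid = NULL;
}

/* The scenario from the thread; returns 0 when every step behaved as described. */
int run_scenario(void)
{
	struct contobj *c = contid_set(42);
	audit_signal_info_capture(c);	/* a task in 42 signals auditd */
	contid_task_exit(c);		/* last task exits: death record now */
	if (!c->dead || !c->allocated || strcmp(audit_last(), "type=death contid=42"))
		return 1;
	if (contid_set(42))		/* reuse blocked while SIGNAL2 pending */
		return 2;
	audit_signal_info_release();	/* auditd collects SIGNAL2 */
	if (c->allocated)		/* last reference dropped, slot freed */
		return 3;
	c = contid_set(42);		/* contid usable again, fresh object */
	return (c && !c->dead && c->tasks == 1) ? 0 : 4;
}

int main(void) { return run_scenario(); }	/* exit status 0 when the model behaves */
```

The model also makes the SIGKILL question concrete: if audit_signal_info_release() is never called (auditd killed before it fetches SIGNAL2, and nothing puts the reference when the daemon exits), contid_set(42) keeps returning NULL, which is the "remains dead until reboot" outcome raised above and the reason the message argues that the daemon's exit path must put audit_sig_cid.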