Thread: 81 messages, 8 authors, 2019-07-18

Re: [PATCH ghak90 V6 09/10] audit: add support for containerid to network namespaces

From: Richard Guy Briggs <hidden>
Date: 2019-05-30 14:17:12
Also in: linux-fsdevel, lkml, netdev, netfilter-devel

On 2019-05-29 18:17, Paul Moore wrote:
On Mon, Apr 8, 2019 at 11:41 PM Richard Guy Briggs [off-list ref] wrote:
Audit events could happen in a network namespace outside of a task
context due to packets received from the net that trigger an auditing
rule prior to being associated with a running task.  The network
namespace could be in use by multiple containers by association to the
tasks in that network namespace.  We still want a way to attribute
these events to any potential containers.  Keep a list per network
namespace to track these audit container identifiers.

Add/increment the audit container identifier on:
- initial setting of the audit container identifier via /proc
- clone/fork call that inherits an audit container identifier
- unshare call that inherits an audit container identifier
- setns call that inherits an audit container identifier
Delete/decrement the audit container identifier on:
- an inherited audit container identifier dropped when child set
- process exit
- unshare call that drops a net namespace
- setns call that drops a net namespace

Please see the github audit kernel issue for contid net support:
  https://github.com/linux-audit/audit-kernel/issues/92
Please see the github audit testsuite issue for the test case:
  https://github.com/linux-audit/audit-testsuite/issues/64
Please see the github audit wiki for the feature overview:
  https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Signed-off-by: Richard Guy Briggs <redacted>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 include/linux/audit.h | 19 +++++++++++
 kernel/audit.c        | 88 +++++++++++++++++++++++++++++++++++++++++++++++++--
 kernel/nsproxy.c      |  4 +++
 3 files changed, 108 insertions(+), 3 deletions(-)
...
diff --git a/kernel/audit.c b/kernel/audit.c
index 6c742da66b32..996213591617 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -376,6 +384,75 @@ static struct sock *audit_get_sk(const struct net *net)
        return aunet->sk;
 }

+void audit_netns_contid_add(struct net *net, u64 contid)
+{
+       struct audit_net *aunet;
+       struct list_head *contid_list;
+       struct audit_contid *cont;
+
+       if (!net)
+               return;
+       if (!audit_contid_valid(contid))
+               return;
+       aunet = net_generic(net, audit_net_id);
+       if (!aunet)
+               return;
+       contid_list = &aunet->contid_list;
+       spin_lock(&aunet->contid_list_lock);
+       list_for_each_entry_rcu(cont, contid_list, list)
+               if (cont->id == contid) {
+                       refcount_inc(&cont->refcount);
+                       goto out;
+               }
+       cont = kmalloc(sizeof(struct audit_contid), GFP_ATOMIC);
+       if (cont) {
+               INIT_LIST_HEAD(&cont->list);
I thought you were going to get rid of this INIT_LIST_HEAD() call?
I was intending to, and then Neil weighed in with this opinion:

	https://www.redhat.com/archives/linux-audit/2019-April/msg00014.html

If you feel that isn't important, please remove it.
+               cont->id = contid;
+               refcount_set(&cont->refcount, 1);
+               list_add_rcu(&cont->list, contid_list);
+       }
+out:
+       spin_unlock(&aunet->contid_list_lock);
+}
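Review bot: when the allocation at `cont = kmalloc(sizeof(struct audit_contid), GFP_ATOMIC);` fails, audit_netns_contid_add() falls through to `out:` and returns with the container identifier never recorded, and because the function returns void none of the callers listed in the commit message (the /proc setter, clone, unshare, setns) can tell that the id is not being tracked, so later network-namespace audit records would silently omit that container; consider returning an error from this function, or at least accounting for the drop through the audit lost-record path, so the failure is visible to the caller or the admin. As a smaller style point, the lookup loop runs under `contid_list_lock`, which is the writer side of this list, so plain list_for_each_entry() is the conventional choice there, with list_for_each_entry_rcu() reserved for readers that walk the list under rcu_read_lock().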
--
paul moore
www.paul-moore.com
- RGB

--
Richard Guy Briggs [off-list ref]
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635