Re: [RFC PATCH ghak90 (was ghak32) V3 07/10] audit: add support for containerid to network namespaces

On 2018-07-20 18:14, Paul Moore wrote: > On Wed, Jun 6, 2018 at 1:03 PM Richard Guy Briggs <rgb(a)redhat.com&gt; wrote: > > Audit events could happen in a network namespace outside of a task > > context due to packets received from the net that trigger an auditing > > rule prior to being associated with a running task. The network > > namespace could in use by multiple containers by association to the > > tasks in that network namespace. We still want a way to attribute > > these events to any potential containers. Keep a list per network > > namespace to track these audit container identifiiers. > > > > Add/increment the audit container identifier on: > > - initial setting of the audit container identifier via /proc > > - clone/fork call that inherits an audit container identifier > > - unshare call that inherits an audit container identifier > > - setns call that inherits an audit container identifier > > Delete/decrement the audit container identifier on: > > - an inherited audit container identifier dropped when child set > > - process exit > > - unshare call that drops a net namespace > > - setns call that drops a net namespace > > > > See: https://github.com/linux-audit/audit-kernel/issues/92 > > See: https://github.com/linux-audit/audit-testsuite/issues/64 > > See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID > > Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com&gt; > > --- > > include/linux/audit.h | 23 ++++++++++++++++ > > kernel/audit.c | 72 +++++++++++++++++++++++++++++++++++++++++++++++++++ > > kernel/auditsc.c | 5 ++++ > > kernel/nsproxy.c | 4 +++ > > 4 files changed, 104 insertions(+)

> > + } > > + if (!found) > > + return; > > + list_del(&cont->list); > > + if (refcount_dec_and_test(&cont->refcount)) > > + kfree(cont); > > Don't you want to dec_and_test first and only remove it from the list > if there are no other references? I don't think so. Let me try to describe it in prose to see if I understood this properly and see if this makes more sense: I want to remove this audit_contid list member from this net's audit_contid list and decrement unconditionally this member's refcount so it knows there is one less thing pointing at it and when there is no longer anything pointing at it, free it.