From: Mr Dash Four <mr.dash.four@googlemail.com>
To: Jan Engelhardt <jengelh@medozas.de>
Cc: Netfilter Developer Mailing List
<netfilter-devel@vger.kernel.org>,
hch@infradead.org
Subject: Re: xt_AUDIT additions
Date: Fri, 01 Jul 2011 12:31:52 +0100 [thread overview]
Message-ID: <4E0DB027.3000309@googlemail.com> (raw)
In-Reply-To: <alpine.LNX.2.01.1107011005060.7813@frira.zrqbmnf.qr>
> xt_owner did the same - it scanned the process table. According to
> Christoph Hellwig, this was declared as some gross abuse, and, IIRC, the
> reason was something like the tasklist lock was held "quite long" (which
> makes sense).
Yep, it is the reason I was very reluctant to use this approach and seek
to find another, more "efficient" way.
> However, xt_owner did not held the tasklist [write] lock,
> just entered a RCU read section. hch: Was this RCU section also too
> long?
>
> xt_owner had the bonus that it only had to check whether the socket was
> owned by a particular user/group/pid/sid, which means it can stop
> looping the tasklist as soon as it found a match.
>
I'll have a look at the xt_owner code later to see if there is something
I could use/learn.
> But with xt_AUDIT, you would have to traverse the entire list, because
> you would want to find all PIDs - since a socket may be shared between
> multiple threads/processes - which in itself may generate a huge list
> (=another problem) in the audit records.
>
Isn't there a more efficient solution to this? The thought of scanning
the task list to find ids for a single packet makes my head hurt!
> Also, the PID owner may not be the socket owner for the same reason.
>
That's where auid comes in - it determines, unequivocally, the "root"
process owner.
For example: if I log in as root and start a process, which then uses
another id (say process squid using user id _squid), which spawns
further processes under the same id, the "normal" uid (i.e. the
information of the socket "owner") is probably going to show me uid =
_squid, but the auid will show "root" as this is the "root" session
which started all sub-processes and I suspect was one of the reasons
auid was introduced in the first place - to remove this ambiguity.
next prev parent reply other threads:[~2011-07-01 11:32 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-06-30 22:42 xt_AUDIT additions Mr Dash Four
2011-07-01 8:12 ` Jan Engelhardt
2011-07-01 11:31 ` Mr Dash Four [this message]
2011-07-02 2:25 ` Mr Dash Four
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4E0DB027.3000309@googlemail.com \
--to=mr.dash.four@googlemail.com \
--cc=hch@infradead.org \
--cc=jengelh@medozas.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).