[PATCH] audit: listen in all network namespaces

Richard Guy Briggs rgb at redhat.com
Fri Jul 19 21:15:17 UTC 2013


On Wed, Jul 17, 2013 at 11:54:21AM +0800, Gao feng wrote:
> Hi, Richard
> 
> On 07/17/2013 04:32 AM, Richard Guy Briggs wrote:
> > Convert audit from only listening in init_net to use register_pernet_subsys()
> > to dynamically manage the netlink socket list.
> > 
> > Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
> > ---
> 
> Right now audit still can't be used in an uninit pid/user namespace.
> Consider this: when a user in an uninit pid/user namespace is allowed
> to set up/run the audit subsystem, since the kernel thread always runs
> in the init pid namespace, we can't get the right net namespace through
> get_net_ns_by_pid. The audit information will be sent to the incorrect
> net namespace by the kernel thread.
> 
> In my opinion, this patch is limited and not extensible.
> 
> Maybe you should check the patchset "[Part1 PATCH 00/22] Add namespace support for audit"
> I sent on 06/19/2013. In my solution, the audit kernel-side netlink sockets belong
> to the user namespace, and the user-space audit netlink sockets will find the audit
> kernel socket through current_net_ns()->user_ns->audit.sock.

I already looked at your 48-patch and 22-patch sets and the threads of
comments.  The concerns expressed in that thread haven't been fully
addressed yet by you.

> The "[PATCH 04/22] netlink: Add compare function for netlink_table" of this patchset
> has been merged into the Linux mainline. I think if you look at my patchset, you will find
> that [PATCH 03/22] and [PATCH 05/22] achieve the same aim as your patch.

I don't have any specific issues with patch 04/22.

For patch 05/22, I would have just stopped with comparing the two net
namespace pointers.

As for patch 03/22...

The init user namespace doesn't have a one-to-one mapping to network
namespace, so this won't solve the problem I was trying to solve.

In the initial user namespace, I can have as many network namespaces as
I want.  I want kaudit to listen in all of them.  There is already a
conservative check to make sure that audit won't permit changes from
any non-initial user namespace (or pid space):
kernel/audit.c:583:audit_netlink_ok():
        if ((current_user_ns() != &init_user_ns) ||
            (task_active_pid_ns(current) != &init_pid_ns))
                return -EPERM;
This check needs to be revisited to allow some loosening of this policy,
but it was sound to start off too restrictive.
(https://bugzilla.redhat.com/show_bug.cgi?id=947530)

The certification issues surrounding non-initial user namespaces haven't
been adequately resolved yet, not having yet seen a follow-up patchset,
so we can combine these ideas once those issues have been addressed.

I agree we will need to be careful how the specific target socket and
portid are selected once we end up in other pid namespaces.  For now,
are there specific concerns with this patch or better ways to
future-proof the selection of kaudit sockets and portids?

> Thanks!

- RGB

--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer
Kernel Security
AMER ENG Base Operating Systems
Remote, Ottawa, Canada
Voice: +1.647.777.2635
Internal: (81) 32635
Alt: +1.613.693.0684x3545
