[userspace PATCH v2 0/2] Add support for loginuid_set

Paul Moore pmoore at redhat.com
Mon Oct 17 21:19:59 UTC 2016


On Mon, Oct 17, 2016 at 11:40 AM, Richard Guy Briggs <rgb at redhat.com> wrote:
> On 2016-10-11 18:15, Paul Moore wrote:
>> Looking back through the git logs, it looks like it originally came
>> out of the user namespace work by Eric Biederman.
>
> That's exactly where it came from.  Eric submitted the patch 780a7654 to
> fix the regression caused by e1760bd (userns: Convert the audit loginuid
> to be a kuid) and its set of 9 patches that were part of a 41-patch set.
> I notice Paul was Cc:-ed on that set...

I don't have the time to dig through my mail to see what all was
included in that patchset, but based on the git log that patch was
from April 2013 and I didn't become responsible for the audit code
until October 2014.  I also don't see my Acked-by/Reviewed-by tag on
that commit so it is safe to say I was busy with other things at the
time.  There are plenty of things you can blame me for, this ain't one
of 'em.

> I had to work around the work
> around when Steve reported the "f24=..." values.
>
> I can accept that Steve doesn't want to add more ways of doing the same
> thing, so I don't have an easy answer in terms of AUDIT_LOGINUID_SET
> being exposed in the UAPI.
>
> Since sessionid is a new field for filter specification (but not
> reporting and searching), I blocked sessionid==-1 in the api for setting
> filters.  This unfortunately makes it a different way to specify it than
> loginuid when it is not set.

We are not going to change the loginuid related mechanisms at this
point; they aren't causing any breakage, and I don't want to break the
existing kernel/user API without a good reason.

We haven't merged any of the session ID code into the kernel so
changes are still possible.  The logic for supporting loginuid_set
(UID namespace issues) doesn't really apply to session IDs so I think we
can drop the sessionid_set part of the API and just use the -1
sentinel.  If you are all still looking to blame somebody, you can all
blame me for suggesting session ID to Richard.

Richard, if we use -1 as a magic number for the session ID, we should
make sure we roll the session ID value assigned to new sessions before
we hit -1 in audit_set_loginuid(...).

-- 
paul moore
security @ redhat
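The rollover Paul asks for in his last paragraph, sketched as an added example: this is not code from the thread or from the kernel, and the sentinel macro, the single-threaded counter and the function names are all assumptions made here to illustrate the point.

```c
#include <stdio.h>

/* Assumed sentinel: an unsigned session ID of (unsigned int)-1 means "not set",
 * mirroring the -1 convention discussed in the thread. */
#define SESSION_UNSET ((unsigned int)-1)

/* Constructed allocator state; the kernel's real (atomic) counter is not modelled. */
static unsigned int next_sessionid = 0;

/* Test hook: position the counter, e.g. just below the sentinel. */
void set_next_sessionid(unsigned int v)
{
    next_sessionid = v;
}

/* Roll the counter past the sentinel so it is never handed out as a real ID. */
static unsigned int skip_sentinel(unsigned int v)
{
    return v == SESSION_UNSET ? 0 : v;
}

/* Hand out the next session ID; a freshly set session can never equal SESSION_UNSET. */
unsigned int alloc_sessionid(void)
{
    unsigned int id = skip_sentinel(next_sessionid);
    next_sessionid = skip_sentinel(id + 1);
    return id;
}

/* Filter side: reject a rule that tries to match the sentinel value itself,
 * as Richard describes doing for sessionid==-1 when filters are set. */
int sessionid_filter_value_ok(unsigned int v)
{
    return v != SESSION_UNSET;
}

int main(void)
{
    set_next_sessionid(SESSION_UNSET - 1);
    printf("%u\n", alloc_sessionid());   /* 4294967294 */
    printf("%u\n", alloc_sessionid());   /* 0, sentinel skipped */
    printf("%d\n", sessionid_filter_value_ok(SESSION_UNSET)); /* 0 */
    return 0;
}
```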
