From: Eric Paris <eparis-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
To: Gao feng <gaofeng-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
	Serge Hallyn
	<serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>,
	linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
	ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org,
	davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org
Subject: Re: [PATCH RFC 00/48] Add namespace support for audit
Date: Tue, 11 Jun 2013 09:49:57 -0400	[thread overview]
Message-ID: <1370958597.29545.11.camel@localhost> (raw)
In-Reply-To: <51B6BCBE.7060608-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>

On Tue, 2013-06-11 at 13:59 +0800, Gao feng wrote:
> On 06/11/2013 05:24 AM, Serge E. Hallyn wrote:
> > Quoting Gao feng (gaofeng-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org):
> >> On 06/07/2013 06:47 AM, Serge Hallyn wrote:
> >>> Quoting Serge Hallyn (serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org):
> >>>> Quoting Gao feng (gaofeng-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org):
> >>>>> On 05/07/2013 10:20 AM, Gao feng wrote:

> In my opinion, the audit rules (inode, tree_list, filter), some of the audit
> controller related resources (enabled, pid, portid...), the skb queue, the audit
> netlink sockets and the kauditd thread should be per-userns. The audit user messages
> generated by the user in a container should be per-userns too.
> 
> Since netns is not implemented as a hierarchy, and the network related
> resources are not global, network related audit messages should be per-userns too.
> 
> The security related audit messages should be sent to the init user namespace
> as we discussed before. Maybe tty related audit messages should be sent
> to the init user namespace too, I have no idea now.
> 
> The next step, I will post a new patchset which only makes the audit user
> messages and the basic audit resources per userns. I think this patchset
> will be easy to review and accept, and will not influence the host.
> This patchset contains the below patches:

I think this would be easier for us to do from a certification and
documentation PoV if we had an audit namespace, not tied to the user
namespace.  Creating a new audit namespace should require
CAP_AUDIT_CONTROL in the user namespace which created the current audit
namespace.

Does that make sense?  I don't mind messages staying completely inside
the current namespace, but that means we can't give unpriv users (even
if they have priv in their user namespace) a new audit namespace...
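The creation rule proposed above, as an added userspace model written for this page (not kernel code and not part of the patchset): the structs user_ns/audit_ns/task, capable_in() and create_audit_ns() are hypothetical stand-ins for the kernel's namespace structures and ns_capable(). It shows why a task holding CAP_AUDIT_CONTROL only in its own user namespace is refused while its current audit namespace is owned by init_user_ns, which is the consequence the last paragraph points at.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model of the rule proposed above, not kernel code: creating a
 * new audit namespace requires CAP_AUDIT_CONTROL in the user namespace that
 * created the caller's *current* audit namespace. */
struct user_ns  { const char *name; struct user_ns *parent; };
struct audit_ns { const char *name; struct user_ns *owner; }; /* owner: creator's user ns */
struct task {
    struct user_ns  *user_ns;   /* user ns the task runs in */
    struct audit_ns *audit_ns;  /* audit ns the task is currently in */
    bool cap_audit_control;     /* holds CAP_AUDIT_CONTROL in its own user ns */
};

/* Simplified stand-in for ns_capable(): a capability held in a user ns also
 * applies to every descendant user ns, but never to an ancestor. */
static bool capable_in(const struct task *t, const struct user_ns *target)
{
    if (!t->cap_audit_control)
        return false;
    for (const struct user_ns *u = target; u; u = u->parent)
        if (u == t->user_ns)
            return true;
    return false;
}

/* The proposed check: capable in the user ns that created the current audit ns? */
bool may_create_audit_ns(const struct task *t) { return capable_in(t, t->audit_ns->owner); }

/* Returns the new audit ns, or NULL where the kernel would return -EPERM. */
struct audit_ns *create_audit_ns(struct task *t, struct audit_ns *slot, const char *name)
{
    if (!may_create_audit_ns(t))
        return NULL;
    slot->name = name;
    slot->owner = t->user_ns;   /* the new audit ns is owned by the creator's user ns */
    t->audit_ns = slot;
    return slot;
}

int main(void)
{
    /* constructed scenario: one container user ns under init_user_ns */
    struct user_ns init_u = { "init_user_ns", NULL }, ctr_u = { "container_user_ns", &init_u };
    struct audit_ns init_a = { "init_audit_ns", &init_u }, new_a;
    struct task host_root = { &init_u, &init_a, true };  /* CAP_AUDIT_CONTROL in init_user_ns */
    struct task ctr_root  = { &ctr_u,  &init_a, true };  /* "root" of its user ns, still in init audit ns */
    printf("host root: %s\n", create_audit_ns(&host_root, &new_a, "audit_ns_1") ? "allowed" : "EPERM");
    printf("container root: %s\n", may_create_audit_ns(&ctr_root) ? "allowed" : "EPERM");
    return 0;
}
```

Because the owner of a newly created audit namespace is the creator's user namespace, and the creator had to be capable in the previous owner, ownership under this rule never moves down the user namespace tree, so the container root stays refused even after being placed in an audit namespace the host created.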
