From: Serge Hallyn <serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>
To: Gao feng <gaofeng-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
eparis-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org,
davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org
Subject: Re: [PATCH RFC 00/48] Add namespace support for audit
Date: Thu, 6 Jun 2013 16:52:55 -0500 [thread overview]
Message-ID: <20130606215255.GA28978@tp> (raw)
In-Reply-To: <519B3B4E.1070405-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
Quoting Gao feng (gaofeng-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org):
> On 05/07/2013 10:20 AM, Gao feng wrote:
> > This patchset try to add namespace support for audit.
> >
> > I choose to assign audit to the user namespace.
> > Right now,there are six kinds of namespaces, such as
> > net, mount, ipc, pid, uts and user. the first five
> > namespaces have special usage. the audit isn't suitable to
> > belong to these five namespaces, so the user namespace
> > may be the best choice.
> >
> > Through I decide to make audit related resources per user
> > namespace, but audit uses netlink to communicate between kernel
> > space and user space, and the netlink is a private resource
> > of per net namespace. So we need the capability to allow the
> > netlink sockets to communicate with each other in the same user
> > namespace even they are in different net namespace. [PATCH 2/48]
> > does this job, it adds a new function "compare" for per netlink
> > table to compare two sockets. it means the netlink protocols can
> > has its own compare fuction, For other protocols, two netlink
> > sockets are different if they belong to the different net namespace.
> > For audit protocol, two sockets can be the same even they in different
> > net namespace,we use user namespace not net namespace to make the
> > decision.
> >
> > There is one point that some people may dislike,in [PATCH 1/48],
> > the kernel side audit netlink socket is created only when we create
> > the first netns for the userns, and this userns will hold the netns
> > until we destroy this userns.
> >
> > The other patches just make the audit related resources per
> > user namespace.
> >
> > This patchset is sent as an RFC,any comments are welcome.
Hi,
thanks for sending this. I think you need to ping the selinux folks
for comment though. It appears to me that, after this patchset, the
kernel with CONFIG_USER_NS=y could not be LSPP-compliant, because
the selinux-generated audit messages do not always go to init_user_ns.
Additionally, the only type of namespacing selinux wants is where it
is enforced by policy compiler and installer using typenames - i.e.
'container1.user_t' vs 'user_t'. Selinux does not want user namespaces
to affect selinux enforcement at all. (at least last I knew, several
years ago at a mini-summit, I believe this was from Stephen Smalley).
I think it's good to have userspace-generated audit messages (i.e.
auditctl -m 'hi there') sent to the same user namespace. But the
selinux messages, near as I can tell, need to all go to init_user_ns.
thanks,
-serge
WARNING: multiple messages have this Message-ID (diff)
From: Serge Hallyn <serge.hallyn@ubuntu.com>
To: Gao feng <gaofeng@cn.fujitsu.com>
Cc: containers@lists.linux-foundation.org,
linux-kernel@vger.kernel.org, eparis@redhat.com,
linux-audit@redhat.com, ebiederm@xmission.com,
davem@davemloft.net
Subject: Re: [PATCH RFC 00/48] Add namespace support for audit
Date: Thu, 6 Jun 2013 16:52:55 -0500 [thread overview]
Message-ID: <20130606215255.GA28978@tp> (raw)
In-Reply-To: <519B3B4E.1070405@cn.fujitsu.com>
Quoting Gao feng (gaofeng@cn.fujitsu.com):
> On 05/07/2013 10:20 AM, Gao feng wrote:
> > This patchset try to add namespace support for audit.
> >
> > I choose to assign audit to the user namespace.
> > Right now,there are six kinds of namespaces, such as
> > net, mount, ipc, pid, uts and user. the first five
> > namespaces have special usage. the audit isn't suitable to
> > belong to these five namespaces, so the user namespace
> > may be the best choice.
> >
> > Through I decide to make audit related resources per user
> > namespace, but audit uses netlink to communicate between kernel
> > space and user space, and the netlink is a private resource
> > of per net namespace. So we need the capability to allow the
> > netlink sockets to communicate with each other in the same user
> > namespace even they are in different net namespace. [PATCH 2/48]
> > does this job, it adds a new function "compare" for per netlink
> > table to compare two sockets. it means the netlink protocols can
> > has its own compare fuction, For other protocols, two netlink
> > sockets are different if they belong to the different net namespace.
> > For audit protocol, two sockets can be the same even they in different
> > net namespace,we use user namespace not net namespace to make the
> > decision.
> >
> > There is one point that some people may dislike,in [PATCH 1/48],
> > the kernel side audit netlink socket is created only when we create
> > the first netns for the userns, and this userns will hold the netns
> > until we destroy this userns.
> >
> > The other patches just make the audit related resources per
> > user namespace.
> >
> > This patchset is sent as an RFC,any comments are welcome.
Hi,
thanks for sending this. I think you need to ping the selinux folks
for comment though. It appears to me that, after this patchset, the
kernel with CONFIG_USER_NS=y could not be LSPP-compliant, because
the selinux-generated audit messages do not always go to init_user_ns.
Additionally, the only type of namespacing selinux wants is where it
is enforced by policy compiler and installer using typenames - i.e.
'container1.user_t' vs 'user_t'. Selinux does not want user namespaces
to affect selinux enforcement at all. (at least last I knew, several
years ago at a mini-summit, I believe this was from Stephen Smalley).
I think it's good to have userspace-generated audit messages (i.e.
auditctl -m 'hi there') sent to the same user namespace. But the
selinux messages, near as I can tell, need to all go to init_user_ns.
thanks,
-serge
next prev parent reply other threads:[~2013-06-06 21:52 UTC|newest]
Thread overview: 130+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-05-07 2:20 [PATCH RFC 00/48] Add namespace support for audit Gao feng
2013-05-07 2:20 ` Gao feng
2013-05-07 2:20 ` [PATCH RFC 15/48] Audit: allow to send netlink message to auditd in uninit user namespace Gao feng
[not found] ` <1367893269-9308-1-git-send-email-gaofeng-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-05-07 2:20 ` [PATCH RFC 01/48] Audit: make audit kernel side netlink sock per userns Gao feng
2013-05-07 2:20 ` Gao feng
2013-05-07 2:20 ` [PATCH RFC 02/48] netlink: Add compare function for netlink_table Gao feng
2013-05-07 2:20 ` Gao feng
2013-05-07 2:20 ` [PATCH RFC 03/48] Audit: implement audit self-defined compare function Gao feng
2013-05-07 2:20 ` Gao feng
2013-05-07 2:20 ` [PATCH RFC 04/48] Audit: make audit_skb_queue per user namespace Gao feng
2013-05-07 2:20 ` Gao feng
2013-05-07 2:20 ` [PATCH RFC 05/48] Audit: make audit_skb_hold_queue " Gao feng
2013-05-07 2:20 ` Gao feng
2013-05-07 2:20 ` [PATCH RFC 06/48] Audit: make kauditd_task " Gao feng
2013-05-07 2:20 ` Gao feng
[not found] ` <1367893269-9308-7-git-send-email-gaofeng-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-05-21 9:15 ` Gao feng
2013-05-21 9:15 ` Gao feng
2013-05-07 2:20 ` [PATCH RFC 07/48] Audit: make audit_pid " Gao feng
2013-05-07 2:20 ` Gao feng
2013-05-07 2:20 ` [PATCH RFC 08/48] Audit: make audit_nlk_portid per user namesapce Gao feng
2013-05-07 2:20 ` Gao feng
2013-05-07 2:20 ` [PATCH RFC 09/48] Audit: make audit_enabled per user namespace Gao feng
2013-05-07 2:20 ` Gao feng
[not found] ` <1367893269-9308-10-git-send-email-gaofeng-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-05-07 15:44 ` Aristeu Rozanski
2013-05-07 15:44 ` Aristeu Rozanski
[not found] ` <20130507154434.GA15275-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-05-08 5:22 ` Gao feng
2013-05-08 5:22 ` Gao feng
2013-05-08 5:22 ` Gao feng
2013-05-07 2:20 ` [PATCH RFC 10/48] Audit: change type of audit_ever_enabled to bool Gao feng
2013-05-07 2:20 ` Gao feng
[not found] ` <1367893269-9308-11-git-send-email-gaofeng-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-05-08 2:06 ` Matt Helsley
2013-05-08 2:06 ` Matt Helsley
[not found] ` <20130508020626.GD24627-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2013-05-08 5:24 ` Gao feng
2013-05-08 5:24 ` Gao feng
2013-05-07 2:20 ` [PATCH RFC 11/48] Audit: make audit_ever_enabled per user namespace Gao feng
2013-05-07 2:20 ` Gao feng
2013-05-07 2:20 ` [PATCH RFC 12/48] Audit: make audit_initialized " Gao feng
2013-05-07 2:20 ` Gao feng
2013-05-07 2:20 ` [PATCH RFC 13/48] Audit: only allow init user namespace to change audit_rate_limit Gao feng
2013-05-07 2:20 ` Gao feng
2013-05-07 2:20 ` [PATCH RFC 14/48] Audit: only allow init user namespace to change audit_failure Gao feng
2013-05-07 2:20 ` Gao feng
2013-05-07 2:20 ` [PATCH RFC 15/48] Audit: allow to send netlink message to auditd in uninit user namespace Gao feng
2013-05-07 2:20 ` [PATCH RFC 16/48] Audit: user proper user namespace in audit_log_config_change Gao feng
2013-05-07 2:20 ` Gao feng
2013-05-07 2:20 ` [PATCH RFC 17/48] Audit: make kauditd_wait per user namespace Gao feng
2013-05-07 2:20 ` Gao feng
2013-05-07 2:20 ` [PATCH RFC 18/48] Audit: make audit_backlog_wait " Gao feng
2013-05-07 2:20 ` Gao feng
2013-05-07 2:20 ` [PATCH RFC 19/48] Audit: remove duplicate comments Gao feng
2013-05-07 2:20 ` Gao feng
2013-05-07 2:20 ` [PATCH RFC 20/48] Audit: introduce new audit logging interface for user namespace Gao feng
2013-05-07 2:20 ` Gao feng
2013-05-07 2:20 ` [PATCH RFC 21/48] Audit: pass proper user namespace to audit_log_common_recv_msg Gao feng
2013-05-07 2:20 ` Gao feng
2013-05-07 2:20 ` [PATCH RFC 22/48] Audit: Log audit config change in uninit user namespace Gao feng
2013-05-07 2:20 ` Gao feng
2013-05-07 2:20 ` [PATCH RFC 23/48] Audit: netfilter: Log xt table replace behavior in proper " Gao feng
2013-05-07 2:20 ` Gao feng
2013-05-07 2:20 ` [PATCH RFC 24/48] Audit: xt_AUDIT: Log audit message " Gao feng
2013-05-07 2:20 ` Gao feng
2013-05-07 2:20 ` [PATCH RFC 25/48] Audit: send reply message to the auditd " Gao feng
2013-05-07 2:20 ` Gao feng
2013-05-07 2:20 ` [PATCH RFC 26/48] Audit: make audit_inode_hash per " Gao feng
2013-05-07 2:20 ` Gao feng
2013-05-07 2:20 ` [PATCH RFC 27/48] Audit: make tree_list " Gao feng
2013-05-07 2:20 ` [PATCH RFC 28/48] Audit: make audit filter list " Gao feng
2013-05-07 2:20 ` Gao feng
2013-05-07 2:20 ` [PATCH RFC 29/48] Audit: make audit_krule belongs to " Gao feng
2013-05-07 2:20 ` Gao feng
2013-05-07 2:20 ` [PATCH RFC 30/48] Audit: reply audit filter list request to proper " Gao feng
2013-05-07 2:20 ` Gao feng
2013-05-07 2:20 ` [PATCH RFC 31/48] Audit: pass proper user namespace to audit_filter_syscall Gao feng
2013-05-07 2:20 ` [PATCH RFC 32/48] Audit: pass proper user namespace to audit_filter_inode_name Gao feng
2013-05-07 2:20 ` Gao feng
2013-05-07 2:20 ` [PATCH RFC 33/48] Audit: Log filter related audit message to proper user namespace Gao feng
2013-05-07 2:20 ` [PATCH RFC 34/48] Log audit tree related message in " Gao feng
2013-05-07 2:20 ` Gao feng
2013-05-07 2:20 ` [PATCH RFC 35/48] Audit: Log task related audit message to " Gao feng
2013-05-07 2:20 ` Gao feng
2013-05-07 2:20 ` [PATCH RFC 36/48] Audit: Log watch " Gao feng
2013-05-07 2:20 ` Gao feng
2013-05-07 2:20 ` [PATCH RFC 37/48] Audit: translate audit_log_start to audit_log_start_ns Gao feng
2013-05-07 2:20 ` Gao feng
2013-05-07 2:20 ` [PATCH RFC 38/48] Audit: tty: " Gao feng
2013-05-07 2:21 ` [PATCH RFC 39/48] Audit: netlabel: " Gao feng
2013-05-07 2:21 ` [PATCH RFC 40/48] Audit: ima: " Gao feng
2013-05-07 2:21 ` Gao feng
2013-05-07 2:21 ` [PATCH RFC 41/48] Audit: lsm: " Gao feng
2013-05-07 2:21 ` [PATCH RFC 42/48] Audit: selinux: " Gao feng
2013-05-07 2:21 ` [PATCH RFC 43/48] Audit: xfrm: " Gao feng
2013-05-07 2:21 ` [PATCH RFC 44/48] Audit: rename audit_log_start_ns to audit_log_start Gao feng
2013-05-07 2:21 ` [PATCH RFC 45/48] Audit: user audit_enabled_ns to replace audit_enabled Gao feng
2013-05-07 2:21 ` [PATCH RFC 46/48] Audit: rename audit_enabled_ns to audit_enabled Gao feng
2013-05-07 2:21 ` [PATCH RFC 47/48] Audit: make audit_log user namespace awared Gao feng
2013-05-07 2:21 ` [PATCH RFC 48/48] Audit: allow root user of un-init user namespace to set audit Gao feng
2013-05-08 16:55 ` [PATCH RFC 00/48] Add namespace support for audit Eric Paris
2013-05-08 16:55 ` Eric Paris
2013-05-09 1:13 ` Gao feng
2013-05-09 1:13 ` Gao feng
2013-05-21 9:15 ` Gao feng
2013-05-21 9:15 ` Gao feng
[not found] ` <519B3B4E.1070405-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-06-06 21:52 ` Serge Hallyn [this message]
2013-06-06 21:52 ` Serge Hallyn
2013-06-06 22:47 ` Serge Hallyn
2013-06-06 22:47 ` Serge Hallyn
2013-06-10 1:54 ` Gao feng
2013-06-10 1:54 ` Gao feng
[not found] ` <51B531CC.2020604-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-06-10 21:24 ` Serge E. Hallyn
2013-06-10 21:24 ` Serge E. Hallyn
[not found] ` <20130610212437.GA11940-anj0Drq5vpzx6HRWoRZK3AC/G2K4zDHf@public.gmane.org>
2013-06-11 5:59 ` Gao feng
2013-06-11 5:59 ` Gao feng
[not found] ` <51B6BCBE.7060608-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-06-11 13:49 ` Eric Paris
2013-06-11 13:49 ` Eric Paris
2013-06-11 14:15 ` Serge E. Hallyn
2013-06-11 14:15 ` Serge E. Hallyn
2013-06-13 6:02 ` Gao feng
2013-05-07 2:20 ` [PATCH RFC 27/48] Audit: make tree_list per user namespace Gao feng
2013-05-07 2:20 ` [PATCH RFC 31/48] Audit: pass proper user namespace to audit_filter_syscall Gao feng
2013-05-07 2:20 ` [PATCH RFC 33/48] Audit: Log filter related audit message to proper user namespace Gao feng
2013-05-07 2:20 ` [PATCH RFC 38/48] Audit: tty: translate audit_log_start to audit_log_start_ns Gao feng
2013-05-07 2:21 ` [PATCH RFC 39/48] Audit: netlabel: " Gao feng
2013-05-07 2:21 ` [PATCH RFC 41/48] Audit: lsm: " Gao feng
2013-05-07 2:21 ` [PATCH RFC 42/48] Audit: selinux: " Gao feng
2013-05-07 2:21 ` [PATCH RFC 43/48] Audit: xfrm: " Gao feng
2013-05-07 2:21 ` [PATCH RFC 44/48] Audit: rename audit_log_start_ns to audit_log_start Gao feng
2013-05-07 2:21 ` [PATCH RFC 45/48] Audit: user audit_enabled_ns to replace audit_enabled Gao feng
2013-05-07 2:21 ` [PATCH RFC 46/48] Audit: rename audit_enabled_ns to audit_enabled Gao feng
2013-05-07 2:21 ` [PATCH RFC 47/48] Audit: make audit_log user namespace awared Gao feng
2013-05-07 2:21 ` [PATCH RFC 48/48] Audit: allow root user of un-init user namespace to set audit Gao feng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130606215255.GA28978@tp \
--to=serge.hallyn-gewih/nmzzlqt0dzr+alfa@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
--cc=eparis-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=gaofeng-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org \
--cc=linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.