From: "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>
To: Eric Paris <eparis-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
matthltc-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org,
sgrubb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org
Subject: Re: [Part1 PATCH 00/22] Add namespace support for audit
Date: Thu, 20 Jun 2013 20:45:31 +0000 [thread overview]
Message-ID: <20130620204531.GA3522@mail.hallyn.com> (raw)
In-Reply-To: <1371733353.16587.19.camel-97fqgl+48DwtHMky1e46ABcY2uh10dtjAL8bYrjMMd8@public.gmane.org>
Quoting Eric Paris (eparis-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org):
> On Thu, 2013-06-20 at 11:02 +0800, Gao feng wrote:
> > On 06/20/2013 04:51 AM, Eric Paris wrote:
> > > On Wed, 2013-06-19 at 16:49 -0400, Aristeu Rozanski wrote:
> > >> On Wed, Jun 19, 2013 at 09:53:32AM +0800, Gao feng wrote:
> > >>> This patchset is first part of namespace support for audit.
> > >>> in this patchset, the mainly resources of audit system have
> > >>> been isolated. the audit filter, rules havn't been isolated
> > >>> now. It will be implemented in Part2. We finished the isolation
> > >>> of user audit message in this patchset.
> > >>>
> > >>> I choose to assign audit to the user namespace.
> > >>> Right now,there are six kinds of namespaces, such as
> > >>> net, mount, ipc, pid, uts and user. the first five
> > >>> namespaces have special usage. the audit isn't suitable to
> > >>> belong to these five namespaces, And since the flag of system
> > >>> call clone is in short supply, we can't provide a new flag such
> > >>> as CLONE_NEWAUDIT to enable audit namespace separately. so the
> > >>> user namespace may be the best choice.
> > >>
> > >> I thought it was said on the last submission that to tie userns and
> > >> audit namespace would be a bad idea?
> > >
> > > I consider it a non-starter. unpriv users are allowed to launch their
> > > own user namespace. The whole point of audit is to have only a priv
> > > user be allowed to make changes. If you tied audit namespace to user
> > > namespace you grant an unpriv user the ability to modify audit.
> > >
> >
> > I understand your views.
> >
> > But ven the unpriv user are allowed to make changes, they can do no harm.
> > they can only make changes on the audit namespace they created.they can
> > only communicate with the audit namespace they created.
>
> Imagine I set up my machine to audit all user access to super secret
> information. With your patch set all an malicious user has to do is
> create a new user namespace. Now when he accesses the super secret
> information it will be logged inside the user namespace he created. So
> he can just dump those logs in the trash.
Right, I thought I'd pointed this out last time - it makes LSPP
certification impossible.
> I believe that each audit namespace should require priv
> (CAP_AUDIT_CONTROL) in the user namespace that created the current audit
> namespace. So lets say the machine boots and we are in the init_user
The problem with this is that ... people will then hand out
CAP_AUDIT_CONTROL :)
I'd be happier with Eric Biederman's suggestion: You can create a new
audit namespace, but all of the initial audit namespace's filters still
(separately) apply to you.
-serge
WARNING: multiple messages have this Message-ID (diff)
From: "Serge E. Hallyn" <serge@hallyn.com>
To: Eric Paris <eparis@redhat.com>
Cc: Gao feng <gaofeng@cn.fujitsu.com>,
containers@lists.linux-foundation.org, serge.hallyn@ubuntu.com,
linux-kernel@vger.kernel.org, linux-audit@redhat.com,
ebiederm@xmission.com, matthltc@linux.vnet.ibm.com,
sgrubb@redhat.com
Subject: Re: [Part1 PATCH 00/22] Add namespace support for audit
Date: Thu, 20 Jun 2013 20:45:31 +0000 [thread overview]
Message-ID: <20130620204531.GA3522@mail.hallyn.com> (raw)
In-Reply-To: <1371733353.16587.19.camel@dhcp137-13.rdu.redhat.com>
Quoting Eric Paris (eparis@redhat.com):
> On Thu, 2013-06-20 at 11:02 +0800, Gao feng wrote:
> > On 06/20/2013 04:51 AM, Eric Paris wrote:
> > > On Wed, 2013-06-19 at 16:49 -0400, Aristeu Rozanski wrote:
> > >> On Wed, Jun 19, 2013 at 09:53:32AM +0800, Gao feng wrote:
> > >>> This patchset is first part of namespace support for audit.
> > >>> in this patchset, the mainly resources of audit system have
> > >>> been isolated. the audit filter, rules havn't been isolated
> > >>> now. It will be implemented in Part2. We finished the isolation
> > >>> of user audit message in this patchset.
> > >>>
> > >>> I choose to assign audit to the user namespace.
> > >>> Right now,there are six kinds of namespaces, such as
> > >>> net, mount, ipc, pid, uts and user. the first five
> > >>> namespaces have special usage. the audit isn't suitable to
> > >>> belong to these five namespaces, And since the flag of system
> > >>> call clone is in short supply, we can't provide a new flag such
> > >>> as CLONE_NEWAUDIT to enable audit namespace separately. so the
> > >>> user namespace may be the best choice.
> > >>
> > >> I thought it was said on the last submission that to tie userns and
> > >> audit namespace would be a bad idea?
> > >
> > > I consider it a non-starter. unpriv users are allowed to launch their
> > > own user namespace. The whole point of audit is to have only a priv
> > > user be allowed to make changes. If you tied audit namespace to user
> > > namespace you grant an unpriv user the ability to modify audit.
> > >
> >
> > I understand your views.
> >
> > But ven the unpriv user are allowed to make changes, they can do no harm.
> > they can only make changes on the audit namespace they created.they can
> > only communicate with the audit namespace they created.
>
> Imagine I set up my machine to audit all user access to super secret
> information. With your patch set all an malicious user has to do is
> create a new user namespace. Now when he accesses the super secret
> information it will be logged inside the user namespace he created. So
> he can just dump those logs in the trash.
Right, I thought I'd pointed this out last time - it makes LSPP
certification impossible.
> I believe that each audit namespace should require priv
> (CAP_AUDIT_CONTROL) in the user namespace that created the current audit
> namespace. So lets say the machine boots and we are in the init_user
The problem with this is that ... people will then hand out
CAP_AUDIT_CONTROL :)
I'd be happier with Eric Biederman's suggestion: You can create a new
audit namespace, but all of the initial audit namespace's filters still
(separately) apply to you.
-serge
next prev parent reply other threads:[~2013-06-20 20:45 UTC|newest]
Thread overview: 83+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-19 1:53 [Part1 PATCH 00/22] Add namespace support for audit Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 18/22] Audit: introduce new audit logging interface for user namespace Gao feng
2013-06-19 1:53 ` Gao feng
[not found] ` <1371606834-5802-1-git-send-email-gaofeng-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-06-19 1:53 ` [PATCH 01/22] Audit: change type of audit_ever_enabled to bool Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 02/22] Audit: remove duplicate comments Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 03/22] Audit: make audit kernel side netlink sock per userns Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 04/22] netlink: Add compare function for netlink_table Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 05/22] Audit: implement audit self-defined compare function Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 06/22] Audit: make audit_skb_queue per user namespace Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 07/22] Audit: make audit_skb_hold_queue " Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 08/22] Audit: make kauditd_task " Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 09/22] Audit: make audit_nlk_portid per user namesapce Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 10/22] Audit: make audit_enabled per user namespace Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 11/22] Audit: make audit_ever_enabled " Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 12/22] Audit: make audit_initialized " Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 13/22] Audit: only allow init user namespace to change rate limit Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 14/22] Audit: only allow init user namespace to change audit_failure Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 15/22] Audit: only allow init user namespace to change backlog_limit Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 16/22] Audit: make kauditd_wait per user namespace Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 17/22] Audit: make audit_backlog_wait " Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 18/22] Audit: introduce new audit logging interface for " Gao feng
2013-06-19 1:53 ` [PATCH 19/22] Audit: pass proper user namespace to audit_log_common_recv_msg Gao feng
2013-06-19 1:53 ` [PATCH 20/22] Audit: Log audit config change in uninit user namespace Gao feng
2013-06-19 1:53 ` [PATCH 21/22] Audit: send reply message to the auditd in proper " Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 22/22] Audit: Allow GET, SET, USER MSG operations in uninit " Gao feng
2013-06-19 20:49 ` [Part1 PATCH 00/22] Add namespace support for audit Aristeu Rozanski
2013-06-19 20:49 ` Aristeu Rozanski
[not found] ` <20130619204927.GJ3212-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-06-19 20:51 ` Eric Paris
2013-06-19 20:51 ` Eric Paris
[not found] ` <1371675095.16587.5.camel-97fqgl+48DwtHMky1e46ABcY2uh10dtjAL8bYrjMMd8@public.gmane.org>
2013-06-19 21:03 ` Eric W. Biederman
2013-06-19 21:03 ` Eric W. Biederman
[not found] ` <87a9mlu82y.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-06-20 5:21 ` Gao feng
2013-06-20 5:21 ` Gao feng
2013-06-20 3:02 ` Gao feng
2013-06-20 3:02 ` Gao feng
[not found] ` <51C270AF.1080902-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-06-20 3:09 ` Gao feng
2013-06-20 3:09 ` Gao feng
[not found] ` <51C27266.3060909-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-06-20 22:01 ` Eric W. Biederman
2013-06-20 22:01 ` Eric W. Biederman
[not found] ` <87y5a4phlm.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-06-21 5:15 ` Gao feng
2013-06-21 5:15 ` Gao feng
2013-06-24 15:02 ` Aristeu Rozanski
2013-06-24 15:02 ` Aristeu Rozanski
[not found] ` <20130624150237.GA3535-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-06-24 19:03 ` Eric W. Biederman
2013-06-24 19:03 ` Eric W. Biederman
2013-06-20 13:02 ` Eric Paris
2013-06-20 13:02 ` Eric Paris
2013-06-20 13:02 ` Eric Paris
[not found] ` <1371733353.16587.19.camel-97fqgl+48DwtHMky1e46ABcY2uh10dtjAL8bYrjMMd8@public.gmane.org>
2013-06-20 20:45 ` Serge E. Hallyn [this message]
2013-06-20 20:45 ` Serge E. Hallyn
2013-06-21 3:48 ` Gao feng
2013-06-21 3:48 ` Gao feng
[not found] ` <51C3CCFB.4030901-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-06-21 9:51 ` Daniel J Walsh
2013-06-21 9:51 ` Daniel J Walsh
[not found] ` <51C42221.3030206-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-06-21 10:49 ` Eric W. Biederman
2013-06-21 10:49 ` Eric W. Biederman
2013-07-04 3:30 ` Gao feng
2013-07-04 3:30 ` Gao feng
2013-06-19 1:53 ` [PATCH 19/22] Audit: pass proper user namespace to audit_log_common_recv_msg Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 20/22] Audit: Log audit config change in uninit user namespace Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 22/22] Audit: Allow GET,SET,USER MSG operations " Gao feng
2013-06-19 1:53 ` Gao feng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130620204531.GA3522@mail.hallyn.com \
--to=serge-a9i7lubdfnhqt0dzr+alfa@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
--cc=eparis-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=matthltc-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org \
--cc=serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org \
--cc=sgrubb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.