From: Florian Westphal <fw@strlen.de>
To: Paul Moore <paul@paul-moore.com>
Cc: Florian Westphal <fw@strlen.de>,
Richard Weinberger <richard@nod.at>,
netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
pabeni@redhat.com, kuba@kernel.org, edumazet@google.com,
davem@davemloft.net, kadlec@netfilter.org, pablo@netfilter.org,
rgb@redhat.com, upstream+net@sigma-star.at
Subject: Re: [PATCH] netfilter: Record uid and gid in xt_AUDIT
Date: Thu, 10 Oct 2024 00:34:09 +0200
Message-ID: <20241009223409.GE3714@breakpoint.cc>
In-Reply-To: <CAHC9VhSFHQtg357WLoLrkN8wpPxDRmD_qA55NHOUEwFpE_pbrg@mail.gmail.com>

Paul Moore <paul@paul-moore.com> wrote:
> On Wed, Oct 9, 2024 at 5:34 PM Florian Westphal <fw@strlen.de> wrote:
> > Richard Weinberger <richard@nod.at> wrote:
> > > When recording audit events for new outgoing connections,
> > > it is helpful to log the user info of the associated socket,
> > > if available.
> > > Therefore, check if the skb has a socket, and if it does,
> > > log the owning fsuid/fsgid.
> >
> > AFAIK audit isn't namespace aware at all (neither netns nor userns), so I
> > wonder how to handle this.
> >
> > We can't reject adding a -j AUDIT rule for non-init-net (we could, but I'm sure
> > it'll break some setups...).
> >
> > But I wonder if we should at least skip the uid if the user namespace is
> > 'something else'.
>
> This isn't unique to netfilter and the approach we take in the rest of
> audit is to always display UIDs/GIDs in the context of the
> init_user_ns; grep for from_kuid() in kernel/audit*.c.

Hmm, audit_netlink_ok() bails with -ECONNREFUSED for current_user_ns()
!= &init_user_ns, so audit_log_common_recv_msg() won't be called from
tasks that reside in a different userns.

If you say it's fine and audit can figure out that the returned
uid is not related to the initial user namespace, then ok.

I was worried audit records could blame a wrong/bogus user id.