From: Gao feng <gaofeng@cn.fujitsu.com>
To: Aristeu Rozanski <aris@redhat.com>
Cc: viro@zeniv.linux.org.uk, eparis@redhat.com,
	ebiederm@xmission.com, sgrubb@redhat.com,
	akpm@linux-foundation.org, serge.hallyn@ubuntu.com,
	davem@davemloft.net, netdev@vger.kernel.org,
	containers@lists.linux-foundation.org,
	linux-kernel@vger.kernel.org, linux-audit@redhat.com
Subject: Re: [PATCH RFC 09/48] Audit: make audit_enabled per user namespace
Date: Wed, 08 May 2013 13:22:11 +0800
Message-ID: <5189E103.6060100@cn.fujitsu.com>
In-Reply-To: <20130507154434.GA15275@redhat.com>

On 05/07/2013 11:44 PM, Aristeu Rozanski wrote:
> On Tue, May 07, 2013 at 10:20:30AM +0800, Gao feng wrote:
>> diff --git a/include/linux/audit.h b/include/linux/audit.h
>> index 684599b..33e6584 100644
>> --- a/include/linux/audit.h
>> +++ b/include/linux/audit.h
>> @@ -441,7 +441,8 @@ extern int audit_filter_type(int type);
>>  extern int  audit_receive_filter(int type, int pid, int seq,
>>  				void *data, size_t datasz, kuid_t loginuid,
>>  				u32 sessionid, u32 sid);
>> -extern int audit_enabled;
>> +#define audit_enabled (init_user_ns.audit.enabled)
>> +#define audit_enabled_ns (ns->audit.enabled)
>>  #else /* CONFIG_AUDIT */
>>  static inline __printf(4, 5)
>>  void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
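
Review bot: audit_enabled_ns is defined here as an object-like macro, so it silently binds to whatever variable named ns happens to be in scope at the use site, and a call written as audit_enabled_ns(x), the form the !CONFIG_AUDIT stub expects, will not compile. Make it function-like and parenthesize the argument, e.g. #define audit_enabled_ns(ns) ((ns)->audit.enabled), so that an expression such as current_user_ns() can be passed safely.
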
>> @@ -487,6 +488,7 @@ static inline void audit_set_user_ns(struct user_namespace *ns)
>>  static inline void audit_free_user_ns(struct user_namespace *ns)
>>  { }
>>  #define audit_enabled 0
>> +#define audit_enabled_ns(ns) 0
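
Review bot: the CONFIG_AUDIT=n stub audit_enabled_ns(ns) discards its argument without evaluating or type-checking it, unlike the static inline stub just above it (audit_free_user_ns). A static inline int audit_enabled_ns(struct user_namespace *ns) that returns 0 would keep both configurations type-checked and avoid unused-variable warnings in callers whose only use of ns is this check.
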
> 
> conflicting definitions here. maybe the first one should be
> 	#define audit_enabled_ns(ns) (ns->audit.enabled)?
> 

Yes, it should be audit_enabled_ns(ns), I will fix this in next round.

>> @@ -285,14 +282,15 @@ static int audit_do_config_change(char *function_name, int *to_change,
>>  				  u32 sid)
>>  {
>>  	int allow_changes, rc = 0, old = *to_change;
>> +	struct user_namespace *ns = current_user_ns();
>>  
>>  	/* check if we are locked */
>> -	if (audit_enabled == AUDIT_LOCKED)
>> +	if (ns->audit.enabled == AUDIT_LOCKED)
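
Review bot: the lock check in audit_do_config_change now reads current_user_ns()->audit.enabled, while the value being changed still arrives through the to_change pointer, so nothing in this function guarantees that both refer to the same namespace. It also means AUDIT_LOCKED set in init_user_ns no longer blocks a config change issued from another user namespace; if that is intended, say so in the changelog, otherwise check the init namespace as well. Passing ns as a parameter alongside to_change and testing audit_enabled_ns(ns) would make the pairing explicit.
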
> 
> then you don't use the macro you introduced?

will fix this too.

> 
>> @@ -609,7 +608,7 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
>>  	char *ctx = NULL;
>>  	u32 len;
>>  
>> -	if (!audit_enabled) {
>> +	if (!init_user_ns.audit.enabled) {
>>  		*ab = NULL;
>>  		return rc;
>>  	}
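
Review bot: in audit_log_common_recv_msg, init_user_ns.audit.enabled is exactly what audit_enabled expands to after the audit.h change, so this replacement only open-codes the macro and adds churn. Keep !audit_enabled here, or, if the check is meant to follow the sender's namespace, take the namespace as an argument and add a comment stating which namespace's setting decides whether the message is logged.
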
> 
> same here
> 

Get it.

Thanks for your comments!

Gao
