From: Daniel J Walsh <dwalsh-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
To: Gao feng <gaofeng-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Eric Paris <eparis-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org,
matthltc-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org
Subject: Re: [Part1 PATCH 00/22] Add namespace support for audit
Date: Fri, 21 Jun 2013 05:51:29 -0400 [thread overview]
Message-ID: <51C42221.3030206@redhat.com> (raw)
In-Reply-To: <51C3CCFB.4030901-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 06/20/2013 11:48 PM, Gao feng wrote:
> On 06/20/2013 09:02 PM, Eric Paris wrote:
>> On Thu, 2013-06-20 at 11:02 +0800, Gao feng wrote:
>>> On 06/20/2013 04:51 AM, Eric Paris wrote:
>>>> On Wed, 2013-06-19 at 16:49 -0400, Aristeu Rozanski wrote:
>>>>> On Wed, Jun 19, 2013 at 09:53:32AM +0800, Gao feng wrote:
>>>>>> This patchset is first part of namespace support for audit. in
>>>>>> this patchset, the mainly resources of audit system have been
>>>>>> isolated. the audit filter, rules havn't been isolated now. It
>>>>>> will be implemented in Part2. We finished the isolation of user
>>>>>> audit message in this patchset.
>>>>>>
>>>>>> I choose to assign audit to the user namespace. Right now,there
>>>>>> are six kinds of namespaces, such as net, mount, ipc, pid, uts
>>>>>> and user. the first five namespaces have special usage. the audit
>>>>>> isn't suitable to belong to these five namespaces, And since the
>>>>>> flag of system call clone is in short supply, we can't provide a
>>>>>> new flag such as CLONE_NEWAUDIT to enable audit namespace
>>>>>> separately. so the user namespace may be the best choice.
>>>>>
>>>>> I thought it was said on the last submission that to tie userns
>>>>> and audit namespace would be a bad idea?
>>>>
>>>> I consider it a non-starter. unpriv users are allowed to launch
>>>> their own user namespace. The whole point of audit is to have only a
>>>> priv user be allowed to make changes. If you tied audit namespace to
>>>> user namespace you grant an unpriv user the ability to modify audit.
>>>>
>>>
>>> I understand your views.
>>>
>>> But ven the unpriv user are allowed to make changes, they can do no
>>> harm. they can only make changes on the audit namespace they
>>> created.they can only communicate with the audit namespace they
>>> created.
>>
>> Imagine I set up my machine to audit all user access to super secret
>> information. With your patch set all an malicious user has to do is
>> create a new user namespace. Now when he accesses the super secret
>> information it will be logged inside the user namespace he created. So
>> he can just dump those logs in the trash.
>>
>
> No, my v1 patchset only log the user audit message(which generated through
> auditctl -m "xxx") inside user namespace.
>
> I agree with that we should not simply log audit message in the child audit
> namespace. for some global resource related audit messages, they should be
> logged in init audit namespace too.
>
>> I believe that each audit namespace should require priv
>> (CAP_AUDIT_CONTROL) in the user namespace that created the current audit
>> namespace. So lets say the machine boots and we are in the init_user and
>> init_audit namespace. Creating a new audit namespace should require
>> CAP_AUDIT_CONTROL in the init_user namespace. If instead we spawned a
>> new user namespace userns1 and try to create a new audit namespace, we
>> should STILL check for CAP_AUDIT_CONTROL in the init_user namespace.
>>
>
> Ok, I can add this permission check in next version, though this seems a
> litter strictness when we make sure child audit namespace won't fool the
> init audit namespace,
>
>> Assuming we've spawned auditns1 in userns1 and want to spawn auditns2 it
>> should require CAP_AUDIT_CONTROL in userns1. So now you only have
>> permission to change your audit config (create a new audit namespace) if
>> you already had permission to change your current audit config.
>>
>> Now how to handle coding this...
>>
>> When the kernel receives an audit message on the netlink socket it can
>> always check the current->[whatever] to figure out which audit namespace
>> it came from. Then it can be processed accordingly...
>
> Yes, this situation is easy to handle, since we are in process context...
> but in some situations, we are not running in process context... as I
> mentioned, audit messages generated by netfilter rules. current process is
> untrustable. we can only get meaningful net namespace in this situation.
> Actually, it's meaningful to send net related audit messages to the user
> namespace which creates this net namespace.
>
>
>>
>> Sending messages to the userspace auditd is a little more tricky. We
>> need to somehow map the audit namespace to a socket connected to auditd
>> in userspace. I'd imagine we'd have to either have per auditns backlog
>> queues and run one kauditd per audit namespace, or we'd have to tag the
>> skb's with the intended namespace somehow and then find the right socket
>> in kauditd. Either way it doesn't seem too onerous (although I admit, I
>> don't know how to code the per namespace kauditd right offhand)
>>
>
> As I said in "[PATCH 04/22] netlink: Add compare function for
> netlink_table", netlink and socket are private resources of net namespace.
> socket has no idea which audit namespace it belongs to,unless we add a
> field to mark this. Through I think we can archive audit namespace in your
> way,but maybe we should hack into the net namespace. I don't think the
> network guys will like it.
>
> There is one more thing we have to do if we don't tie audit namespace to
> user namespace. we have to implement the audit proc
> file(/proc/<pid>/ns/audit) and the clone/unshare/setns parts.
>
> I still this my way is the simplest and can satisfy your requirement.
>
> -- Linux-audit mailing list Linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org
> https://www.redhat.com/mailman/listinfo/linux-audit
>
Will I be able to use the audit namespace without the user namespace. I would
prefer to be able to use the audit namespace long before I am willing to take
a chance with the User Namespace for things like light weight virtualization
and securing processes with MAC.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlHEIiEACgkQrlYvE4MpobP8awCcD4xO34I4IDD+qeHQLPFtWM0q
vnMAn1PTatEUfPkeQG1+dG4ULKpOLCoB
=nrRz
-----END PGP SIGNATURE-----
WARNING: multiple messages have this Message-ID (diff)
From: Daniel J Walsh <dwalsh@redhat.com>
To: Gao feng <gaofeng@cn.fujitsu.com>
Cc: Eric Paris <eparis@redhat.com>,
containers@lists.linux-foundation.org, serge.hallyn@ubuntu.com,
linux-kernel@vger.kernel.org, linux-audit@redhat.com,
ebiederm@xmission.com, matthltc@linux.vnet.ibm.com,
Aristeu Rozanski <aris@redhat.com>
Subject: Re: [Part1 PATCH 00/22] Add namespace support for audit
Date: Fri, 21 Jun 2013 05:51:29 -0400 [thread overview]
Message-ID: <51C42221.3030206@redhat.com> (raw)
In-Reply-To: <51C3CCFB.4030901@cn.fujitsu.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 06/20/2013 11:48 PM, Gao feng wrote:
> On 06/20/2013 09:02 PM, Eric Paris wrote:
>> On Thu, 2013-06-20 at 11:02 +0800, Gao feng wrote:
>>> On 06/20/2013 04:51 AM, Eric Paris wrote:
>>>> On Wed, 2013-06-19 at 16:49 -0400, Aristeu Rozanski wrote:
>>>>> On Wed, Jun 19, 2013 at 09:53:32AM +0800, Gao feng wrote:
>>>>>> This patchset is first part of namespace support for audit. in
>>>>>> this patchset, the mainly resources of audit system have been
>>>>>> isolated. the audit filter, rules havn't been isolated now. It
>>>>>> will be implemented in Part2. We finished the isolation of user
>>>>>> audit message in this patchset.
>>>>>>
>>>>>> I choose to assign audit to the user namespace. Right now,there
>>>>>> are six kinds of namespaces, such as net, mount, ipc, pid, uts
>>>>>> and user. the first five namespaces have special usage. the audit
>>>>>> isn't suitable to belong to these five namespaces, And since the
>>>>>> flag of system call clone is in short supply, we can't provide a
>>>>>> new flag such as CLONE_NEWAUDIT to enable audit namespace
>>>>>> separately. so the user namespace may be the best choice.
>>>>>
>>>>> I thought it was said on the last submission that to tie userns
>>>>> and audit namespace would be a bad idea?
>>>>
>>>> I consider it a non-starter. unpriv users are allowed to launch
>>>> their own user namespace. The whole point of audit is to have only a
>>>> priv user be allowed to make changes. If you tied audit namespace to
>>>> user namespace you grant an unpriv user the ability to modify audit.
>>>>
>>>
>>> I understand your views.
>>>
>>> But ven the unpriv user are allowed to make changes, they can do no
>>> harm. they can only make changes on the audit namespace they
>>> created.they can only communicate with the audit namespace they
>>> created.
>>
>> Imagine I set up my machine to audit all user access to super secret
>> information. With your patch set all an malicious user has to do is
>> create a new user namespace. Now when he accesses the super secret
>> information it will be logged inside the user namespace he created. So
>> he can just dump those logs in the trash.
>>
>
> No, my v1 patchset only log the user audit message(which generated through
> auditctl -m "xxx") inside user namespace.
>
> I agree with that we should not simply log audit message in the child audit
> namespace. for some global resource related audit messages, they should be
> logged in init audit namespace too.
>
>> I believe that each audit namespace should require priv
>> (CAP_AUDIT_CONTROL) in the user namespace that created the current audit
>> namespace. So lets say the machine boots and we are in the init_user and
>> init_audit namespace. Creating a new audit namespace should require
>> CAP_AUDIT_CONTROL in the init_user namespace. If instead we spawned a
>> new user namespace userns1 and try to create a new audit namespace, we
>> should STILL check for CAP_AUDIT_CONTROL in the init_user namespace.
>>
>
> Ok, I can add this permission check in next version, though this seems a
> litter strictness when we make sure child audit namespace won't fool the
> init audit namespace,
>
>> Assuming we've spawned auditns1 in userns1 and want to spawn auditns2 it
>> should require CAP_AUDIT_CONTROL in userns1. So now you only have
>> permission to change your audit config (create a new audit namespace) if
>> you already had permission to change your current audit config.
>>
>> Now how to handle coding this...
>>
>> When the kernel receives an audit message on the netlink socket it can
>> always check the current->[whatever] to figure out which audit namespace
>> it came from. Then it can be processed accordingly...
>
> Yes, this situation is easy to handle, since we are in process context...
> but in some situations, we are not running in process context... as I
> mentioned, audit messages generated by netfilter rules. current process is
> untrustable. we can only get meaningful net namespace in this situation.
> Actually, it's meaningful to send net related audit messages to the user
> namespace which creates this net namespace.
>
>
>>
>> Sending messages to the userspace auditd is a little more tricky. We
>> need to somehow map the audit namespace to a socket connected to auditd
>> in userspace. I'd imagine we'd have to either have per auditns backlog
>> queues and run one kauditd per audit namespace, or we'd have to tag the
>> skb's with the intended namespace somehow and then find the right socket
>> in kauditd. Either way it doesn't seem too onerous (although I admit, I
>> don't know how to code the per namespace kauditd right offhand)
>>
>
> As I said in "[PATCH 04/22] netlink: Add compare function for
> netlink_table", netlink and socket are private resources of net namespace.
> socket has no idea which audit namespace it belongs to,unless we add a
> field to mark this. Through I think we can archive audit namespace in your
> way,but maybe we should hack into the net namespace. I don't think the
> network guys will like it.
>
> There is one more thing we have to do if we don't tie audit namespace to
> user namespace. we have to implement the audit proc
> file(/proc/<pid>/ns/audit) and the clone/unshare/setns parts.
>
> I still this my way is the simplest and can satisfy your requirement.
>
> -- Linux-audit mailing list Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>
Will I be able to use the audit namespace without the user namespace. I would
prefer to be able to use the audit namespace long before I am willing to take
a chance with the User Namespace for things like light weight virtualization
and securing processes with MAC.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlHEIiEACgkQrlYvE4MpobP8awCcD4xO34I4IDD+qeHQLPFtWM0q
vnMAn1PTatEUfPkeQG1+dG4ULKpOLCoB
=nrRz
-----END PGP SIGNATURE-----
next prev parent reply other threads:[~2013-06-21 9:51 UTC|newest]
Thread overview: 83+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-19 1:53 [Part1 PATCH 00/22] Add namespace support for audit Gao feng
2013-06-19 1:53 ` Gao feng
[not found] ` <1371606834-5802-1-git-send-email-gaofeng-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-06-19 1:53 ` [PATCH 01/22] Audit: change type of audit_ever_enabled to bool Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 02/22] Audit: remove duplicate comments Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 03/22] Audit: make audit kernel side netlink sock per userns Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 04/22] netlink: Add compare function for netlink_table Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 05/22] Audit: implement audit self-defined compare function Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 06/22] Audit: make audit_skb_queue per user namespace Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 07/22] Audit: make audit_skb_hold_queue " Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 08/22] Audit: make kauditd_task " Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 09/22] Audit: make audit_nlk_portid per user namesapce Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 10/22] Audit: make audit_enabled per user namespace Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 11/22] Audit: make audit_ever_enabled " Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 12/22] Audit: make audit_initialized " Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 13/22] Audit: only allow init user namespace to change rate limit Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 14/22] Audit: only allow init user namespace to change audit_failure Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 15/22] Audit: only allow init user namespace to change backlog_limit Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 16/22] Audit: make kauditd_wait per user namespace Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 17/22] Audit: make audit_backlog_wait " Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 18/22] Audit: introduce new audit logging interface for " Gao feng
2013-06-19 1:53 ` [PATCH 19/22] Audit: pass proper user namespace to audit_log_common_recv_msg Gao feng
2013-06-19 1:53 ` [PATCH 20/22] Audit: Log audit config change in uninit user namespace Gao feng
2013-06-19 1:53 ` [PATCH 21/22] Audit: send reply message to the auditd in proper " Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 22/22] Audit: Allow GET, SET, USER MSG operations in uninit " Gao feng
2013-06-19 20:49 ` [Part1 PATCH 00/22] Add namespace support for audit Aristeu Rozanski
2013-06-19 20:49 ` Aristeu Rozanski
[not found] ` <20130619204927.GJ3212-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-06-19 20:51 ` Eric Paris
2013-06-19 20:51 ` Eric Paris
[not found] ` <1371675095.16587.5.camel-97fqgl+48DwtHMky1e46ABcY2uh10dtjAL8bYrjMMd8@public.gmane.org>
2013-06-19 21:03 ` Eric W. Biederman
2013-06-19 21:03 ` Eric W. Biederman
[not found] ` <87a9mlu82y.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-06-20 5:21 ` Gao feng
2013-06-20 5:21 ` Gao feng
2013-06-20 3:02 ` Gao feng
2013-06-20 3:02 ` Gao feng
[not found] ` <51C270AF.1080902-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-06-20 3:09 ` Gao feng
2013-06-20 3:09 ` Gao feng
[not found] ` <51C27266.3060909-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-06-20 22:01 ` Eric W. Biederman
2013-06-20 22:01 ` Eric W. Biederman
[not found] ` <87y5a4phlm.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-06-21 5:15 ` Gao feng
2013-06-21 5:15 ` Gao feng
2013-06-24 15:02 ` Aristeu Rozanski
2013-06-24 15:02 ` Aristeu Rozanski
[not found] ` <20130624150237.GA3535-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-06-24 19:03 ` Eric W. Biederman
2013-06-24 19:03 ` Eric W. Biederman
2013-06-20 13:02 ` Eric Paris
2013-06-20 13:02 ` Eric Paris
2013-06-20 13:02 ` Eric Paris
[not found] ` <1371733353.16587.19.camel-97fqgl+48DwtHMky1e46ABcY2uh10dtjAL8bYrjMMd8@public.gmane.org>
2013-06-20 20:45 ` Serge E. Hallyn
2013-06-20 20:45 ` Serge E. Hallyn
2013-06-21 3:48 ` Gao feng
2013-06-21 3:48 ` Gao feng
[not found] ` <51C3CCFB.4030901-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-06-21 9:51 ` Daniel J Walsh [this message]
2013-06-21 9:51 ` Daniel J Walsh
[not found] ` <51C42221.3030206-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-06-21 10:49 ` Eric W. Biederman
2013-06-21 10:49 ` Eric W. Biederman
2013-07-04 3:30 ` Gao feng
2013-07-04 3:30 ` Gao feng
2013-06-19 1:53 ` [PATCH 18/22] Audit: introduce new audit logging interface for user namespace Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 19/22] Audit: pass proper user namespace to audit_log_common_recv_msg Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 20/22] Audit: Log audit config change in uninit user namespace Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 22/22] Audit: Allow GET,SET,USER MSG operations " Gao feng
2013-06-19 1:53 ` Gao feng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=51C42221.3030206@redhat.com \
--to=dwalsh-h+wxahxf7alqt0dzr+alfa@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
--cc=eparis-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=gaofeng-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org \
--cc=linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=matthltc-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org \
--cc=serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.