Re: [PATCH] audit: listen in all network namespaces

[Gao feng <gaofeng@cn.fujitsu.com>]

On 08/02/2013 01:57 AM, Eric Paris wrote:
> On Tue, 2013-07-30 at 13:22 -0400, Richard Guy Briggs wrote:
>> On Mon, Jul 22, 2013 at 11:20:57AM +0800, Gao feng wrote:
>>> On 07/20/2013 05:15 AM, Richard Guy Briggs wrote:
>>>> On Wed, Jul 17, 2013 at 11:54:21AM +0800, Gao feng wrote:
>>>>> Hi, Richard
>>>>>
>>>>> On 07/17/2013 04:32 AM, Richard Guy Briggs wrote:
>>>>>> Convert audit from only listening in init_net to use register_pernet_subsys()
>>>>>> to dynamically manage the netlink socket list.
>>>>>>
>>>>>> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
>>>>>> ---
>>>>>
>>>>> Right now audit still can't be used in uninit pid/user namespace,
>>>>> Consider this, when user in uninit pid/user namespace is allowed
>>>>> to setup/run audit subsystem, since the kernel thread always runs
>>>>> in init pid namespace, so we can't get right net namespace through
>>>>> get_net_ns_by_pid, The audit information will be sent to incorrect
>>>>> net namespace by kernel thread.
>>>>>
>>>>> In my opinion, This patch is limited and nonextensile.
> 
> I agree completely that this patch is limited and nonextensible.  But it
> gets us where we should already be today.  A single global kauditd and a
> single global auditd.  Today if you spawn a new network namespace you
> cannot send messages to the kernel audit system.  You cannot run auditd
> in uninit network namespace. 

Yes, and you cannot run auditd in uninit pid/user namespace too.

> This is wrong.  The kernel should take
> anything userspace wants to throw at it and it should send messages to
> auditd no matter where it lives.  I see this is a good patch that should
> go in next window, and will likely get overwritten completely with your
> future work.

I'm ok if you want this patch in next window, but I have to say, The solutions
I can think out will almost revert or rewrite this patch.

> 
> Now your patch handles this and so much more.
> 
> I still detest the idea of tieing the audit namespace to the user
> namespace.  My NAK still stands on any such patches.
> 
> I'd think that disjoint namespaces (like networking) instead of
> hierarchical namespaces (like user) would be a lot easier to do.  My
> thoughts have always been about completely disjoint audit namespaces and
> I may have missed the nuance of some of your discussion because it
> didn't really dawn on me you seem to have always been discussing
> hierarchical audit namespace.

Though user namespace is hierarchical, we can make auditns nonhierarchical even
tie it to userns. this depends on our decision/implementation, doesn't depend
on if we tie aduitns to userns.

> 
> I'm wondering if we want/need both?  If I decide to launch a whole
> distro inside a container I may not want it to be subject to any of the
> audit rules of the init namespace.  disjoint namespaces are good.  You
> don't seem to allow this, the init namespace audit rules would also
> apply.
> 

we can isolate audit rules, auditns can have its own audit rules, and
take no effect on other auditns.

> I'm not saying hierarchical rules are bad, in fact I might be convinced
> they are adequate, I just can't bring myself to that conclusion yet.
> The conclusion I still feel comfortable with is that the user namespace
> is a whole of bag and I don't want it tied to audit.
> 

Get it, I feel that you really don't like this idea, There are three reasons
I choose to tie auditns to userns.

1, all other namespace(net,pid,mnt,ipc..)  has a "user_ns" pointer which point
to the user namespace, this user namespace is the creator of these namespace.
So in these namespaces, we can find out the auditns through {netns,pidns,ipcns}->user_ns->audit.
audit subsystem is a service layer, it should be available for other subsystems.

if we don't tie auditns to userns, we have to add an extra pointer for other
namespace, looks like this netns->auditns, pidns->auditns, ipcns->auditns.

2. if we don't tie auditns to userns, we have to find a way to create a new
auditns. the flags of clone is a problem.

3, there are already 6 kinds of namespaces, for me, I don't want to introduce
a complete new namespace(think about there are syslog,crypto... need to be
ioslated, there will be so much namespace...). I choose to extend the current
exist namespace and achieve the same feature.

I know it's not a very good solution,since userns totally has no relationship
with audit...