Re: [PATCH] audit: listen in all network namespaces

[Eric Paris <eparis@redhat.com>]

On Tue, 2013-07-30 at 13:22 -0400, Richard Guy Briggs wrote:
> On Mon, Jul 22, 2013 at 11:20:57AM +0800, Gao feng wrote:
> > On 07/20/2013 05:15 AM, Richard Guy Briggs wrote:
> > > On Wed, Jul 17, 2013 at 11:54:21AM +0800, Gao feng wrote:
> > >> Hi, Richard
> > >>
> > >> On 07/17/2013 04:32 AM, Richard Guy Briggs wrote:
> > >>> Convert audit from only listening in init_net to use register_pernet_subsys()
> > >>> to dynamically manage the netlink socket list.
> > >>>
> > >>> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > >>> ---
> > >>
> > >> Right now audit still can't be used in uninit pid/user namespace,
> > >> Consider this, when user in uninit pid/user namespace is allowed
> > >> to setup/run audit subsystem, since the kernel thread always runs
> > >> in init pid namespace, so we can't get right net namespace through
> > >> get_net_ns_by_pid, The audit information will be sent to incorrect
> > >> net namespace by kernel thread.
> > >>
> > >> In my opinion, This patch is limited and nonextensile.

I agree completely that this patch is limited and nonextensible.  But it
gets us where we should already be today.  A single global kauditd and a
single global auditd.  Today if you spawn a new network namespace you
cannot send messages to the kernel audit system.  You cannot run auditd
in uninit network namespace.  This is wrong.  The kernel should take
anything userspace wants to throw at it and it should send messages to
auditd no matter where it lives.  I see this is a good patch that should
go in next window, and will likely get overwritten completely with your
future work.

Now your patch handles this and so much more.

I still detest the idea of tieing the audit namespace to the user
namespace.  My NAK still stands on any such patches.

I'd think that disjoint namespaces (like networking) instead of
hierarchical namespaces (like user) would be a lot easier to do.  My
thoughts have always been about completely disjoint audit namespaces and
I may have missed the nuance of some of your discussion because it
didn't really dawn on me you seem to have always been discussing
hierarchical audit namespace.

I'm wondering if we want/need both?  If I decide to launch a whole
distro inside a container I may not want it to be subject to any of the
audit rules of the init namespace.  disjoint namespaces are good.  You
don't seem to allow this, the init namespace audit rules would also
apply.

I'm not saying hierarchical rules are bad, in fact I might be convinced
they are adequate, I just can't bring myself to that conclusion yet.
The conclusion I still feel comfortable with is that the user namespace
is a whole of bag and I don't want it tied to audit.

-Eric