From: Richard Guy Briggs <rgb@redhat.com>
To: Gao feng <gaofeng@cn.fujitsu.com>
Cc: linux-audit@redhat.com
Subject: Re: [PATCH] audit: listen in all network namespaces
Date: Tue, 30 Jul 2013 13:22:14 -0400
Message-ID: <20130730172214.GI11242@madcap2.tricolour.ca>
In-Reply-To: <51ECA519.6020906@cn.fujitsu.com>
On Mon, Jul 22, 2013 at 11:20:57AM +0800, Gao feng wrote:
> On 07/20/2013 05:15 AM, Richard Guy Briggs wrote:
> > On Wed, Jul 17, 2013 at 11:54:21AM +0800, Gao feng wrote:
> >> Hi, Richard
> >>
> >> On 07/17/2013 04:32 AM, Richard Guy Briggs wrote:
> >>> Convert audit from only listening in init_net to use register_pernet_subsys()
> >>> to dynamically manage the netlink socket list.
> >>>
> >>> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> >>> ---
> >>
> >> Right now audit still can't be used in an uninit pid/user namespace.
> >> Consider this: when a user in an uninit pid/user namespace is allowed
> >> to set up/run the audit subsystem, since the kernel thread always runs
> >> in the init pid namespace, we can't get the right net namespace through
> >> get_net_ns_by_pid. The audit information will be sent to the incorrect
> >> net namespace by the kernel thread.
> >>
> >> In my opinion, this patch is limited and not extensible.
> >>
> >> Maybe you should check the patchset "[Part1 PATCH 00/22] Add namespace support for audit"
> >> I sent on 06/19/2013. In my solution, the audit kernel side netlink sockets belong
> >> to the user namespace, and the user space audit netlink sockets will find the audit
> >> kernel socket through current_net_ns()->user_ns->audit.sock.
> >
> > I already looked at your 48-patch and 22-patch sets and the threads of
> > comments. The concerns expressed in that thread haven't been fully
> > addressed yet by you.
> >
>
> Sorry, I think I had addressed all the problems in that thread; maybe I missed
> some, please help me point them out, and feel free to keep on discussing with me
> in that thread.
There are several branches to that thread that went unresolved. I
haven't seen a followup patchset that attempts to address them:
https://www.redhat.com/archives/linux-audit/2013-June/msg00046.html
https://www.redhat.com/archives/linux-audit/2013-June/msg00056.html
https://www.redhat.com/archives/linux-audit/2013-June/msg00048.html
https://www.redhat.com/archives/linux-audit/2013-June/msg00050.html
But coming back to Eric Paris' original response and subsequent example,
neither has been addressed adequately:
https://www.redhat.com/archives/linux-audit/2013-June/msg00035.html
https://www.redhat.com/archives/linux-audit/2013-June/msg00039.html
and neither has the concern about making LSPP certification impossible.
> >> The "[PATCH 04/22] netlink: Add compare function for netlink_table" of this patchset
> >> has been merged in linux mainline. I think if you look at my patchset, you will find
> >> the [PATCH 03/22] and [PATCH 05/22] will achieve the same aim of your patch.
> >
> > I don't have any specific issues with patch 04/22.
> >
> > For patch 05/22, I would have just stopped with comparing the two net
> > namespace pointers.
> >
> > As for patch 03/22...
> >
> > The init user namespace doesn't have a one-to-one mapping to network
> > namespace, so this won't solve the problem I was trying to solve.
>
> If your problem is auditctl is unavailable in uninit net namespace, I
> think my solution can solve this problem, since two audit netlink sockets
> can communicate with each other when the net namespaces they belong to are
> created by the same user namespace.
I don't follow how this is possible.
> Maybe I misunderstand what is your problem here.
>
> > In the initial user namespace, I can have as many network namespaces as
> > I want. I want kaudit to listen in all of them. There is already a
> > conservative check to make sure that audit won't permit changes from
> > any non-initial user namespace (or pid space):
> > kernel/audit.c:583:audit_netlink_ok():
> >         if ((current_user_ns() != &init_user_ns) ||
> >             (task_active_pid_ns(current) != &init_pid_ns))
> >                 return -EPERM;
> > This check needs to be revisited to allow some loosening of this policy,
> > but it was sound to start off too restrictive.
> > (https://bugzilla.redhat.com/show_bug.cgi?id=947530)
>
> Yes, it was too restrictive, but I can't see how this patch helps to
> solve this problem.
It hasn't been solved yet. It is one of the next in line.
> > The certification issues surrounding non-initial user namespaces haven't
> > been adequately resolved yet, not having yet seen a followup patchset,
> > so we can combine these ideas once those issues have been addressed.
> >
> > I agree we will need to be careful how the specific target socket and
> > portid are selected once we end up in other pid namespaces. For now,
> > are there specific concerns with this patch or better ways to
> > future-proof the selection of kaudit sockets and portids?
>
> In my solution, even if there are many net namespaces belonging to the same user namespace,
> there will only be one audit kernel side netlink socket, so all of the user space
> audit netlink sockets in these net namespaces will find/communicate with this
> kernel audit socket.
I will need to go back and have a second look to see how this works.
> And the kaudit sockets and portid belong to the user namespace; they are the one and only
> ones in each user namespace.
Do they not currently belong to the pid namespace?
> Thanks
- RGB
--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer
Kernel Security
AMER ENG Base Operating Systems
Remote, Ottawa, Canada
Voice: +1.647.777.2635
Internal: (81) 32635
Alt: +1.613.693.0684x3545
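The behaviour under discussion, whether a userspace audit socket can reach kaudit from a given network namespace, can be checked directly from userspace. The following probe is an added example, not code from this thread or from the kernel patch; it assumes a Linux host with the UAPI headers installed and must run as root, since AUDIT_GET needs CAP_AUDIT_CONTROL. It sends a single AUDIT_GET to portid 0 over NETLINK_AUDIT and reports whether the kernel answered (an AUDIT_GET reply or an ACK), returned a permission error from audit_netlink_ok(), or could not be reached at all. Running it once normally and once under `unshare -n` shows whether a kaudit socket is listening in the new net namespace.

```c
/* Added example (not part of the thread): minimal NETLINK_AUDIT reachability probe. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/audit.h>

/* Fill in an AUDIT_GET request header (no payload); returns the message length. */
size_t build_audit_get(struct nlmsghdr *nlh, unsigned int seq)
{
    memset(nlh, 0, NLMSG_HDRLEN);
    nlh->nlmsg_len = NLMSG_LENGTH(0);
    nlh->nlmsg_type = AUDIT_GET;
    nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    nlh->nlmsg_seq = seq;
    nlh->nlmsg_pid = 0;   /* sender portid; the kernel fills this in on bind */
    return nlh->nlmsg_len;
}

/* Send AUDIT_GET to the kernel (portid 0) and classify the first reply.
 * Returns 0 when the kernel accepted the request (AUDIT_GET reply or ACK),
 * a positive errno when the socket operation or the request failed
 * (e.g. EPERM from audit_netlink_ok(), ECONNREFUSED when nothing listens
 * in this net namespace), or -1 for an unexpected reply. */
int audit_probe(void)
{
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK, .nl_pid = 0 };
    union { struct nlmsghdr hdr; char buf[8192]; } msg;
    int fd, rc;
    ssize_t n;

    fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0)
        return errno;

    n = (ssize_t)build_audit_get(&msg.hdr, 1);
    if (sendto(fd, &msg, (size_t)n, 0,
               (struct sockaddr *)&kernel, sizeof kernel) < 0) {
        rc = errno;
        close(fd);
        return rc;
    }

    n = recv(fd, msg.buf, sizeof msg.buf, 0);
    if (n < 0) {
        rc = errno;
        close(fd);
        return rc;
    }
    close(fd);

    if (!NLMSG_OK(&msg.hdr, (size_t)n))
        return -1;
    if (msg.hdr.nlmsg_type == NLMSG_ERROR) {
        /* An ACK is an NLMSG_ERROR with error == 0; otherwise it is -errno. */
        struct nlmsgerr *err = NLMSG_DATA(&msg.hdr);
        return err->error ? -err->error : 0;
    }
    return msg.hdr.nlmsg_type == AUDIT_GET ? 0 : -1;
}

int main(void)
{
    int rc = audit_probe();

    if (rc == 0)
        printf("kaudit reachable from this net namespace\n");
    else if (rc > 0)
        printf("audit request failed: %s (errno %d)\n", strerror(rc), rc);
    else
        printf("unexpected netlink reply\n");
    return rc == 0 ? 0 : 1;
}
```

The probe treats an ACK and an AUDIT_GET status reply the same, because the kernel may deliver either first; what matters for this thread is whether a kaudit socket answered at all, and which errno came back when it did not.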