From: Richard Guy Briggs
Subject: Re: [PATCH] audit: listen in all network namespaces
Date: Tue, 30 Jul 2013 13:22:14 -0400
Message-ID: <20130730172214.GI11242@madcap2.tricolour.ca>
References: <1374006760-7687-1-git-send-email-rgb@redhat.com> <51E6156D.3040709@cn.fujitsu.com> <20130719211517.GE11242@madcap2.tricolour.ca> <51ECA519.6020906@cn.fujitsu.com>
In-Reply-To: <51ECA519.6020906@cn.fujitsu.com>
To: Gao feng
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Mon, Jul 22, 2013 at 11:20:57AM +0800, Gao feng wrote:
> On 07/20/2013 05:15 AM, Richard Guy Briggs wrote:
> > On Wed, Jul 17, 2013 at 11:54:21AM +0800, Gao feng wrote:
> >> Hi, Richard
> >>
> >> On 07/17/2013 04:32 AM, Richard Guy Briggs wrote:
> >>> Convert audit from only listening in init_net to use register_pernet_subsys()
> >>> to dynamically manage the netlink socket list.
> >>>
> >>> Signed-off-by: Richard Guy Briggs
> >>> ---
> >>
> >> Right now audit still can't be used in an uninit pid/user namespace.
> >> Consider this: when a user in an uninit pid/user namespace is allowed
> >> to set up/run the audit subsystem, since the kernel thread always runs
> >> in the init pid namespace, we can't get the right net namespace through
> >> get_net_ns_by_pid, so the audit information will be sent to the incorrect
> >> net namespace by the kernel thread.
> >>
> >> In my opinion, this patch is limited and not extensible.
> >>
> >> Maybe you should check the patchset "[Part1 PATCH 00/22] Add namespace support for audit"
> >> I sent on 06/19/2013. In my solution, the audit kernel-side netlink sockets belong
> >> to the user namespace, and the user space audit netlink sockets will find the audit
> >> kernel socket through current_net_ns()->user_ns->audit.sock.
> >
> > I already looked at your 48-patch and 22-patch sets and the threads of
> > comments. The concerns expressed in that thread haven't been fully
> > addressed yet by you.
> >
>
> Sorry, I think I had addressed all the problems in that thread; maybe I missed
> some. Please help me to point them out, and feel free to keep on discussing with me
> in that thread.

There are several branches to that thread that went unresolved. I haven't
seen a followup patchset that attempts to address them:
https://www.redhat.com/archives/linux-audit/2013-June/msg00046.html
https://www.redhat.com/archives/linux-audit/2013-June/msg00056.html
https://www.redhat.com/archives/linux-audit/2013-June/msg00048.html
https://www.redhat.com/archives/linux-audit/2013-June/msg00050.html

But coming back to Eric Paris' original response and subsequent example,
neither has been addressed adequately:
https://www.redhat.com/archives/linux-audit/2013-June/msg00035.html
https://www.redhat.com/archives/linux-audit/2013-June/msg00039.html
and neither has the concern about making LSPP certification impossible.

> >> The "[PATCH 04/22] netlink: Add compare function for netlink_table" of this patchset
> >> has been merged in linux mainline. I think if you look at my patchset, you will find
> >> that [PATCH 03/22] and [PATCH 05/22] achieve the same aim as your patch.
> >
> > I don't have any specific issues with patch 04/22.
> >
> > For patch 05/22, I would have just stopped with comparing the two net
> > namespace pointers.
> >
> > As for patch 03/22...
> >
> > The init user namespace doesn't have a one-to-one mapping to network
> > namespace, so this won't solve the problem I was trying to solve.
>
> If your problem is that auditctl is unavailable in an uninit net namespace, I
> think my solution can solve this problem, since two audit netlink sockets
> can communicate with each other when the net namespaces they belong to are
> created by the same user namespace.

I don't follow how this is possible.

> Maybe I misunderstand what your problem is here.
>
> > In the initial user namespace, I can have as many network namespaces as
> > I want. I want kaudit to listen in all of them. There is already a
> > conservative check to make sure that audit won't permit changes from
> > any non-initial user namespace (or pid space):
> >
> > kernel/audit.c:583:audit_netlink_ok():
> >         if ((current_user_ns() != &init_user_ns) ||
> >             (task_active_pid_ns(current) != &init_pid_ns))
> >                 return -EPERM;
> >
> > This check needs to be revisited to allow some loosening of this policy,
> > but it was sound to start off too restrictive.
> > (https://bugzilla.redhat.com/show_bug.cgi?id=947530)
>
> Yes, it was too restrictive, but I can't see how this patch helps to
> solve this problem.

It hasn't been solved yet. It is one of the next in line.

> > The certification issues surrounding non-initial user namespaces haven't
> > been adequately resolved yet, not having yet seen a followup patchset,
> > so we can combine these ideas once those issues have been addressed.
> >
> > I agree we will need to be careful how the specific target socket and
> > portid are selected once we end up in other pid namespaces. For now,
> > are there specific concerns with this patch or better ways to
> > future-proof the selection of kaudit sockets and portids?
>
> In my solution, even if there are many net namespaces belonging to the same user namespace,
> there will only be one audit kernel-side netlink socket, so all of the user space
> audit netlink sockets in these net namespaces will find/communicate with this
> kernel audit socket.

I will need to go back and have a second look to see how this works.

> and the kaudit sockets and portid belong to the user namespace; they are the one and only
> in each user namespace.

Do they not currently belong to the pid namespace?

> Thanks

- RGB

--
Richard Guy Briggs
Senior Software Engineer
Kernel Security
AMER ENG Base Operating Systems
Remote, Ottawa, Canada
Voice: +1.647.777.2635
Internal: (81) 32635
Alt: +1.613.693.0684x3545
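The symptom argued over in this thread (auditctl unusable outside init_net, and audit_netlink_ok() refusing callers from a non-initial user or pid namespace) can be observed from user space with a small probe. The program below is an added example, not code from the patch or from anyone in the thread. It sends an AUDIT_GET request over NETLINK_AUDIT from whatever network namespace it runs in and classifies the outcome: sendto() failing with ECONNREFUSED means the kernel found no kaudit socket in this netns (what a non-init netns sees before this patch), while an NLMSG_ERROR reply carrying -EPERM is the kernel's refusal, which at this layer is the same whether it came from the namespace check quoted above or from a missing CAP_AUDIT_CONTROL. It assumes Linux with <linux/netlink.h> and <linux/audit.h>; the helper names (probe_kaudit, classify_reply, build_error_reply) and the constructed reply buffers are this example's own.

```c
/* Added example, not part of the patch or the thread.
 * Probe whether kaudit has a netlink listener reachable from the
 * caller's current network namespace. Helper names are our own;
 * AUDIT_GET, NETLINK_AUDIT and the nlmsg macros come from the uapi headers. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/audit.h>

enum kaudit_probe {
    KAUDIT_LISTENING,   /* AUDIT_GET answered: a kaudit socket serves this netns   */
    KAUDIT_NO_LISTENER, /* sendto() -> ECONNREFUSED: no kaudit socket in this netns */
    KAUDIT_DENIED,      /* NLMSG_ERROR carrying -EPERM: audit_netlink_ok() refused
                           (non-init user/pid namespace, or no CAP_AUDIT_CONTROL)   */
    KAUDIT_ERROR        /* anything else; errno describes it                        */
};

/* Build an AUDIT_GET request; it is header-only, no payload. Returns its length. */
size_t build_audit_get(struct nlmsghdr *nlh, unsigned int seq)
{
    memset(nlh, 0, sizeof(*nlh));
    nlh->nlmsg_len   = NLMSG_LENGTH(0);
    nlh->nlmsg_type  = AUDIT_GET;
    nlh->nlmsg_flags = NLM_F_REQUEST;
    nlh->nlmsg_seq   = seq;
    nlh->nlmsg_pid   = 0;                 /* portid 0 addresses the kernel */
    return nlh->nlmsg_len;
}

/* Constructed NLMSG_ERROR reply (what netlink_ack() would send) for demo/tests.
 * `error` is 0 for an ack or a negative errno. Returns 0 if `cap` is too small. */
size_t build_error_reply(unsigned char *buf, size_t cap, int error)
{
    size_t len = NLMSG_SPACE(sizeof(struct nlmsgerr));
    if (cap < len)
        return 0;
    memset(buf, 0, len);
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    nlh->nlmsg_len  = NLMSG_LENGTH(sizeof(struct nlmsgerr));
    nlh->nlmsg_type = NLMSG_ERROR;
    struct nlmsgerr *err = (struct nlmsgerr *)(buf + NLMSG_HDRLEN);
    err->error = error;
    return len;
}

/* Classify the first netlink message in a `len`-byte reply buffer. */
enum kaudit_probe classify_reply(const unsigned char *buf, size_t len)
{
    const struct nlmsghdr *nlh = (const struct nlmsghdr *)buf;
    if (!NLMSG_OK(nlh, (int)len))
        return KAUDIT_ERROR;
    if (nlh->nlmsg_type == NLMSG_ERROR) {
        if (nlh->nlmsg_len < NLMSG_LENGTH(sizeof(struct nlmsgerr)))
            return KAUDIT_ERROR;
        const struct nlmsgerr *err = (const struct nlmsgerr *)(buf + NLMSG_HDRLEN);
        if (err->error == 0)
            return KAUDIT_LISTENING;      /* plain ack: kaudit is there and accepted us */
        if (err->error == -EPERM)
            return KAUDIT_DENIED;
        errno = -err->error;
        return KAUDIT_ERROR;
    }
    /* A successful AUDIT_GET is answered with an AUDIT_GET message (audit_status). */
    return nlh->nlmsg_type == AUDIT_GET ? KAUDIT_LISTENING : KAUDIT_ERROR;
}

/* Send AUDIT_GET to the kernel from the current netns and classify the result. */
enum kaudit_probe probe_kaudit(void)
{
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0)
        return KAUDIT_ERROR;

    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };   /* nl_pid 0 = kernel */
    struct nlmsghdr req;
    size_t len = build_audit_get(&req, 1);
    if (sendto(fd, &req, len, 0, (struct sockaddr *)&kernel, sizeof(kernel)) < 0) {
        int e = errno;
        close(fd);
        errno = e;
        /* No kaudit socket registered in this netns: unicast lookup fails. */
        return e == ECONNREFUSED ? KAUDIT_NO_LISTENER : KAUDIT_ERROR;
    }

    unsigned char buf[8192];
    ssize_t n = recv(fd, buf, sizeof(buf), 0);
    int e = errno;
    close(fd);
    if (n < 0) {
        errno = e;
        return KAUDIT_ERROR;
    }
    return classify_reply(buf, (size_t)n);
}

int main(void)
{
    static const char *names[] = { "listening", "no listener in this netns",
                                   "denied (EPERM)", "error" };
    enum kaudit_probe r = probe_kaudit();
    printf("kaudit: %s", names[r]);
    if (r == KAUDIT_ERROR)
        printf(" (%s)", strerror(errno));
    printf("\n");
    return 0;
}
```

Run it as root in the initial namespaces to get "listening"; run it under `unshare -n` on a kernel without this patch to get "no listener in this netns", which is the gap the patch closes by registering a kaudit socket per network namespace; run it as an unprivileged user, or from a non-initial user or pid namespace, to get "denied (EPERM)" from the check quoted above.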