From: Gao feng <gaofeng@cn.fujitsu.com>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: [PATCH] audit: listen in all network namespaces
Date: Wed, 17 Jul 2013 11:54:21 +0800 [thread overview]
Message-ID: <51E6156D.3040709@cn.fujitsu.com> (raw)
In-Reply-To: <1374006760-7687-1-git-send-email-rgb@redhat.com>
Hi, Richard
On 07/17/2013 04:32 AM, Richard Guy Briggs wrote:
> Convert audit from only listening in init_net to use register_pernet_subsys()
> to dynamically manage the netlink socket list.
>
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
Right now audit still can't be used in uninit pid/user namespace,
Consider this, when user in uninit pid/user namespace is allowed
to setup/run audit subsystem, since the kernel thread always runs
in init pid namespace, so we can't get right net namespace through
get_net_ns_by_pid, The audit information will be sent to incorrect
net namespace by kernel thread.
In my opinion, This patch is limited and nonextensile.
Maybe you should check the patchset "[Part1 PATCH 00/22] Add namespace support for audit"
I sent in 06/19/2013, In my solution, audit kernel side netlink sockets belongs
to user namespace, and the user space audit netlink sockets will find the audit
kernel socket through current_net_ns()->user_ns->audit.sock.
The "[PATCH 04/22] netlink: Add compare function for netlink_table" of this patchset
has been merged in linux mainline. I think if you look at my patchset, you will find
the [PATCH 03/22] and [PATCH 05/22] will achieve the same aim of your patch.
Thanks!
next prev parent reply other threads:[~2013-07-17 3:54 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-07-16 20:32 [PATCH] audit: listen in all network namespaces Richard Guy Briggs
2013-07-17 3:54 ` Gao feng [this message]
2013-07-19 21:15 ` Richard Guy Briggs
2013-07-22 3:20 ` Gao feng
2013-07-30 17:22 ` Richard Guy Briggs
2013-08-01 17:57 ` Eric Paris
2013-08-02 1:48 ` Gao feng
2013-08-02 13:21 ` Miloslav Trmač
2013-08-02 1:17 ` Gao feng
[not found] ` <1374006760-7687-1-git-send-email-rgb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-12-19 3:59 ` Gao feng
[not found] ` <52B26F1A.9070308-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-12-19 18:40 ` Eric Paris
[not found] ` <1387478422.29366.33.camel-OjZBOOqb7SR7cYLChsl7DafLeoKvNuZc@public.gmane.org>
2013-12-20 1:35 ` Gao feng
2013-12-20 2:46 ` Gao feng
[not found] ` <52B3AF8F.5040607-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-12-20 3:11 ` Eric Paris
2013-12-20 3:45 ` Gao feng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=51E6156D.3040709@cn.fujitsu.com \
--to=gaofeng@cn.fujitsu.com \
--cc=linux-audit@redhat.com \
--cc=rgb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox