From: Aristeu Rozanski <aris@redhat.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Gao feng <gaofeng@cn.fujitsu.com>,
containers@lists.linux-foundation.org, serge.hallyn@ubuntu.com,
linux-kernel@vger.kernel.org, Eric Paris <eparis@redhat.com>,
linux-audit@redhat.com, matthltc@linux.vnet.ibm.com,
sgrubb@redhat.com
Subject: Re: [Part1 PATCH 00/22] Add namespace support for audit
Date: Mon, 24 Jun 2013 11:02:37 -0400
Message-ID: <20130624150237.GA3535@redhat.com>
In-Reply-To: <87y5a4phlm.fsf@xmission.com>
On Thu, Jun 20, 2013 at 03:01:09PM -0700, Eric W. Biederman wrote:
> Gao feng <gaofeng@cn.fujitsu.com> writes:
>
> > On 06/20/2013 11:02 AM, Gao feng wrote:
> >> If we don't tie audit to user namespace, there is still one problem.
> >
> > One more problem. Some audit messages are generated by some net subsystem
> > such as netfilter. If we don't tie audit to user namespace, we have no
> > idea where these audit messages should go. There is no relationship between
> > net namespace and audit namespace while we can get user namespace through
> > net user namespace.
>
> I am in favor of the user namespace tie in.
>
> I am in favor of running a per user namespace audit filter once per user
> namespace walking up the user namespace hierarchy. Each filter would
> deliver messages to a different userspace audit daemon.
>
> Until we agree to go that far I am not certain the kernel generated
> audit messages should go anywhere except to the global audit daemon.
>
> I think on an individual basis we can look at kernel audit messages and
> see if they should go to just the global user namespace. Just the user
> namespace of the relevant network stack. Or if the message should go to
> the audit daemon of every user namespace that is an ancestor of some
> starting user namespace.
>
> But please let's error on the side of caution here.
Let's say I'd like to use userns but still have a single and global
auditd. Dropping the capability will be required for that? That sounds
bad. The fact new user namespaces will want to control the separated
audit namespace doesn't require tie in.
--
Aristeu
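The three delivery policies Eric sketches above (global daemon only; only the daemon of the user namespace owning the network stack; every ancestor user namespace's daemon) can be modelled in a few lines of user-space C. The example below is added here and is not code from the thread, from Gao feng's series or from the kernel; `struct user_ns`, `struct net_ns`, `enum policy` and the daemon-attached flag are hypothetical stand-ins for the real kernel objects. The constructed scenario has an audit daemon in the initial user namespace and in a container, but none in a nested namespace that owns the network namespace generating the record, which is exactly the case Gao raises for netfilter-generated messages.

```c
/* Added example, not from the thread or the kernel. User-space model of where
 * a kernel-generated audit record goes under three candidate policies when
 * audit state is kept per user namespace. All names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct user_ns {
    const char *name;
    struct user_ns *parent;   /* NULL for the initial user namespace */
    bool has_auditd;          /* an audit daemon is attached to this ns */
    int delivered;            /* records that reached this ns's daemon */
};

/* A network namespace is owned by exactly one user namespace. */
struct net_ns {
    const char *name;
    struct user_ns *owner;
};

enum policy {
    POLICY_GLOBAL_ONLY,       /* only the initial user namespace's daemon */
    POLICY_NETNS_OWNER_ONLY,  /* only the owning user namespace's daemon */
    POLICY_ALL_ANCESTORS      /* every ancestor (inclusive) with a daemon */
};

static struct user_ns *root_user_ns(struct user_ns *ns)
{
    while (ns->parent)
        ns = ns->parent;
    return ns;
}

/* Deliver one record originating in netns; returns how many daemons got it.
 * A return of 0 means the record is silently lost under that policy. */
static int deliver(struct net_ns *netns, enum policy p)
{
    struct user_ns *ns;
    int reached = 0;

    switch (p) {
    case POLICY_GLOBAL_ONLY:
        ns = root_user_ns(netns->owner);
        if (ns->has_auditd) { ns->delivered++; reached++; }
        break;
    case POLICY_NETNS_OWNER_ONLY:
        ns = netns->owner;
        if (ns->has_auditd) { ns->delivered++; reached++; }
        break;
    case POLICY_ALL_ANCESTORS:
        /* Walk up the user namespace hierarchy, as in Eric's per-ns filter idea. */
        for (ns = netns->owner; ns; ns = ns->parent)
            if (ns->has_auditd) { ns->delivered++; reached++; }
        break;
    }
    return reached;
}

/* Constructed scenario: init (auditd) -> container (auditd) -> nested (no auditd),
 * with the record's network namespace owned by "nested". */
int audit_delivery_demo(enum policy p)
{
    struct user_ns init_ns = { "init_user_ns", NULL,     true,  0 };
    struct user_ns cont_ns = { "container",    &init_ns, true,  0 };
    struct user_ns nested  = { "nested",       &cont_ns, false, 0 };
    struct net_ns  netns   = { "nested-net",   &nested };

    return deliver(&netns, p);
}

int main(void)
{
    printf("global only:      %d daemon(s)\n", audit_delivery_demo(POLICY_GLOBAL_ONLY));
    printf("netns owner only: %d daemon(s)\n", audit_delivery_demo(POLICY_NETNS_OWNER_ONLY));
    printf("all ancestors:    %d daemon(s)\n", audit_delivery_demo(POLICY_ALL_ANCESTORS));
    return 0;
}
```

The owner-only policy reaches no daemon in this scenario, which is the loss Gao is worried about; the ancestor walk reaches both daemons, and the global-only policy reaches one, which is the conservative default Eric argues for until the hierarchy walk is agreed.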
Thread overview: 39+ messages
2013-06-19 1:53 [Part1 PATCH 00/22] Add namespace support for audit Gao feng
2013-06-19 1:53 ` [PATCH 01/22] Audit: change type of audit_ever_enabled to bool Gao feng
2013-06-19 1:53 ` [PATCH 02/22] Audit: remove duplicate comments Gao feng
2013-06-19 1:53 ` [PATCH 03/22] Audit: make audit kernel side netlink sock per userns Gao feng
2013-06-19 1:53 ` [PATCH 04/22] netlink: Add compare function for netlink_table Gao feng
2013-06-19 1:53 ` [PATCH 05/22] Audit: implement audit self-defined compare function Gao feng
2013-06-19 1:53 ` [PATCH 06/22] Audit: make audit_skb_queue per user namespace Gao feng
2013-06-19 1:53 ` [PATCH 07/22] Audit: make audit_skb_hold_queue " Gao feng
2013-06-19 1:53 ` [PATCH 08/22] Audit: make kauditd_task " Gao feng
2013-06-19 1:53 ` [PATCH 09/22] Audit: make audit_nlk_portid per user namespace Gao feng
2013-06-19 1:53 ` [PATCH 10/22] Audit: make audit_enabled per user namespace Gao feng
2013-06-19 1:53 ` [PATCH 11/22] Audit: make audit_ever_enabled " Gao feng
2013-06-19 1:53 ` [PATCH 12/22] Audit: make audit_initialized " Gao feng
2013-06-19 1:53 ` [PATCH 13/22] Audit: only allow init user namespace to change rate limit Gao feng
2013-06-19 1:53 ` [PATCH 14/22] Audit: only allow init user namespace to change audit_failure Gao feng
2013-06-19 1:53 ` [PATCH 15/22] Audit: only allow init user namespace to change backlog_limit Gao feng
2013-06-19 1:53 ` [PATCH 16/22] Audit: make kauditd_wait per user namespace Gao feng
2013-06-19 1:53 ` [PATCH 17/22] Audit: make audit_backlog_wait " Gao feng
2013-06-19 1:53 ` [PATCH 18/22] Audit: introduce new audit logging interface for " Gao feng
2013-06-19 1:53 ` [PATCH 19/22] Audit: pass proper user namespace to audit_log_common_recv_msg Gao feng
2013-06-19 1:53 ` [PATCH 20/22] Audit: Log audit config change in uninit user namespace Gao feng
2013-06-19 1:53 ` [PATCH 21/22] Audit: send reply message to the auditd in proper " Gao feng
2013-06-19 1:53 ` [PATCH 22/22] Audit: Allow GET,SET,USER MSG operations in uninit " Gao feng
2013-06-19 20:49 ` [Part1 PATCH 00/22] Add namespace support for audit Aristeu Rozanski
2013-06-19 20:51 ` Eric Paris
2013-06-19 21:03 ` Eric W. Biederman
2013-06-20 5:21 ` Gao feng
2013-06-20 3:02 ` Gao feng
2013-06-20 3:09 ` Gao feng
2013-06-20 22:01 ` Eric W. Biederman
2013-06-21 5:15 ` Gao feng
2013-06-24 15:02 ` Aristeu Rozanski [this message]
2013-06-24 19:03 ` Eric W. Biederman
2013-06-20 13:02 ` Eric Paris
2013-06-20 20:45 ` Serge E. Hallyn
2013-06-21 3:48 ` Gao feng
2013-06-21 9:51 ` Daniel J Walsh
2013-06-21 10:49 ` Eric W. Biederman
2013-07-04 3:30 ` Gao feng