On Mon, Oct 17, 2016 at 11:40 AM, Richard Guy Briggs <rgb(a)redhat.com> wrote:
> On 2016-10-11 18:15, Paul Moore wrote:
> > Looking back through the git logs, it looks like it originally came
> > out of the user namespace work by Eric Biederman.
>
> That's exactly where it came from. Eric submitted the patch 780a7654 to
> fix the regression caused by e1760bd (userns: Convert the audit loginuid
> to be a kuid) and its set of 9 patches that were part of a 41-patch set.
> I notice Paul was Cc:-ed on that set...
I don't have the time to dig through my mail to see what all was
included in that patchset, but based on the git log that patch was
from April 2013 and I didn't become responsible for the audit code
until October 2014. I also don't see my Acked-by/Reviewed-by tag on
that commit so it is safe to say I was busy with other things at the
time. There are plenty of things you can blame me for, this ain't one
of 'em.
> I had to work around the workaround when Steve reported the "f24=..."
> values.
>
> I can accept that Steve doesn't want to add more ways of doing the same
> thing, so I don't have an easy answer in terms of AUDIT_LOGINUID_SET
> being exposed in the UAPI.
>
> Since sessionid is a new field for filter specification (but not
> reporting and searching), I blocked sessionid==-1 in the API for setting
> filters. This unfortunately makes it a different way to specify it than
> loginuid when it is not set.
We are not going to change the loginuid related mechanisms at this
point; they aren't causing any breakage, and I don't want to break the
existing kernel/user API without a good reason.
We haven't merged any of the session ID code into the kernel so
changes are still possible. The logic for supporting loginuid_set
(UID namespace issues) doesn't really apply to session IDs, so I think we
can drop the sessionid_set part of the API and just use the -1
sentinel. If you are all still looking to blame somebody, you can all
blame me for suggesting session ID to Richard.
Richard, if we use -1 as a magic number for the session ID, we should
make sure we roll the session ID value assigned to new sessions before
we hit -1 in audit_set_loginuid(...).
--
paul moore
security @ redhat
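The two design points in Paul's reply, rejecting -1 as a filter value and making sure the allocator never hands -1 out as a real session ID, in working form. This is an added illustration written for this page; it is not code from the thread or from the kernel audit subsystem. The names SESSIONID_UNSET, sessionid_alloc, sid_rule_install and sid_rule_match are assumptions made for the example, and C11 atomics stand in for the kernel's atomic_t.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Sentinel for "no session assigned yet": the -1 magic number from the thread.
 * The macro name is an assumption for this example, not a kernel identifier. */
#define SESSIONID_UNSET ((unsigned int)-1)

/* Allocator state. In the kernel this would be an atomic_t; C11 atomics stand in. */
static atomic_uint session_counter = 0;

/* Position the counter; used below to start just under the wrap point. */
void sessionid_seed(unsigned int start)
{
    atomic_store(&session_counter, start);
}

/* Hand out the next session ID, like atomic_inc_return(), but never the
 * sentinel. If the increment lands on SESSIONID_UNSET we increment again;
 * the counter wraps and 0 is returned. Racing callers are safe because each
 * fetch_add yields a distinct value, so the skipped sentinel cannot be
 * observed by anyone else. */
unsigned int sessionid_alloc(void)
{
    unsigned int sid = atomic_fetch_add(&session_counter, 1) + 1;
    if (sid == SESSIONID_UNSET)
        sid = atomic_fetch_add(&session_counter, 1) + 1;
    return sid;
}

/* Comparison operators for a filter rule on the sessionid field. */
enum sid_op { SID_EQ, SID_NE, SID_LT, SID_GT };

struct sid_rule {
    enum sid_op op;
    unsigned int value;
};

/* Rule installation: reject any rule whose value is the sentinel, the
 * "block sessionid==-1 in the API" behaviour Richard describes. Returns
 * false where kernel code would return -EINVAL. */
bool sid_rule_install(struct sid_rule *rule, enum sid_op op, unsigned int value)
{
    if (value == SESSIONID_UNSET)
        return false;
    rule->op = op;
    rule->value = value;
    return true;
}

/* Evaluate an installed rule against a task's session ID. */
bool sid_rule_match(const struct sid_rule *rule, unsigned int task_sid)
{
    switch (rule->op) {
    case SID_EQ: return task_sid == rule->value;
    case SID_NE: return task_sid != rule->value;
    case SID_LT: return task_sid <  rule->value;
    case SID_GT: return task_sid >  rule->value;
    }
    return false;
}

int main(void)
{
    /* Start two below the sentinel so the next two allocations cross it. */
    sessionid_seed(SESSIONID_UNSET - 2);
    unsigned int a = sessionid_alloc();   /* 0xfffffffe */
    unsigned int b = sessionid_alloc();   /* sentinel skipped, counter wrapped: 0 */
    printf("a=%u b=%u\n", a, b);

    struct sid_rule r;
    printf("install sessionid==-1: %s\n",
           sid_rule_install(&r, SID_EQ, SESSIONID_UNSET) ? "accepted" : "rejected");

    /* Caveat: the sentinel is the largest unsigned value, so an ordering rule
     * such as sessionid>100 still matches a task whose session is unset. */
    sid_rule_install(&r, SID_GT, 100);
    printf("unset task matches sessionid>100: %d\n", sid_rule_match(&r, SESSIONID_UNSET));
    return 0;
}
```

The second allocation is the case Paul asks for: the increment lands on (unsigned int)-1, the allocator takes another step, and the caller receives 0 rather than the sentinel. Note the caveat in main(): rejecting -1 at rule-installation time stops `sessionid=-1` from being expressed, but because the sentinel is the maximum unsigned value, ordering rules (`sessionid>N`) will still match tasks with no session; whether that is desired has to be decided separately.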