On Wed, Jul 17, 2013 at 11:54:21AM +0800, Gao feng wrote:
> Hi, Richard
> On 07/17/2013 04:32 AM, Richard Guy Briggs wrote:
> > Convert audit from only listening in init_net to use register_pernet_subsys()
> > to dynamically manage the netlink socket list.
> >
> > Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
> > ---
> Right now audit still can't be used in an uninit pid/user namespace.
> Consider this: when a user in an uninit pid/user namespace is allowed
> to set up/run the audit subsystem, since the kernel thread always runs
> in the init pid namespace, we can't get the right net namespace through
> get_net_ns_by_pid, and the audit information will be sent to the incorrect
> net namespace by the kernel thread.
> In my opinion, this patch is limited and non-extensible.
> Maybe you should check the patchset "[Part1 PATCH 00/22] Add namespace support for audit"
> I sent on 06/19/2013. In my solution, the audit kernel side netlink sockets belong
> to the user namespace, and the user space audit netlink sockets will find the audit
> kernel socket through current_net_ns()->user_ns->audit.sock.
I already looked at your 48-patch and 22-patch sets and the threads of
comments. The concerns expressed in that thread haven't been fully
addressed yet by you.
> The "[PATCH 04/22] netlink: Add compare function for netlink_table" of this patchset
> has been merged in linux mainline. I think if you look at my patchset, you will find
> that [PATCH 03/22] and [PATCH 05/22] achieve the same aim as your patch.
I don't have any specific issues with patch 04/22.
For patch 05/22, I would have just stopped with comparing the two net
namespace pointers.
As for patch 03/22...
The init user namespace doesn't have a one-to-one mapping to network
namespace, so this won't solve the problem I was trying to solve.
In the initial user namespace, I can have as many network namespaces as
I want. I want kaudit to listen in all of them. There is already a
conservative check to make sure that audit won't permit changes from
any non-initial user namespace (or pid space):
kernel/audit.c:583:audit_netlink_ok():

	if ((current_user_ns() != &init_user_ns) ||
	    (task_active_pid_ns(current) != &init_pid_ns))
		return -EPERM;

This check needs to be revisited to allow some loosening of this policy,
but it was sound to start off too restrictive.
(https://bugzilla.redhat.com/show_bug.cgi?id=947530)
The certification issues surrounding non-initial user namespaces haven't
been adequately resolved yet, not having yet seen a follow-up patchset,
so we can combine these ideas once those issues have been addressed.
I agree we will need to be careful how the specific target socket and
portid are selected once we end up in other pid namespaces. For now,
are there specific concerns with this patch or better ways to
future-proof the selection of kaudit sockets and portids?
Thanks!
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer
Kernel Security
AMER ENG Base Operating Systems
Remote, Ottawa, Canada
Voice: +1.647.777.2635
Internal: (81) 32635
Alt: +1.613.693.0684x3545