Re: [PATCH] audit: listen in all network namespaces

On Mon, Jul 22, 2013 at 11:20:57AM +0800, Gao feng wrote: > On 07/20/2013 05:15 AM, Richard Guy Briggs wrote: >> On Wed, Jul 17, 2013 at 11:54:21AM +0800, Gao feng wrote: >>> Hi, Richard >>> >>> On 07/17/2013 04:32 AM, Richard Guy Briggs wrote: >>>> Convert audit from only listening in init_net to use register_pernet_subsys() >>>> to dynamically manage the netlink socket list. >>>> >>>> Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com&gt; >>>> --- >>> >>> Right now audit still can't be used in uninit pid/user namespace, >>> Consider this, when user in uninit pid/user namespace is allowed >>> to setup/run audit subsystem, since the kernel thread always runs >>> in init pid namespace, so we can't get right net namespace through >>> get_net_ns_by_pid, The audit information will be sent to incorrect >>> net namespace by kernel thread. >>> >>> In my opinion, This patch is limited and nonextensile. >>> >>> Maybe you should check the patchset "[Part1 PATCH 00/22] Add namespace support for audit" >>> I sent in 06/19/2013, In my solution, audit kernel side netlink sockets belongs >>> to user namespace, and the user space audit netlink sockets will find the audit >>> kernel socket through current_net_ns()->user_ns->audit.sock. >> >> I already looked at your 48-patch and 22-patch sets and the threads of >> comments. The concerns expressed in that thread haven't been fully >> addressed yet by you. >> > > Sorry, I think I had addressed all the problems in thar thread, maybe I missed > some, please help me to point it out, fell free to keep on discussing with me > in that thread. There are several branches to that thread that went unresolved. I haven't seen a followup patchset that attempts to address them: https://www.redhat.com/archives/linux-audit/2013-June/msg00046.html https://www.redhat.com/archives/linux-audit/2013-June/msg00056.html https://www.redhat.com/archives/linux-audit/2013-June/msg00048.html https://www.redhat.com/archives/linux-audit/2013-June/msg00050.html But coming back to Eric Paris' original response and subsequent example, neither have been addressed adequately: https://www.redhat.com/archives/linux-audit/2013-June/msg00035.html https://www.redhat.com/archives/linux-audit/2013-June/msg00039.html and neither has the concern about making LSPP certification impossible.

>>> The "[PATCH 04/22] netlink: Add compare function for netlink_table" of this patchset >>> has been merged in linux mainline. I think if you look at my patchset, you will find >>> the [PATCH 03/22] and [PATCH 05/22] will achieve the same aim of your patch. >> >> I don't have any specific issues with patch 04/22. >> >> For patch 05/22, I would have just stopped with comparing the two net >> namespace pointers. >> >> As for patch 03/22... >> >> The init user namespace doesn't have a one-to-one mapping to network >> namespace, so this won't solve the problem I was trying to solve. > > If your problem is auditctl is unavailable in uninit net namespace, I > think my solution can solve this problem, since two audit netlink sockets > can communicate with each other when the net namespaces they belong to are > created by the same user namespace. I don't follow how this is possible. > Maybe I misunderstand what is your problem here. > >> In the initial user namespace, I can have as many network namespaces as >> I want. I want kaudit to listen in all of them. There is already a >> conservative check to make sure that audit won't permit changes from >> any non-initial user namespace (or pid space): >> kernel/audit.c:583:audit_netlink_ok(): >> if ((current_user_ns() != &init_user_ns) || >> (task_active_pid_ns(current) != &init_pid_ns)) >> return -EPERM; >> This check needs to be revisited to allow some loosening of this policy, >> but it was sound to start off too restrictive. >> (https://bugzilla.redhat.com/show_bug.cgi?id=947530) > > Yes, it was too restrictive, but I can't see what the help from this patch to > solve this problem. It hasn't been solved yet. It is one of the next in line.

>> The certification issues surrounding non-initial user namespaces haven't >> been adequately resolved yet, not having yet seen a followup patchset, >> so we can combine these ideas once those issues have been addressed. >> >> I agree we will need to be careful how the specific target socket and >> portid are selected once we end up in other pid namespaces. For now, >> are there specific concerns with this patch or better ways to >> future-proof the selection of kaudit sockets and portids? > > I my solution, even there are many net namespaces belong to the same user namespace, > there will only be one audit kernel side netlink socket, so all of the user space > audit netlink sockets in these net namespaces will find out/communicate with this > kernel audit socket. I will need to go back and have a second look to see how this works. > and the kaudit sockets, portid belong to the user namespace,they are the one and only > in each user namespace. Do they not currently belong to the pid namespace?