On Wed, Mar 20, 2013 at 03:01:32PM -0400, Eric Paris wrote:
> [veering away from this particular patch]
> We are also talking about adding a CAP_AUDIT_READ and sending messages
> via multicast on the audit socket. The problem is I don't know how the
> audit socket could work in the network namespace world. Right now
> kauditd has:
>
>     audit_sock = netlink_kernel_create(&init_net, NETLINK_AUDIT, &cfg);
>
> So there won't ever be anything on the kernel side of the audit socket
> in a non-init network namespace. Let's say that is fixed somehow (I
> assume it's possible? something? magic pixies?) I think we'd somehow
> need to do the CAP_AUDIT_READ check against the user namespace
> associated with the network namespace in question? But what messages
> should go to this userspace auditd?
> Going to have to have audit namespaces too. But only CAP_AUDIT_READ
> would make sense in the new audit namespace...
I guess that could be achieved by forcing the creation of a new network
namespace at the same time you create a new audit namespace. Any new
network namespace created inside this new container would lose CAP_AUDIT_*.
--
Aristeu
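The thread turns on two facts a container administrator can check from userspace: whether a process still shares the initial network namespace that kauditd's socket is created in, and which CAP_AUDIT_* bits the process actually holds. The following script is an added example written for this page; it is not code from the thread or from the kernel audit subsystem. It decodes the capability masks in /proc/<pid>/status and reads the network-namespace link. The capability numbers are the kernel's (CAP_AUDIT_WRITE = 29, CAP_AUDIT_CONTROL = 30); CAP_AUDIT_READ = 37 was only added to the kernel after this discussion, so on a kernel from the thread's era that bit is simply never set. The two status excerpts are constructed sample input, not captured from a real system.

```python
"""Report the CAP_AUDIT_* bits a process holds and the network namespace
it lives in, by parsing /proc/<pid>/status and /proc/<pid>/ns/net.

Added example for the audit/namespace thread; not kernel or auditd code.
"""
import os
import re

# Capability bit numbers from the kernel's include/uapi/linux/capability.h.
CAP_AUDIT_WRITE = 29
CAP_AUDIT_CONTROL = 30
CAP_AUDIT_READ = 37      # added in a later kernel (3.16), after this thread

AUDIT_CAPS = {
    "CAP_AUDIT_WRITE": CAP_AUDIT_WRITE,
    "CAP_AUDIT_CONTROL": CAP_AUDIT_CONTROL,
    "CAP_AUDIT_READ": CAP_AUDIT_READ,
}

# /proc/<pid>/status carries one hex mask per capability set.
_CAP_LINE = re.compile(
    r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", re.MULTILINE)


def parse_cap_masks(status_text):
    """Return {'CapEff': int, 'CapBnd': int, ...} from status-file text."""
    return {name: int(hexval, 16) for name, hexval in _CAP_LINE.findall(status_text)}


def audit_caps_in(mask):
    """Names of the CAP_AUDIT_* bits that are set in one capability mask."""
    return [name for name, bit in AUDIT_CAPS.items() if (mask >> bit) & 1]


def audit_cap_report(status_text):
    """Map each capability set (CapEff, CapBnd, ...) to its CAP_AUDIT_* names."""
    return {set_name: audit_caps_in(mask)
            for set_name, mask in parse_cap_masks(status_text).items()}


def process_audit_caps(pid="self"):
    """Live variant: read /proc/<pid>/status on the running system."""
    with open(f"/proc/{pid}/status") as f:
        return audit_cap_report(f.read())


def shares_init_net_ns(pid="self"):
    """True if <pid> is in the same network namespace as PID 1.

    Only a socket in the initial network namespace can reach the
    kernel-side NETLINK_AUDIT socket created with &init_net, so a
    process for which this returns False gets no audit traffic.
    Requires permission to read both ns links.
    """
    return os.readlink(f"/proc/{pid}/ns/net") == os.readlink("/proc/1/ns/net")


# Constructed sample input: a fully privileged process in the init namespaces.
SAMPLE_STATUS_PRIVILEGED = """\
Name:\tauditd
CapInh:\t0000000000000000
CapPrm:\t0000003fffffffff
CapEff:\t0000003fffffffff
CapBnd:\t0000003fffffffff
CapAmb:\t0000000000000000
"""

# Constructed sample input: an unprivileged process in a container whose
# bounding set still allows CAP_AUDIT_WRITE but nothing else audit-related.
SAMPLE_STATUS_CONTAINER = """\
Name:\tsh
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    for label, text in (("privileged", SAMPLE_STATUS_PRIVILEGED),
                        ("container", SAMPLE_STATUS_CONTAINER)):
        print(label, audit_cap_report(text))
    # On a live Linux host, uncomment to inspect the current process:
    # print(process_audit_caps(), shares_init_net_ns())
```

The bounding set (CapBnd) is the interesting one for the "lose CAP_AUDIT_*" idea above: a process can regain bits from CapBnd through a file capability or setuid binary, so a container that is meant to have no audit access needs those bits cleared from CapBnd, not just from CapEff.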