On Mon, Jul 22, 2013 at 11:20:57AM +0800, Gao feng wrote:
> On 07/20/2013 05:15 AM, Richard Guy Briggs wrote:
> > On Wed, Jul 17, 2013 at 11:54:21AM +0800, Gao feng wrote:
> >> Hi, Richard
> >>
> >> On 07/17/2013 04:32 AM, Richard Guy Briggs wrote:
> >>> Convert audit from only listening in init_net to use register_pernet_subsys()
> >>> to dynamically manage the netlink socket list.
> >>>
> >>> Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
> >>> ---
> >>
> >> Right now audit still can't be used in an uninit pid/user namespace.
> >> Consider this: when a user in an uninit pid/user namespace is allowed
> >> to setup/run the audit subsystem, since the kernel thread always runs
> >> in the init pid namespace, we can't get the right net namespace through
> >> get_net_ns_by_pid, so the audit information will be sent to an incorrect
> >> net namespace by the kernel thread.
> >>
> >> In my opinion, this patch is limited and non-extensible.
> >>
> >> Maybe you should check the patchset "[Part1 PATCH 00/22] Add namespace support for audit"
> >> I sent on 06/19/2013. In my solution, audit kernel side netlink sockets belong
> >> to the user namespace, and the user space audit netlink sockets will find the audit
> >> kernel socket through current_net_ns()->user_ns->audit.sock.
> >
> > I already looked at your 48-patch and 22-patch sets and the threads of
> > comments.  The concerns expressed in that thread haven't been fully
> > addressed yet by you.
> >
> Sorry, I think I had addressed all the problems in that thread; maybe I missed
> some, please help me to point them out, feel free to keep on discussing with me
> in that thread.

There are several branches to that thread that went unresolved.  I
haven't seen a followup patchset that attempts to address them:
  https://www.redhat.com/archives/linux-audit/2013-June/msg00046.html
  https://www.redhat.com/archives/linux-audit/2013-June/msg00056.html
  https://www.redhat.com/archives/linux-audit/2013-June/msg00048.html
  https://www.redhat.com/archives/linux-audit/2013-June/msg00050.html

But coming back to Eric Paris' original response and subsequent example,
neither have been addressed adequately:
  https://www.redhat.com/archives/linux-audit/2013-June/msg00035.html
  https://www.redhat.com/archives/linux-audit/2013-June/msg00039.html
and neither has the concern about making LSPP certification impossible.

> >> The "[PATCH 04/22] netlink: Add compare function for netlink_table" of this patchset
> >> has been merged in linux mainline. I think if you look at my patchset, you will find
> >> that [PATCH 03/22] and [PATCH 05/22] will achieve the same aim as your patch.
> >
> > I don't have any specific issues with patch 04/22.
> >
> > For patch 05/22, I would have just stopped with comparing the two net
> > namespace pointers.
> >
> > As for patch 03/22...
> >
> > The init user namespace doesn't have a one-to-one mapping to network
> > namespace, so this won't solve the problem I was trying to solve.
>
> If your problem is that auditctl is unavailable in an uninit net namespace, I
> think my solution can solve this problem, since two audit netlink sockets
> can communicate with each other when the net namespaces they belong to are
> created by the same user namespace.

I don't follow how this is possible.

> Maybe I misunderstand what your problem is here.
>
> > In the initial user namespace, I can have as many network namespaces as
> > I want.  I want kaudit to listen in all of them.  There is already a
> > conservative check to make sure that audit won't permit changes from
> > any non-initial user namespace (or pid space):
> > kernel/audit.c:583:audit_netlink_ok():
> >         if ((current_user_ns() != &init_user_ns) ||
> >             (task_active_pid_ns(current) != &init_pid_ns))
> >                 return -EPERM;
> > This check needs to be revisited to allow some loosening of this policy,
> > but it was sound to start off too restrictive.
> > (https://bugzilla.redhat.com/show_bug.cgi?id=947530)
>
> Yes, it was too restrictive, but I can't see how this patch helps to
> solve this problem.

It hasn't been solved yet.  It is one of the next in line.

> > The certification issues surrounding non-initial user namespaces haven't
> > been adequately resolved yet, not having yet seen a followup patchset,
> > so we can combine these ideas once those issues have been addressed.
> >
> > I agree we will need to be careful how the specific target socket and
> > portid are selected once we end up in other pid namespaces.  For now,
> > are there specific concerns with this patch or better ways to
> > future-proof the selection of kaudit sockets and portids?
>
> In my solution, even if there are many net namespaces belonging to the same user namespace,
> there will only be one audit kernel side netlink socket, so all of the user space
> audit netlink sockets in these net namespaces will find/communicate with this
> kernel audit socket.

I will need to go back and have a second look to see how this works.

> And the kaudit socket and portid belong to the user namespace; they are the one and only
> in each user namespace.

Do they not currently belong to the pid namespace?
Thanks
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer
Kernel Security
AMER ENG Base Operating Systems
Remote, Ottawa, Canada
Voice: +1.647.777.2635
Internal: (81) 32635
Alt: +1.613.693.0684x3545