Audit subsystem was disabled in total for user namespaces other than
the initial namespace.
If audit is enabled by kernel command line or audtid in initial namespace,
it is now possible to allow at least logging of userspace applications
inside of non-initial namespaces if CAP_AUDIT_WRITE in the corresponding
namespace is held.
This allows logging of, e.g., PAM or opensshd inside user namespaced
system containers.
Signed-off-by: Michael Weiß <michael.weiss(a)aisec.fraunhofer.de>
---
kernel/audit.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 121d37e700a6..b5cc0669c3d7 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1012,7 +1012,13 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
* userspace will reject all logins. This should be removed when we
* support non init namespaces!!
*/
- if (current_user_ns() != &init_user_ns)
+ /*
+ * If audit is enabled by kernel command line or audtid in the initial
+ * namespace allow at least logging of userspace applications inside of
+ * non-initial namespaces according to CAP_AUDIT_WRITE is held in the
+ * corresponding namespace.
+ */
+ if ((current_user_ns() != &init_user_ns) && !audit_enabled)
return -ECONNREFUSED;
switch (msg_type) {
@@ -1043,7 +1049,7 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
case AUDIT_USER:
case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
- if (!netlink_capable(skb, CAP_AUDIT_WRITE))
+ if (!netlink_ns_capable(skb, current_user_ns(), CAP_AUDIT_WRITE))
err = -EPERM;
break;
default: /* bad msg */
--
2.20.1