On 07/20/2013 05:15 AM, Richard Guy Briggs wrote:
On Wed, Jul 17, 2013 at 11:54:21AM +0800, Gao feng wrote:
> Hi, Richard
>
> On 07/17/2013 04:32 AM, Richard Guy Briggs wrote:
>> Convert audit from only listening in init_net to use register_pernet_subsys()
>> to dynamically manage the netlink socket list.
>>
>> Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
>> ---
>
> Right now audit still can't be used in uninit pid/user namespace,
> Consider this, when user in uninit pid/user namespace is allowed
> to setup/run audit subsystem, since the kernel thread always runs
> in init pid namespace, so we can't get right net namespace through
> get_net_ns_by_pid, The audit information will be sent to incorrect
> net namespace by kernel thread.
>
> In my opinion, This patch is limited and nonextensile.
>
> Maybe you should check the patchset "[Part1 PATCH 00/22] Add namespace support
for audit"
> I sent in 06/19/2013, In my solution, audit kernel side netlink sockets belongs
> to user namespace, and the user space audit netlink sockets will find the audit
> kernel socket through current_net_ns()->user_ns->audit.sock.
I already looked at your 48-patch and 22-patch sets and the threads of
comments. The concerns expressed in that thread haven't been fully
addressed yet by you.
Sorry, I think I had addressed all the problems in thar thread, maybe I missed
some, please help me to point it out, fell free to keep on discussing with me
in that thread.
> The "[PATCH 04/22] netlink: Add compare function for
netlink_table" of this patchset
> has been merged in linux mainline. I think if you look at my patchset, you will find
> the [PATCH 03/22] and [PATCH 05/22] will achieve the same aim of your patch.
I don't have any specific issues with patch 04/22.
For patch 05/22, I would have just stopped with comparing the two net
namespace pointers.
As for patch 03/22...
The init user namespace doesn't have a one-to-one mapping to network
namespace, so this won't solve the problem I was trying to solve.
If your problem is auditctl is unavailable in uninit net namespace, I
think my solution can solve this problem, since two audit netlink sockets
can communicate with each other when the net namespaces they belong to are
created by the same user namespace.
Maybe I misunderstand what is your problem here.
In the initial user namespace, I can have as many network namespaces
as
I want. I want kaudit to listen in all of them. There is already a
conservative check to make sure that audit won't permit changes from
any non-initial user namespace (or pid space):
kernel/audit.c:583:audit_netlink_ok():
if ((current_user_ns() != &init_user_ns) ||
(task_active_pid_ns(current) != &init_pid_ns))
return -EPERM;
This check needs to be revisited to allow some loosening of this policy,
but it was sound to start off too restrictive.
(
https://bugzilla.redhat.com/show_bug.cgi?id=947530)
Yes, it was too restrictive, but I can't see what the help from this patch to
solve this problem.
The certification issues surrounding non-initial user namespaces
haven't
been adequately resolved yet, not having yet seen a followup patchset,
so we can combine these ideas once those issues have been addressed.
I agree we will need to be careful how the specific target socket and
portid are selected once we end up in other pid namespaces. For now,
are there specific concerns with this patch or better ways to
future-proof the selection of kaudit sockets and portids?
I my solution, even there are many net namespaces belong to the same user namespace,
there will only be one audit kernel side netlink socket, so all of the user space
audit netlink sockets in these net namespaces will find out/communicate with this
kernel audit socket.
and the kaudit sockets, portid belong to the user namespace,they are the one and only
in each user namespace.
Thanks