9:20 p.m.
This patchset try to add namespace support for audit.
I choose to assign audit to the user namespace.
Right now,there are six kinds of namespaces, such as
net, mount, ipc, pid, uts and user. the first five
namespaces have special usage. the audit isn't suitable to
belong to these five namespaces, so the user namespace
may be the best choice.
Through I decide to make audit related resources per user
namespace, but audit uses netlink to communicate between kernel
space and user space, and the netlink is a private resource
of per net namespace. So we need the capability to allow the
netlink sockets to communicate with each other in the same user
namespace even they are in different net namespace. [PATCH 2/48]
does this job, it adds a new function "compare" for per netlink
table to compare two sockets. it means the netlink protocols can
has its own compare fuction, For other protocols, two netlink
sockets are different if they belong to the different net namespace.
For audit protocol, two sockets can be the same even they in different
net namespace,we use user namespace not net namespace to make the
decision.
There is one point that some people may dislike,in [PATCH 1/48],
the kernel side audit netlink socket is created only when we create
the first netns for the userns, and this userns will hold the netns
until we destroy this userns.
The other patches just make the audit related resources per
user namespace.
This patchset is sent as an RFC,any comments are welcome.
Gao feng (48):
Audit: make audit kernel side netlink sock per userns
netlink: Add compare function for netlink_table
Audit: implement audit self-defined compare function
Audit: make audit_skb_queue per user namespace
Audit: make audit_skb_hold_queue per user namespace
Audit: make kauditd_task per user namespace
Audit: make audit_pid per user namespace
Audit: make audit_nlk_portid per user namesapce
Audit: make audit_enabled per user namespace
Audit: change type of audit_ever_enabled to bool
Audit: make audit_ever_enabled per user namespace
Audit: make audit_initialized per user namespace
Audit: only allow init user namespace to change audit_rate_limit
Audit: only allow init user namespace to change audit_failure
Audit: allow to send netlink message to auditd in uninit user
namespace
Audit: user proper user namespace in audit_log_config_change
Audit: make kauditd_wait per user namespace
Audit: make audit_backlog_wait per user namespace
Audit: remove duplicate comments
Audit: introduce new audit logging interface for user namespace
Audit: pass proper user namespace to audit_log_common_recv_msg
Audit: Log audit config change in uninit user namespace
Audit: netfilter: Log xt table replace behavior in proper user
namespace
Audit: xt_AUDIT: Log audit message in proper user namespace
Audit: send reply message to the auditd in proper user namespace
Audit: make audit_inode_hash per user namespace
Audit: make tree_list per user namespace
Audit: make audit filter list per user namespace
Audit: make audit_krule belongs to user namespace
Audit: reply audit filter list request to proper user namespace
Audit: pass proper user namespace to audit_filter_syscall
Audit: pass proper user namespace to audit_filter_inode_name
Audit: Log filter related audit message to proper user namespace
Log audit tree related message in proper user namespace
Audit: Log task related audit message to proper user namespace
Audit: Log watch related audit message to proper user namespace
Audit: translate audit_log_start to audit_log_start_ns
Audit: tty: translate audit_log_start to audit_log_start_ns
Audit: netlabel: translate audit_log_start to audit_log_start_ns
Audit: ima: translate audit_log_start to audit_log_start_ns
Audit: lsm: translate audit_log_start to audit_log_start_ns
Audit: selinux: translate audit_log_start to audit_log_start_ns
Audit: xfrm: translate audit_log_start to audit_log_start_ns
Audit: rename audit_log_start_ns to audit_log_start
Audit: user audit_enabled_ns to replace audit_enabled
Audit: rename audit_enabled_ns to audit_enabled
Audit: make audit_log user namespace awared
Audit: allow root user of un-init user namespace to set audit
drivers/tty/tty_audit.c | 9 +-
include/linux/audit.h | 44 ++--
include/linux/netlink.h | 1 +
include/linux/user_namespace.h | 25 +++
include/net/xfrm.h | 7 +-
kernel/audit.c | 393 +++++++++++++++++++++---------------
kernel/audit.h | 24 +--
kernel/audit_tree.c | 49 ++---
kernel/audit_watch.c | 23 ++-
kernel/auditfilter.c | 76 +++----
kernel/auditsc.c | 156 ++++++++------
kernel/user.c | 19 ++
kernel/user_namespace.c | 3 +
net/core/dev.c | 12 +-
net/ipv4/cipso_ipv4.c | 4 +-
net/netfilter/x_tables.c | 9 +-
net/netfilter/xt_AUDIT.c | 8 +-
net/netlabel/netlabel_domainhash.c | 4 +-
net/netlabel/netlabel_unlabeled.c | 8 +-
net/netlabel/netlabel_user.c | 8 +-
net/netlink/af_netlink.c | 26 ++-
net/netlink/af_netlink.h | 1 +
net/xfrm/xfrm_policy.c | 4 +-
net/xfrm/xfrm_state.c | 14 +-
security/apparmor/lib.c | 2 +-
security/integrity/ima/ima_api.c | 5 +-
security/integrity/ima/ima_audit.c | 11 +-
security/integrity/ima/ima_policy.c | 5 +-
security/lsm_audit.c | 8 +-
security/selinux/avc.c | 3 +-
security/selinux/hooks.c | 17 +-
security/selinux/selinuxfs.c | 9 +-
security/selinux/ss/services.c | 30 ++-
security/smack/smack_lsm.c | 3 +-
34 files changed, 630 insertions(+), 390 deletions(-)
--
1.8.1.4
11:55 a.m.
What kernel are these patches against?
On Tue, 2013-05-07 at 10:20 +0800, Gao feng wrote:
This patchset try to add namespace support for audit.
I choose to assign audit to the user namespace.
Right now,there are six kinds of namespaces, such as
net, mount, ipc, pid, uts and user. the first five
namespaces have special usage. the audit isn't suitable to
belong to these five namespaces, so the user namespace
may be the best choice.
Through I decide to make audit related resources per user
namespace, but audit uses netlink to communicate between kernel
space and user space, and the netlink is a private resource
of per net namespace. So we need the capability to allow the
netlink sockets to communicate with each other in the same user
namespace even they are in different net namespace. [PATCH 2/48]
does this job, it adds a new function "compare" for per netlink
table to compare two sockets. it means the netlink protocols can
has its own compare fuction, For other protocols, two netlink
sockets are different if they belong to the different net namespace.
For audit protocol, two sockets can be the same even they in different
net namespace,we use user namespace not net namespace to make the
decision.
There is one point that some people may dislike,in [PATCH 1/48],
the kernel side audit netlink socket is created only when we create
the first netns for the userns, and this userns will hold the netns
until we destroy this userns.
The other patches just make the audit related resources per
user namespace.
This patchset is sent as an RFC,any comments are welcome.
Gao feng (48):
Audit: make audit kernel side netlink sock per userns
netlink: Add compare function for netlink_table
Audit: implement audit self-defined compare function
Audit: make audit_skb_queue per user namespace
Audit: make audit_skb_hold_queue per user namespace
Audit: make kauditd_task per user namespace
Audit: make audit_pid per user namespace
Audit: make audit_nlk_portid per user namesapce
Audit: make audit_enabled per user namespace
Audit: change type of audit_ever_enabled to bool
Audit: make audit_ever_enabled per user namespace
Audit: make audit_initialized per user namespace
Audit: only allow init user namespace to change audit_rate_limit
Audit: only allow init user namespace to change audit_failure
Audit: allow to send netlink message to auditd in uninit user
namespace
Audit: user proper user namespace in audit_log_config_change
Audit: make kauditd_wait per user namespace
Audit: make audit_backlog_wait per user namespace
Audit: remove duplicate comments
Audit: introduce new audit logging interface for user namespace
Audit: pass proper user namespace to audit_log_common_recv_msg
Audit: Log audit config change in uninit user namespace
Audit: netfilter: Log xt table replace behavior in proper user
namespace
Audit: xt_AUDIT: Log audit message in proper user namespace
Audit: send reply message to the auditd in proper user namespace
Audit: make audit_inode_hash per user namespace
Audit: make tree_list per user namespace
Audit: make audit filter list per user namespace
Audit: make audit_krule belongs to user namespace
Audit: reply audit filter list request to proper user namespace
Audit: pass proper user namespace to audit_filter_syscall
Audit: pass proper user namespace to audit_filter_inode_name
Audit: Log filter related audit message to proper user namespace
Log audit tree related message in proper user namespace
Audit: Log task related audit message to proper user namespace
Audit: Log watch related audit message to proper user namespace
Audit: translate audit_log_start to audit_log_start_ns
Audit: tty: translate audit_log_start to audit_log_start_ns
Audit: netlabel: translate audit_log_start to audit_log_start_ns
Audit: ima: translate audit_log_start to audit_log_start_ns
Audit: lsm: translate audit_log_start to audit_log_start_ns
Audit: selinux: translate audit_log_start to audit_log_start_ns
Audit: xfrm: translate audit_log_start to audit_log_start_ns
Audit: rename audit_log_start_ns to audit_log_start
Audit: user audit_enabled_ns to replace audit_enabled
Audit: rename audit_enabled_ns to audit_enabled
Audit: make audit_log user namespace awared
Audit: allow root user of un-init user namespace to set audit
drivers/tty/tty_audit.c | 9 +-
include/linux/audit.h | 44 ++--
include/linux/netlink.h | 1 +
include/linux/user_namespace.h | 25 +++
include/net/xfrm.h | 7 +-
kernel/audit.c | 393 +++++++++++++++++++++---------------
kernel/audit.h | 24 +--
kernel/audit_tree.c | 49 ++---
kernel/audit_watch.c | 23 ++-
kernel/auditfilter.c | 76 +++----
kernel/auditsc.c | 156 ++++++++------
kernel/user.c | 19 ++
kernel/user_namespace.c | 3 +
net/core/dev.c | 12 +-
net/ipv4/cipso_ipv4.c | 4 +-
net/netfilter/x_tables.c | 9 +-
net/netfilter/xt_AUDIT.c | 8 +-
net/netlabel/netlabel_domainhash.c | 4 +-
net/netlabel/netlabel_unlabeled.c | 8 +-
net/netlabel/netlabel_user.c | 8 +-
net/netlink/af_netlink.c | 26 ++-
net/netlink/af_netlink.h | 1 +
net/xfrm/xfrm_policy.c | 4 +-
net/xfrm/xfrm_state.c | 14 +-
security/apparmor/lib.c | 2 +-
security/integrity/ima/ima_api.c | 5 +-
security/integrity/ima/ima_audit.c | 11 +-
security/integrity/ima/ima_policy.c | 5 +-
security/lsm_audit.c | 8 +-
security/selinux/avc.c | 3 +-
security/selinux/hooks.c | 17 +-
security/selinux/selinuxfs.c | 9 +-
security/selinux/ss/services.c | 30 ++-
security/smack/smack_lsm.c | 3 +-
34 files changed, 630 insertions(+), 390 deletions(-)
8:13 p.m.
On 05/09/2013 12:55 AM, Eric Paris wrote:
What kernel are these patches against?
This patchset is based on linus's tree.
The last commit is d7ab7302f970a254997687a1cdede421a5635c68
(Merge tag 'mfd-3.10-1' of git://git.kernel.org/pub/scm/linux/kernel/git/same)
Thanks
Gao
4:15 a.m.
On 05/07/2013 10:20 AM, Gao feng wrote:
This patchset try to add namespace support for audit.
I choose to assign audit to the user namespace.
Right now,there are six kinds of namespaces, such as
net, mount, ipc, pid, uts and user. the first five
namespaces have special usage. the audit isn't suitable to
belong to these five namespaces, so the user namespace
may be the best choice.
Through I decide to make audit related resources per user
namespace, but audit uses netlink to communicate between kernel
space and user space, and the netlink is a private resource
of per net namespace. So we need the capability to allow the
netlink sockets to communicate with each other in the same user
namespace even they are in different net namespace. [PATCH 2/48]
does this job, it adds a new function "compare" for per netlink
table to compare two sockets. it means the netlink protocols can
has its own compare fuction, For other protocols, two netlink
sockets are different if they belong to the different net namespace.
For audit protocol, two sockets can be the same even they in different
net namespace,we use user namespace not net namespace to make the
decision.
There is one point that some people may dislike,in [PATCH 1/48],
the kernel side audit netlink socket is created only when we create
the first netns for the userns, and this userns will hold the netns
until we destroy this userns.
The other patches just make the audit related resources per
user namespace.
This patchset is sent as an RFC,any comments are welcome.
Half of month passed, Can anybody give me some comments or advice or even
an ACK?
I think the key point is the first 3 patch. these patches add a compare
function per netlink_table, netlink sockets use this compare function to
decide if they can communicate with each other. For other netlink protocols
we use net namespace to make this decision. But for audit netlink protocol,
we use user namespace to make the decision. It means, for audit netlink sockets,
they can communicate when they in same user namespace and there is no need
for them to stay in same net namespace.
I don't know if anyone object to this and if there is a better solution.
Eric, Serge & David, can you give me some comments?
Thanks!
Gao feng (48):
Audit: make audit kernel side netlink sock per userns
netlink: Add compare function for netlink_table
Audit: implement audit self-defined compare function
Audit: make audit_skb_queue per user namespace
Audit: make audit_skb_hold_queue per user namespace
Audit: make kauditd_task per user namespace
Audit: make audit_pid per user namespace
Audit: make audit_nlk_portid per user namesapce
Audit: make audit_enabled per user namespace
Audit: change type of audit_ever_enabled to bool
Audit: make audit_ever_enabled per user namespace
Audit: make audit_initialized per user namespace
Audit: only allow init user namespace to change audit_rate_limit
Audit: only allow init user namespace to change audit_failure
Audit: allow to send netlink message to auditd in uninit user
namespace
Audit: user proper user namespace in audit_log_config_change
Audit: make kauditd_wait per user namespace
Audit: make audit_backlog_wait per user namespace
Audit: remove duplicate comments
Audit: introduce new audit logging interface for user namespace
Audit: pass proper user namespace to audit_log_common_recv_msg
Audit: Log audit config change in uninit user namespace
Audit: netfilter: Log xt table replace behavior in proper user
namespace
Audit: xt_AUDIT: Log audit message in proper user namespace
Audit: send reply message to the auditd in proper user namespace
Audit: make audit_inode_hash per user namespace
Audit: make tree_list per user namespace
Audit: make audit filter list per user namespace
Audit: make audit_krule belongs to user namespace
Audit: reply audit filter list request to proper user namespace
Audit: pass proper user namespace to audit_filter_syscall
Audit: pass proper user namespace to audit_filter_inode_name
Audit: Log filter related audit message to proper user namespace
Log audit tree related message in proper user namespace
Audit: Log task related audit message to proper user namespace
Audit: Log watch related audit message to proper user namespace
Audit: translate audit_log_start to audit_log_start_ns
Audit: tty: translate audit_log_start to audit_log_start_ns
Audit: netlabel: translate audit_log_start to audit_log_start_ns
Audit: ima: translate audit_log_start to audit_log_start_ns
Audit: lsm: translate audit_log_start to audit_log_start_ns
Audit: selinux: translate audit_log_start to audit_log_start_ns
Audit: xfrm: translate audit_log_start to audit_log_start_ns
Audit: rename audit_log_start_ns to audit_log_start
Audit: user audit_enabled_ns to replace audit_enabled
Audit: rename audit_enabled_ns to audit_enabled
Audit: make audit_log user namespace awared
Audit: allow root user of un-init user namespace to set audit
drivers/tty/tty_audit.c | 9 +-
include/linux/audit.h | 44 ++--
include/linux/netlink.h | 1 +
include/linux/user_namespace.h | 25 +++
include/net/xfrm.h | 7 +-
kernel/audit.c | 393 +++++++++++++++++++++---------------
kernel/audit.h | 24 +--
kernel/audit_tree.c | 49 ++---
kernel/audit_watch.c | 23 ++-
kernel/auditfilter.c | 76 +++----
kernel/auditsc.c | 156 ++++++++------
kernel/user.c | 19 ++
kernel/user_namespace.c | 3 +
net/core/dev.c | 12 +-
net/ipv4/cipso_ipv4.c | 4 +-
net/netfilter/x_tables.c | 9 +-
net/netfilter/xt_AUDIT.c | 8 +-
net/netlabel/netlabel_domainhash.c | 4 +-
net/netlabel/netlabel_unlabeled.c | 8 +-
net/netlabel/netlabel_user.c | 8 +-
net/netlink/af_netlink.c | 26 ++-
net/netlink/af_netlink.h | 1 +
net/xfrm/xfrm_policy.c | 4 +-
net/xfrm/xfrm_state.c | 14 +-
security/apparmor/lib.c | 2 +-
security/integrity/ima/ima_api.c | 5 +-
security/integrity/ima/ima_audit.c | 11 +-
security/integrity/ima/ima_policy.c | 5 +-
security/lsm_audit.c | 8 +-
security/selinux/avc.c | 3 +-
security/selinux/hooks.c | 17 +-
security/selinux/selinuxfs.c | 9 +-
security/selinux/ss/services.c | 30 ++-
security/smack/smack_lsm.c | 3 +-
34 files changed, 630 insertions(+), 390 deletions(-)
4:52 p.m.
Quoting Gao feng (gaofeng(a)cn.fujitsu.com):
On 05/07/2013 10:20 AM, Gao feng wrote:
> This patchset try to add namespace support for audit.
>
> I choose to assign audit to the user namespace.
> Right now,there are six kinds of namespaces, such as
> net, mount, ipc, pid, uts and user. the first five
> namespaces have special usage. the audit isn't suitable to
> belong to these five namespaces, so the user namespace
> may be the best choice.
>
> Through I decide to make audit related resources per user
> namespace, but audit uses netlink to communicate between kernel
> space and user space, and the netlink is a private resource
> of per net namespace. So we need the capability to allow the
> netlink sockets to communicate with each other in the same user
> namespace even they are in different net namespace. [PATCH 2/48]
> does this job, it adds a new function "compare" for per netlink
> table to compare two sockets. it means the netlink protocols can
> has its own compare fuction, For other protocols, two netlink
> sockets are different if they belong to the different net namespace.
> For audit protocol, two sockets can be the same even they in different
> net namespace,we use user namespace not net namespace to make the
> decision.
>
> There is one point that some people may dislike,in [PATCH 1/48],
> the kernel side audit netlink socket is created only when we create
> the first netns for the userns, and this userns will hold the netns
> until we destroy this userns.
>
> The other patches just make the audit related resources per
> user namespace.
>
> This patchset is sent as an RFC,any comments are welcome.
Hi,
thanks for sending this. I think you need to ping the selinux folks
for comment though. It appears to me that, after this patchset, the
kernel with CONFIG_USER_NS=y could not be LSPP-compliant, because
the selinux-generated audit messages do not always go to init_user_ns.
Additionally, the only type of namespacing selinux wants is where it
is enforced by policy compiler and installer using typenames - i.e.
'container1.user_t' vs 'user_t'. Selinux does not want user namespaces
to affect selinux enforcement at all. (at least last I knew, several
years ago at a mini-summit, I believe this was from Stephen Smalley).
I think it's good to have userspace-generated audit messages (i.e.
auditctl -m 'hi there') sent to the same user namespace. But the
selinux messages, near as I can tell, need to all go to init_user_ns.
thanks,
-serge
5:47 p.m.
Quoting Serge Hallyn (serge.hallyn(a)ubuntu.com):
Quoting Gao feng (gaofeng(a)cn.fujitsu.com):
> On 05/07/2013 10:20 AM, Gao feng wrote:
> > This patchset try to add namespace support for audit.
> >
> > I choose to assign audit to the user namespace.
> > Right now,there are six kinds of namespaces, such as
> > net, mount, ipc, pid, uts and user. the first five
> > namespaces have special usage. the audit isn't suitable to
> > belong to these five namespaces, so the user namespace
> > may be the best choice.
> >
> > Through I decide to make audit related resources per user
> > namespace, but audit uses netlink to communicate between kernel
> > space and user space, and the netlink is a private resource
> > of per net namespace. So we need the capability to allow the
> > netlink sockets to communicate with each other in the same user
> > namespace even they are in different net namespace. [PATCH 2/48]
> > does this job, it adds a new function "compare" for per netlink
> > table to compare two sockets. it means the netlink protocols can
> > has its own compare fuction, For other protocols, two netlink
> > sockets are different if they belong to the different net namespace.
> > For audit protocol, two sockets can be the same even they in different
> > net namespace,we use user namespace not net namespace to make the
> > decision.
> >
> > There is one point that some people may dislike,in [PATCH 1/48],
> > the kernel side audit netlink socket is created only when we create
> > the first netns for the userns, and this userns will hold the netns
> > until we destroy this userns.
> >
> > The other patches just make the audit related resources per
> > user namespace.
> >
> > This patchset is sent as an RFC,any comments are welcome.
Hi,
thanks for sending this. I think you need to ping the selinux folks
for comment though. It appears to me that, after this patchset, the
kernel with CONFIG_USER_NS=y could not be LSPP-compliant, because
the selinux-generated audit messages do not always go to init_user_ns.
Additionally, the only type of namespacing selinux wants is where it
is enforced by policy compiler and installer using typenames - i.e.
'container1.user_t' vs 'user_t'. Selinux does not want user namespaces
to affect selinux enforcement at all. (at least last I knew, several
years ago at a mini-summit, I believe this was from Stephen Smalley).
That sort of sounds like I'm distancing myself from that, which I
don't mean to do. I agree with the decison: MAC (selinux, apparmor
and smack) should not be confuddled by user namespaces. (posix caps
are, as always, a bit different).
I think it's good to have userspace-generated audit messages
(i.e.
auditctl -m 'hi there') sent to the same user namespace. But the
selinux messages, near as I can tell, need to all go to init_user_ns.
thanks,
-serge
_______________________________________________
Containers mailing list
Containers(a)lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/containers
8:54 p.m.
On 06/07/2013 06:47 AM, Serge Hallyn wrote:
Quoting Serge Hallyn (serge.hallyn(a)ubuntu.com):
> Quoting Gao feng (gaofeng(a)cn.fujitsu.com):
>> On 05/07/2013 10:20 AM, Gao feng wrote:
>>> This patchset try to add namespace support for audit.
>>>
>>> I choose to assign audit to the user namespace.
>>> Right now,there are six kinds of namespaces, such as
>>> net, mount, ipc, pid, uts and user. the first five
>>> namespaces have special usage. the audit isn't suitable to
>>> belong to these five namespaces, so the user namespace
>>> may be the best choice.
>>>
>>> Through I decide to make audit related resources per user
>>> namespace, but audit uses netlink to communicate between kernel
>>> space and user space, and the netlink is a private resource
>>> of per net namespace. So we need the capability to allow the
>>> netlink sockets to communicate with each other in the same user
>>> namespace even they are in different net namespace. [PATCH 2/48]
>>> does this job, it adds a new function "compare" for per netlink
>>> table to compare two sockets. it means the netlink protocols can
>>> has its own compare fuction, For other protocols, two netlink
>>> sockets are different if they belong to the different net namespace.
>>> For audit protocol, two sockets can be the same even they in different
>>> net namespace,we use user namespace not net namespace to make the
>>> decision.
>>>
>>> There is one point that some people may dislike,in [PATCH 1/48],
>>> the kernel side audit netlink socket is created only when we create
>>> the first netns for the userns, and this userns will hold the netns
>>> until we destroy this userns.
>>>
>>> The other patches just make the audit related resources per
>>> user namespace.
>>>
>>> This patchset is sent as an RFC,any comments are welcome.
>
> Hi,
>
> thanks for sending this. I think you need to ping the selinux folks
> for comment though. It appears to me that, after this patchset, the
> kernel with CONFIG_USER_NS=y could not be LSPP-compliant, because
> the selinux-generated audit messages do not always go to init_user_ns.
>
> Additionally, the only type of namespacing selinux wants is where it
> is enforced by policy compiler and installer using typenames - i.e.
> 'container1.user_t' vs 'user_t'. Selinux does not want user
namespaces
> to affect selinux enforcement at all. (at least last I knew, several
> years ago at a mini-summit, I believe this was from Stephen Smalley).
That sort of sounds like I'm distancing myself from that, which I
don't mean to do. I agree with the decison: MAC (selinux, apparmor
and smack) should not be confuddled by user namespaces. (posix caps
are, as always, a bit different).
Thanks for your comments!
Very useful information, it sounds reasonable.
Let's just drop those patches.
Thanks,
Gao
> I think it's good to have userspace-generated audit messages (i.e.
> auditctl -m 'hi there') sent to the same user namespace. But the
> selinux messages, near as I can tell, need to all go to init_user_ns.
>
> thanks,
> -serge
> _______________________________________________
> Containers mailing list
> Containers(a)lists.linux-foundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/containers
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo(a)vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
4:24 p.m.
Quoting Gao feng (gaofeng(a)cn.fujitsu.com):
On 06/07/2013 06:47 AM, Serge Hallyn wrote:
> Quoting Serge Hallyn (serge.hallyn(a)ubuntu.com):
>> Quoting Gao feng (gaofeng(a)cn.fujitsu.com):
>>> On 05/07/2013 10:20 AM, Gao feng wrote:
>>>> This patchset try to add namespace support for audit.
>>>>
>>>> I choose to assign audit to the user namespace.
>>>> Right now,there are six kinds of namespaces, such as
>>>> net, mount, ipc, pid, uts and user. the first five
>>>> namespaces have special usage. the audit isn't suitable to
>>>> belong to these five namespaces, so the user namespace
>>>> may be the best choice.
>>>>
>>>> Through I decide to make audit related resources per user
>>>> namespace, but audit uses netlink to communicate between kernel
>>>> space and user space, and the netlink is a private resource
>>>> of per net namespace. So we need the capability to allow the
>>>> netlink sockets to communicate with each other in the same user
>>>> namespace even they are in different net namespace. [PATCH 2/48]
>>>> does this job, it adds a new function "compare" for per
netlink
>>>> table to compare two sockets. it means the netlink protocols can
>>>> has its own compare fuction, For other protocols, two netlink
>>>> sockets are different if they belong to the different net namespace.
>>>> For audit protocol, two sockets can be the same even they in different
>>>> net namespace,we use user namespace not net namespace to make the
>>>> decision.
>>>>
>>>> There is one point that some people may dislike,in [PATCH 1/48],
>>>> the kernel side audit netlink socket is created only when we create
>>>> the first netns for the userns, and this userns will hold the netns
>>>> until we destroy this userns.
>>>>
>>>> The other patches just make the audit related resources per
>>>> user namespace.
>>>>
>>>> This patchset is sent as an RFC,any comments are welcome.
>>
>> Hi,
>>
>> thanks for sending this. I think you need to ping the selinux folks
>> for comment though. It appears to me that, after this patchset, the
>> kernel with CONFIG_USER_NS=y could not be LSPP-compliant, because
>> the selinux-generated audit messages do not always go to init_user_ns.
>>
>> Additionally, the only type of namespacing selinux wants is where it
>> is enforced by policy compiler and installer using typenames - i.e.
>> 'container1.user_t' vs 'user_t'. Selinux does not want user
namespaces
>> to affect selinux enforcement at all. (at least last I knew, several
>> years ago at a mini-summit, I believe this was from Stephen Smalley).
>
> That sort of sounds like I'm distancing myself from that, which I
> don't mean to do. I agree with the decison: MAC (selinux, apparmor
> and smack) should not be confuddled by user namespaces. (posix caps
> are, as always, a bit different).
Thanks for your comments!
Very useful information, it sounds reasonable.
Let's just drop those patches.
Hi Gao,
proceeding then,
The netfilter related changes I think make sense. They log to the userns
which owns the netns in question, which seems right.
However looking at Audit-tty-translate-audit_log_start-to-audit_log_sta.patch,
it appears to log to the userns of the task which is doing the operation.
Keeping in mind that an unprivileged user can create a new user namespace,
this doesn't seem right.
Also, you are introducing per-userns syscall filter. It looks like I
can then create a new userns to escape my existing syscall filter, since
the filters up the user_ns parent chain are not being applied. Is that
correct?
Did you have a particular rationale written out for what precisely you're
wanting to make per-userns? That would be helpful in trying to figure
out which bits are appropriate. Again I so far haven't seen a single
problem with the code itself, it's just a question of which bits we
actually want (and are safe).
-serge
12:59 a.m.
On 06/11/2013 05:24 AM, Serge E. Hallyn wrote:
Quoting Gao feng (gaofeng(a)cn.fujitsu.com):
> On 06/07/2013 06:47 AM, Serge Hallyn wrote:
>> Quoting Serge Hallyn (serge.hallyn(a)ubuntu.com):
>>> Quoting Gao feng (gaofeng(a)cn.fujitsu.com):
>>>> On 05/07/2013 10:20 AM, Gao feng wrote:
>>>>> This patchset try to add namespace support for audit.
>>>>>
>>>>> I choose to assign audit to the user namespace.
>>>>> Right now,there are six kinds of namespaces, such as
>>>>> net, mount, ipc, pid, uts and user. the first five
>>>>> namespaces have special usage. the audit isn't suitable to
>>>>> belong to these five namespaces, so the user namespace
>>>>> may be the best choice.
>>>>>
>>>>> Through I decide to make audit related resources per user
>>>>> namespace, but audit uses netlink to communicate between kernel
>>>>> space and user space, and the netlink is a private resource
>>>>> of per net namespace. So we need the capability to allow the
>>>>> netlink sockets to communicate with each other in the same user
>>>>> namespace even they are in different net namespace. [PATCH 2/48]
>>>>> does this job, it adds a new function "compare" for per
netlink
>>>>> table to compare two sockets. it means the netlink protocols can
>>>>> has its own compare fuction, For other protocols, two netlink
>>>>> sockets are different if they belong to the different net namespace.
>>>>> For audit protocol, two sockets can be the same even they in
different
>>>>> net namespace,we use user namespace not net namespace to make the
>>>>> decision.
>>>>>
>>>>> There is one point that some people may dislike,in [PATCH 1/48],
>>>>> the kernel side audit netlink socket is created only when we create
>>>>> the first netns for the userns, and this userns will hold the netns
>>>>> until we destroy this userns.
>>>>>
>>>>> The other patches just make the audit related resources per
>>>>> user namespace.
>>>>>
>>>>> This patchset is sent as an RFC,any comments are welcome.
>>>
>>> Hi,
>>>
>>> thanks for sending this. I think you need to ping the selinux folks
>>> for comment though. It appears to me that, after this patchset, the
>>> kernel with CONFIG_USER_NS=y could not be LSPP-compliant, because
>>> the selinux-generated audit messages do not always go to init_user_ns.
>>>
>>> Additionally, the only type of namespacing selinux wants is where it
>>> is enforced by policy compiler and installer using typenames - i.e.
>>> 'container1.user_t' vs 'user_t'. Selinux does not want user
namespaces
>>> to affect selinux enforcement at all. (at least last I knew, several
>>> years ago at a mini-summit, I believe this was from Stephen Smalley).
>>
>> That sort of sounds like I'm distancing myself from that, which I
>> don't mean to do. I agree with the decison: MAC (selinux, apparmor
>> and smack) should not be confuddled by user namespaces. (posix caps
>> are, as always, a bit different).
>
>
> Thanks for your comments!
>
> Very useful information, it sounds reasonable.
>
> Let's just drop those patches.
>
Hi Gao,
proceeding then,
The netfilter related changes I think make sense. They log to the userns
which owns the netns in question, which seems right.
However looking at Audit-tty-translate-audit_log_start-to-audit_log_sta.patch,
it appears to log to the userns of the task which is doing the operation.
Keeping in mind that an unprivileged user can create a new user namespace,
this doesn't seem right.
Also, you are introducing per-userns syscall filter. It looks like I
can then create a new userns to escape my existing syscall filter, since
the filters up the user_ns parent chain are not being applied. Is that
correct?
Hi Serge,
I admit that the global resources related audit message should be logged to
parent and ancestor. but this is more complex than the way I implemented.
Because we should send message to all ancestor and we should consider not
to exceed the rate_limit of all ancestor.
I prefer to don't make these filters/rules per user namespace right now.
Did you have a particular rationale written out for what precisely you're
wanting to make per-userns? That would be helpful in trying to figure
out which bits are appropriate. Again I so far haven't seen a single
problem with the code itself, it's just a question of which bits we
actually want (and are safe).
In my option, the audit rules(inode, tree_list, filter) , some of audit
controller related resources(enabled,pid,portid...) and skb queue, audit
netlink sockets,kauditd thread should be per-userns. The audit user message
which generated by the user in container should be per-userns too.
Since netns is not implemented as a hierarchy, and the network related
resources are not global. so network related audit message should be per-userns too.
The security related audit message should be send to init user namespace
as we discussed before. Maybe tty related audit message should be send
to init user namespace too, I have no idea now.
The next step, I will post a new patchset which only make the audit user
message and the basic audit resource per userns. I think this patchset
will easy to be reviewed and accepted, And will not influence the host.
This patchset contains the below patches:
Gao feng (21):
Audit: make audit kernel side netlink sock per userns
netlink: Add compare function for netlink_table
Audit: implement audit self-defined compare function
Audit: make audit_skb_queue per user namespace
Audit: make audit_skb_hold_queue per user namespace
Audit: make kauditd_task per user namespace
Audit: make audit_pid per user namespace
Audit: make audit_nlk_portid per user namesapce
Audit: make audit_enabled per user namespace
Audit: make audit_ever_enabled per user namespace
Audit: make audit_initialized per user namespace
Audit: only allow init user namespace to change rate limit
Audit: only allow init user namespace to change audit_failure
Audit: allow to send netlink message to auditd in uninit user
namespace
Audit: make kauditd_wait per user namespace
Audit: make audit_backlog_wait per user namespace
Audit: introduce new audit logging interface for user namespace
Audit: pass proper user namespace to audit_log_common_recv_msg
Audit: Log audit config change in uninit user namespace
Audit: send reply message to the auditd in proper user namespace
Audit: Allow GET,SET,USER MSG operations in uninit user namespace
include/linux/audit.h | 39 +++-
include/linux/netlink.h | 1 +
include/linux/user_namespace.h | 33 +++-
kernel/audit.c | 422 ++++++++++++++++++++++++++---------------
kernel/audit.h | 5 +-
kernel/auditsc.c | 11 +-
kernel/user_namespace.c | 3 +
net/netlink/af_netlink.c | 32 +++-
net/netlink/af_netlink.h | 1 +
9 files changed, 369 insertions(+), 178 deletions(-)
Do you have any comments or advice to this plan? After the above patchs
been accepted, I think it's easy to push other audit namespace related
patches into upstream.
Thanks,
Gao
-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo(a)vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
8:49 a.m.
On Tue, 2013-06-11 at 13:59 +0800, Gao feng wrote:
On 06/11/2013 05:24 AM, Serge E. Hallyn wrote:
> Quoting Gao feng (gaofeng(a)cn.fujitsu.com):
>> On 06/07/2013 06:47 AM, Serge Hallyn wrote:
>>> Quoting Serge Hallyn (serge.hallyn(a)ubuntu.com):
>>>> Quoting Gao feng (gaofeng(a)cn.fujitsu.com):
>>>>> On 05/07/2013 10:20 AM, Gao feng wrote:
In my option, the audit rules(inode, tree_list, filter) , some of
audit
controller related resources(enabled,pid,portid...) and skb queue, audit
netlink sockets,kauditd thread should be per-userns. The audit user message
which generated by the user in container should be per-userns too.
Since netns is not implemented as a hierarchy, and the network related
resources are not global. so network related audit message should be per-userns too.
The security related audit message should be send to init user namespace
as we discussed before. Maybe tty related audit message should be send
to init user namespace too, I have no idea now.
The next step, I will post a new patchset which only make the audit user
message and the basic audit resource per userns. I think this patchset
will easy to be reviewed and accepted, And will not influence the host.
This patchset contains the below patches:
I think this would be easier for us do from a certification and
doumentation PoV if we had an audit namespace, not tied to the user
namespace. creating a new audit namespace should require
CAP_AUDIT_CONTROL in the user namespace which created the current audit
namespace.
Does that make sense? I don't mind messages staying completely inside
the current namespace, but that means we can't give unpriv users (even
if they have priv in their user namespace) a new audit namespace...
9:15 a.m.
Quoting Eric Paris (eparis(a)redhat.com):
On Tue, 2013-06-11 at 13:59 +0800, Gao feng wrote:
> On 06/11/2013 05:24 AM, Serge E. Hallyn wrote:
> > Quoting Gao feng (gaofeng(a)cn.fujitsu.com):
> >> On 06/07/2013 06:47 AM, Serge Hallyn wrote:
> >>> Quoting Serge Hallyn (serge.hallyn(a)ubuntu.com):
> >>>> Quoting Gao feng (gaofeng(a)cn.fujitsu.com):
> >>>>> On 05/07/2013 10:20 AM, Gao feng wrote:
> In my option, the audit rules(inode, tree_list, filter) , some of audit
> controller related resources(enabled,pid,portid...) and skb queue, audit
> netlink sockets,kauditd thread should be per-userns. The audit user message
> which generated by the user in container should be per-userns too.
>
> Since netns is not implemented as a hierarchy, and the network related
> resources are not global. so network related audit message should be per-userns
too.
>
> The security related audit message should be send to init user namespace
> as we discussed before. Maybe tty related audit message should be send
> to init user namespace too, I have no idea now.
>
> The next step, I will post a new patchset which only make the audit user
> message and the basic audit resource per userns. I think this patchset
> will easy to be reviewed and accepted, And will not influence the host.
> This patchset contains the below patches:
I think this would be easier for us do from a certification and
doumentation PoV if we had an audit namespace, not tied to the user
namespace. creating a new audit namespace should require
CAP_AUDIT_CONTROL in the user namespace which created the current audit
namespace.
Does that make sense? I don't mind messages staying completely inside
the current namespace, but that means we can't give unpriv users (even
if they have priv in their user namespace) a new audit namespace...
I think that makes sense.
One of the goals for user namespace is to ensure that unprivileged users
can play with their environment without the risk of setuid-root apps on
the host being tricked by the new environment. This makes tying the
audit ns to the user ns trickier.
-serge
1:02 a.m.
On 06/11/2013 09:49 PM, Eric Paris wrote:
On Tue, 2013-06-11 at 13:59 +0800, Gao feng wrote:
> On 06/11/2013 05:24 AM, Serge E. Hallyn wrote:
>> Quoting Gao feng (gaofeng(a)cn.fujitsu.com):
>>> On 06/07/2013 06:47 AM, Serge Hallyn wrote:
>>>> Quoting Serge Hallyn (serge.hallyn(a)ubuntu.com):
>>>>> Quoting Gao feng (gaofeng(a)cn.fujitsu.com):
>>>>>> On 05/07/2013 10:20 AM, Gao feng wrote:
> In my option, the audit rules(inode, tree_list, filter) , some of audit
> controller related resources(enabled,pid,portid...) and skb queue, audit
> netlink sockets,kauditd thread should be per-userns. The audit user message
> which generated by the user in container should be per-userns too.
>
> Since netns is not implemented as a hierarchy, and the network related
> resources are not global. so network related audit message should be per-userns too.
>
> The security related audit message should be send to init user namespace
> as we discussed before. Maybe tty related audit message should be send
> to init user namespace too, I have no idea now.
>
> The next step, I will post a new patchset which only make the audit user
> message and the basic audit resource per userns. I think this patchset
> will easy to be reviewed and accepted, And will not influence the host.
> This patchset contains the below patches:
I think this would be easier for us do from a certification and
doumentation PoV if we had an audit namespace, not tied to the user
namespace. creating a new audit namespace should require
CAP_AUDIT_CONTROL in the user namespace which created the current audit
namespace.
Hi Eric,
You mean that like pid/net/user/uts.. namespace,audit namespace should be
created through system call clone with a new flag such as CLONE_NEWAUDIT?
If I didn't misunderstand you, I think it's better to tie audit namespace
to user namespace. since we don't have too much available flags for clone.
Does that make sense? I don't mind messages staying completely
inside
the current namespace, but that means we can't give unpriv users (even
if they have priv in their user namespace) a new audit namespace...
Sorry, I don't quite understand what the current namespace you mentioned here,
the audit namespace current tasks belong to?
upriv users can create new user namespace, in my implementation,the unpriv users
can have its own audit namespace when they create a new user namespace.
I guess I may misunderstand you, if I'm wrong, please correct me :)
Thanks,
Gao
4209
days inactive
4246
days old
linux-audit@lists.linux-audit.osci.io
11 comments
4 participants
participants (4)
-
Eric Paris -
Gao feng -
Serge E. Hallyn -
Serge Hallyn