Discussion:
[PATCH RFC 00/48] Add namespace support for audit
Eric Paris
2013-05-08 16:55:12 UTC
What kernel are these patches against?
Aristeu Rozanski
2013-05-07 15:44:35 UTC
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 684599b..33e6584 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -441,7 +441,8 @@ extern int audit_filter_type(int type);
extern int audit_receive_filter(int type, int pid, int seq,
void *data, size_t datasz, kuid_t loginuid,
u32 sessionid, u32 sid);
-extern int audit_enabled;
+#define audit_enabled (init_user_ns.audit.enabled)
+#define audit_enabled_ns (ns->audit.enabled)
#else /* CONFIG_AUDIT */
static inline __printf(4, 5)
void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
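Review bot: the new `#define audit_enabled_ns (ns->audit.enabled)` is an object-like macro that silently depends on a local named `ns` being in scope at every use site, and it does not match the function-like `audit_enabled_ns(ns)` defined for the !CONFIG_AUDIT branch further down in this file. Make it function-like with the argument parenthesised, `#define audit_enabled_ns(ns) ((ns)->audit.enabled)`, so both branches share one signature. Since `audit_enabled` now expands to `init_user_ns.audit.enabled`, every user of audit.h also needs the full `struct user_namespace` definition; check that the header includes linux/user_namespace.h rather than relying on callers to do so.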
@@ -487,6 +488,7 @@ static inline void audit_set_user_ns(struct user_namespace *ns)
static inline void audit_free_user_ns(struct user_namespace *ns)
{ }
#define audit_enabled 0
+#define audit_enabled_ns(ns) 0
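Review bot: `#define audit_enabled_ns(ns) 0` never evaluates its argument, so a caller that computes `ns` only to pass it here gets an unused-variable warning when CONFIG_AUDIT is off. `((void)(ns), 0)` keeps the argument referenced, and the CONFIG_AUDIT definition above should be brought to the same function-like form so callers compile identically in both configurations.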
conflicting definitions here. maybe the first one should be
#define audit_enabled_ns(ns) (ns->audit.enabled)?
@@ -285,14 +282,15 @@ static int audit_do_config_change(char *function_name, int *to_change,
u32 sid)
{
int allow_changes, rc = 0, old = *to_change;
+ struct user_namespace *ns = current_user_ns();
/* check if we are locked */
- if (audit_enabled == AUDIT_LOCKED)
+ if (ns->audit.enabled == AUDIT_LOCKED)
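Review bot: the lock check now reads `ns->audit.enabled` from `current_user_ns()` rather than the global state, so a caller in a child user namespace is tested against its own lock flag, not the init namespace's. For settings that stay global (later patches in this series restrict audit_rate_limit and audit_failure to init_user_ns), a locked init namespace should still refuse the change; either check init_user_ns for those callers or document why the caller's namespace is the intended scope. Using the `audit_enabled_ns(ns)` accessor introduced in audit.h instead of the open-coded field access would also leave a single definition to review.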
then you don't use the macro you introduced?
@@ -609,7 +608,7 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
char *ctx = NULL;
u32 len;
- if (!audit_enabled) {
+ if (!init_user_ns.audit.enabled) {
*ab = NULL;
return rc;
}
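Review bot: `init_user_ns.audit.enabled` is open-coded here although the series later passes a user namespace into this function ("pass proper user namespace to audit_log_common_recv_msg"); taking the namespace as a parameter now and testing `audit_enabled_ns(ns)` avoids rewriting this line twice and makes it explicit which namespace's enabled flag gates logging of a received message.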
same here
--
Aristeu
Matt Helsley
2013-05-08 02:06:26 UTC
It's better to define audit_ever_enabled as bool
---
kernel/audit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 4595a9e..1138ff5 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -76,7 +76,7 @@ static int audit_initialized;
#define AUDIT_OFF 0
#define AUDIT_ON 1
#define AUDIT_LOCKED 2
-int audit_ever_enabled;
+bool audit_ever_enabled;
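Review bot: the diffstat shows only kernel/audit.c changing while the definition's type changes from int to bool; if `audit_ever_enabled` is declared `extern int` elsewhere (kernel/audit.h is the usual home for audit's internal externs), that declaration now mismatches the definition and must be updated in the same patch. Also check every assignment site: anything stored into it other than 0/1 is collapsed to true/false, which is only correct if all readers already treat the variable as a boolean.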
I think you're better off placing this at the beginning of the series
and submitting it separately since it's only incidentally related to
this RFC.

Cheers,
-Matt Helsley
Gao feng
2013-05-07 02:20:21 UTC
This patchset tries to add namespace support for audit.

I choose to assign audit to the user namespace.
Right now, there are six kinds of namespaces: net, mount, ipc,
pid, uts and user. The first five namespaces have special usage.
Audit isn't suitable to belong to these five namespaces, so the
user namespace may be the best choice.

Though I decided to make audit related resources per user
namespace, audit uses netlink to communicate between kernel
space and user space, and netlink is a private resource of
each net namespace. So we need the capability to allow the
netlink sockets to communicate with each other in the same user
namespace even if they are in different net namespaces. [PATCH 2/48]
does this job; it adds a new function "compare" for each netlink
table to compare two sockets. It means the netlink protocols can
have their own compare function. For other protocols, two netlink
sockets are different if they belong to different net namespaces.
For the audit protocol, two sockets can be the same even if they are
in different net namespaces; we use the user namespace, not the net
namespace, to make the decision.

There is one point that some people may dislike: in [PATCH 1/48],
the kernel side audit netlink socket is created only when we create
the first netns for the userns, and this userns will hold the netns
until we destroy this userns.

The other patches just make the audit related resources per
user namespace.

This patchset is sent as an RFC; any comments are welcome.

Gao feng (48):
Audit: make audit kernel side netlink sock per userns
netlink: Add compare function for netlink_table
Audit: implement audit self-defined compare function
Audit: make audit_skb_queue per user namespace
Audit: make audit_skb_hold_queue per user namespace
Audit: make kauditd_task per user namespace
Audit: make audit_pid per user namespace
Audit: make audit_nlk_portid per user namespace
Audit: make audit_enabled per user namespace
Audit: change type of audit_ever_enabled to bool
Audit: make audit_ever_enabled per user namespace
Audit: make audit_initialized per user namespace
Audit: only allow init user namespace to change audit_rate_limit
Audit: only allow init user namespace to change audit_failure
Audit: allow to send netlink message to auditd in uninit user namespace
Audit: use proper user namespace in audit_log_config_change
Audit: make kauditd_wait per user namespace
Audit: make audit_backlog_wait per user namespace
Audit: remove duplicate comments
Audit: introduce new audit logging interface for user namespace
Audit: pass proper user namespace to audit_log_common_recv_msg
Audit: Log audit config change in uninit user namespace
Audit: netfilter: Log xt table replace behavior in proper user namespace
Audit: xt_AUDIT: Log audit message in proper user namespace
Audit: send reply message to the auditd in proper user namespace
Audit: make audit_inode_hash per user namespace
Audit: make tree_list per user namespace
Audit: make audit filter list per user namespace
Audit: make audit_krule belong to user namespace
Audit: reply audit filter list request to proper user namespace
Audit: pass proper user namespace to audit_filter_syscall
Audit: pass proper user namespace to audit_filter_inode_name
Audit: Log filter related audit message to proper user namespace
Log audit tree related message in proper user namespace
Audit: Log task related audit message to proper user namespace
Audit: Log watch related audit message to proper user namespace
Audit: translate audit_log_start to audit_log_start_ns
Audit: tty: translate audit_log_start to audit_log_start_ns
Audit: netlabel: translate audit_log_start to audit_log_start_ns
Audit: ima: translate audit_log_start to audit_log_start_ns
Audit: lsm: translate audit_log_start to audit_log_start_ns
Audit: selinux: translate audit_log_start to audit_log_start_ns
Audit: xfrm: translate audit_log_start to audit_log_start_ns
Audit: rename audit_log_start_ns to audit_log_start
Audit: use audit_enabled_ns to replace audit_enabled
Audit: rename audit_enabled_ns to audit_enabled
Audit: make audit_log user namespace aware
Audit: allow root user of un-init user namespace to set audit

drivers/tty/tty_audit.c | 9 +-
include/linux/audit.h | 44 ++--
include/linux/netlink.h | 1 +
include/linux/user_namespace.h | 25 +++
include/net/xfrm.h | 7 +-
kernel/audit.c | 393 +++++++++++++++++++++---------------
kernel/audit.h | 24 +--
kernel/audit_tree.c | 49 ++---
kernel/audit_watch.c | 23 ++-
kernel/auditfilter.c | 76 +++----
kernel/auditsc.c | 156 ++++++++------
kernel/user.c | 19 ++
kernel/user_namespace.c | 3 +
net/core/dev.c | 12 +-
net/ipv4/cipso_ipv4.c | 4 +-
net/netfilter/x_tables.c | 9 +-
net/netfilter/xt_AUDIT.c | 8 +-
net/netlabel/netlabel_domainhash.c | 4 +-
net/netlabel/netlabel_unlabeled.c | 8 +-
net/netlabel/netlabel_user.c | 8 +-
net/netlink/af_netlink.c | 26 ++-
net/netlink/af_netlink.h | 1 +
net/xfrm/xfrm_policy.c | 4 +-
net/xfrm/xfrm_state.c | 14 +-
security/apparmor/lib.c | 2 +-
security/integrity/ima/ima_api.c | 5 +-
security/integrity/ima/ima_audit.c | 11 +-
security/integrity/ima/ima_policy.c | 5 +-
security/lsm_audit.c | 8 +-
security/selinux/avc.c | 3 +-
security/selinux/hooks.c | 17 +-
security/selinux/selinuxfs.c | 9 +-
security/selinux/ss/services.c | 30 ++-
security/smack/smack_lsm.c | 3 +-
34 files changed, 630 insertions(+), 390 deletions(-)
Gao feng
2013-05-21 09:15:31 UTC
+ if (ns->audit.kauditd_task)
+ kthread_stop(ns->audit.kauditd_task);
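Review bot: kthread_stop() blocks until the kauditd thread has exited, so it cannot run in the atomic context this teardown path evidently has (the "scheduling while atomic" warning reported below). Stop the thread from a sleepable release path or from a deferred work item instead, and make sure the per-userns skb queues the thread drains are flushed or freed after it has stopped, not before, so no queued record is lost on namespace destruction.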
This is buggy, it will trigger a "scheduling while atomic" warning:

I will take care of this problem.
Gao feng
2013-05-21 09:15:58 UTC
Half a month has passed. Can anybody give me some comments or advice, or even
an ACK?

I think the key point is the first 3 patches. These patches add a compare
function per netlink_table; netlink sockets use this compare function to
decide if they can communicate with each other. For other netlink protocols
we use the net namespace to make this decision. But for the audit netlink protocol,
we use the user namespace to make the decision. It means that audit netlink sockets
can communicate when they are in the same user namespace, and there is no need
for them to stay in the same net namespace.

I don't know if anyone objects to this or if there is a better solution.

Eric, Serge & David, can you give me some comments?

Thanks!
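The per-table compare hook that the cover letter and the ping above describe, as an added model in C (not code from the patchset or the kernel; the struct names and the compare signature `bool compare(net, sk)` are assumptions). It shows a lookup by portid succeeding across net namespaces for the audit table as long as the user namespace matches, while the default table still insists on the same netns.

```c
/* Model of the per-netlink_table "compare" hook discussed in this thread.
 * Added example: all structs and names here are simplified stand-ins, not
 * the kernel's own types (assumption: compare takes the sender's net and
 * the candidate socket, as the cover letter describes). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct user_ns { int id; };
/* every net namespace is owned by exactly one user namespace */
struct net { int id; const struct user_ns *user_ns; };
struct nl_sock { const struct net *net; unsigned int portid; };

struct nl_table {
    const char *name;
    /* may a sender in 'net' reach socket 'sk' bound to this table? */
    bool (*compare)(const struct net *net, const struct nl_sock *sk);
};

/* Default rule for every protocol: the same net namespace is required. */
static bool nl_compare_net(const struct net *net, const struct nl_sock *sk)
{
    return net == sk->net;
}

/* Audit's rule: the same user namespace is enough, the netns is ignored. */
static bool nl_compare_userns(const struct net *net, const struct nl_sock *sk)
{
    return net->user_ns == sk->net->user_ns;
}

/* Lookup by portid, filtered through the table's compare hook; this is
 * the single decision point that makes cross-netns delivery possible. */
const struct nl_sock *nl_lookup(const struct nl_table *t, const struct net *net,
                                unsigned int portid,
                                const struct nl_sock *socks, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (socks[i].portid == portid && t->compare(net, &socks[i]))
            return &socks[i];
    return NULL;
}

/* Constructed scenario: userns U owns netns A and B; userns V owns netns C.
 * An "auditd" socket listens in netns A. Returns a 3-bit result:
 *   bit0: reachable from B via the audit table   (same userns, other netns)
 *   bit1: reachable from B via the default table (same userns, other netns)
 *   bit2: reachable from C via the audit table   (other userns)            */
unsigned int cross_ns_delivery(void)
{
    static const struct user_ns U = { 1 }, V = { 2 };
    static const struct net A = { 10, &U }, B = { 11, &U }, C = { 20, &V };
    static const struct nl_sock socks[] = { { &A, 4242 } };
    const struct nl_table audit_tbl = { "audit", nl_compare_userns };
    const struct nl_table generic_tbl = { "generic", nl_compare_net };
    size_t n = sizeof socks / sizeof socks[0];
    unsigned int r = 0;

    if (nl_lookup(&audit_tbl, &B, 4242, socks, n))
        r |= 1u;
    if (nl_lookup(&generic_tbl, &B, 4242, socks, n))
        r |= 2u;
    if (nl_lookup(&audit_tbl, &C, 4242, socks, n))
        r |= 4u;
    return r;
}

int main(void)
{
    unsigned int r = cross_ns_delivery();

    printf("audit table, same userns, other netns:   %s\n", (r & 1u) ? "deliver" : "drop");
    printf("default table, same userns, other netns: %s\n", (r & 2u) ? "deliver" : "drop");
    printf("audit table, other userns:               %s\n", (r & 4u) ? "deliver" : "drop");
    return 0;
}
```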
Serge Hallyn
2013-06-06 21:52:55 UTC
Hi,

thanks for sending this. I think you need to ping the selinux folks
for comment though. It appears to me that, after this patchset, the
kernel with CONFIG_USER_NS=y could not be LSPP-compliant, because
the selinux-generated audit messages do not always go to init_user_ns.

Additionally, the only type of namespacing selinux wants is where it
is enforced by policy compiler and installer using typenames - i.e.
'container1.user_t' vs 'user_t'. Selinux does not want user namespaces
to affect selinux enforcement at all. (at least last I knew, several
years ago at a mini-summit, I believe this was from Stephen Smalley).

I think it's good to have userspace-generated audit messages (i.e.
auditctl -m 'hi there') sent to the same user namespace. But the
selinux messages, near as I can tell, need to all go to init_user_ns.

thanks,
-serge
Serge Hallyn
2013-06-06 22:47:10 UTC
Post by Serge Hallyn
Hi,
thanks for sending this. I think you need to ping the selinux folks
for comment though. It appears to me that, after this patchset, the
kernel with CONFIG_USER_NS=y could not be LSPP-compliant, because
the selinux-generated audit messages do not always go to init_user_ns.
Additionally, the only type of namespacing selinux wants is where it
is enforced by policy compiler and installer using typenames - i.e.
'container1.user_t' vs 'user_t'. Selinux does not want user namespaces
to affect selinux enforcement at all. (at least last I knew, several
years ago at a mini-summit, I believe this was from Stephen Smalley).
That sort of sounds like I'm distancing myself from that, which I
don't mean to do. I agree with the decision: MAC (selinux, apparmor
and smack) should not be confuddled by user namespaces. (posix caps
are, as always, a bit different).
Gao feng
2013-06-10 01:54:20 UTC
Post by Serge Hallyn
Hi,
thanks for sending this. I think you need to ping the selinux folks
for comment though. It appears to me that, after this patchset, the
kernel with CONFIG_USER_NS=y could not be LSPP-compliant, because
the selinux-generated audit messages do not always go to init_user_ns.
Additionally, the only type of namespacing selinux wants is where it
is enforced by policy compiler and installer using typenames - i.e.
'container1.user_t' vs 'user_t'. Selinux does not want user namespaces
to affect selinux enforcement at all. (at least last I knew, several
years ago at a mini-summit, I believe this was from Stephen Smalley).
That sort of sounds like I'm distancing myself from that, which I
don't mean to do. I agree with the decison: MAC (selinux, apparmor
and smack) should not be confuddled by user namespaces. (posix caps
are, as always, a bit different).
Thanks for your comments!

Very useful information, it sounds reasonable.

Let's just drop those patches.

Thanks,
Gao
Gao feng
2013-06-11 05:59:26 UTC
Post by Serge Hallyn
Hi Gao,
proceeding then,
The netfilter related changes I think make sense. They log to the userns
which owns the netns in question, which seems right.
However looking at Audit-tty-translate-audit_log_start-to-audit_log_sta.patch,
it appears to log to the userns of the task which is doing the operation.
Keeping in mind that an unprivileged user can create a new user namespace,
this doesn't seem right.
Also, you are introducing per-userns syscall filter. It looks like I
can then create a new userns to escape my existing syscall filter, since
the filters up the user_ns parent chain are not being applied. Is that
correct?
Hi Serge,

I admit that the audit messages related to global resources should be logged to
the parent and ancestors, but this is more complex than the way I implemented it,
because we should send the message to all ancestors and we should take care not
to exceed the rate_limit of all ancestors.

I prefer not to make these filters/rules per user namespace right now.
Did you have a particular rationale written out for what precisely you're
wanting to make per-userns? That would be helpful in trying to figure
out which bits are appropriate. Again I so far haven't seen a single
problem with the code itself, it's just a question of which bits we
actually want (and are safe).
In my option, the audit rules(inode, tree_list, filter) , some of audit
controller related resources(enabled,pid,portid...) and skb queue, audit
netlink sockets,kauditd thread should be per-userns. The audit user message
which generated by the user in container should be per-userns too.

Since netns is not implemented as a hierarchy, and the network related
resources are not global. so network related audit message should be per-userns too.

The security related audit messages should be sent to the init user namespace
as we discussed before. Maybe tty related audit messages should be sent
to the init user namespace too, I have no idea now.

The next step, I will post a new patchset which only makes the audit user
messages and the basic audit resources per userns. I think this patchset
will be easier to review and accept, and will not influence the host.
This patchset contains the below patches:

Gao feng (21):
Audit: make audit kernel side netlink sock per userns
netlink: Add compare function for netlink_table
Audit: implement audit self-defined compare function
Audit: make audit_skb_queue per user namespace
Audit: make audit_skb_hold_queue per user namespace
Audit: make kauditd_task per user namespace
Audit: make audit_pid per user namespace
Audit: make audit_nlk_portid per user namespace
Audit: make audit_enabled per user namespace
Audit: make audit_ever_enabled per user namespace
Audit: make audit_initialized per user namespace
Audit: only allow init user namespace to change rate limit
Audit: only allow init user namespace to change audit_failure
Audit: allow to send netlink message to auditd in uninit user namespace
Audit: make kauditd_wait per user namespace
Audit: make audit_backlog_wait per user namespace
Audit: introduce new audit logging interface for user namespace
Audit: pass proper user namespace to audit_log_common_recv_msg
Audit: Log audit config change in uninit user namespace
Audit: send reply message to the auditd in proper user namespace
Audit: Allow GET,SET,USER MSG operations in uninit user namespace

include/linux/audit.h | 39 +++-
include/linux/netlink.h | 1 +
include/linux/user_namespace.h | 33 +++-
kernel/audit.c | 422 ++++++++++++++++++++++++++---------------
kernel/audit.h | 5 +-
kernel/auditsc.c | 11 +-
kernel/user_namespace.c | 3 +
net/netlink/af_netlink.c | 32 +++-
net/netlink/af_netlink.h | 1 +
9 files changed, 369 insertions(+), 178 deletions(-)

Do you have any comments or advice on this plan? After the above patches
have been accepted, I think it will be easy to push the other audit namespace related
patches upstream.

Thanks,
Gao
-serge
Eric Paris
2013-06-11 13:49:57 UTC
Permalink
Post by Gao feng
In my opinion, the audit rules (inode, tree_list, filter), some of the audit
controller related resources (enabled, pid, portid...), the skb queue, the audit
netlink sockets and the kauditd thread should be per-userns. The audit user messages
generated by users in a container should be per-userns too.
Since netns is not implemented as a hierarchy and the network related
resources are not global, network related audit messages should be per-userns too.
The security related audit messages should be sent to the init user namespace
as we discussed before. Maybe tty related audit messages should be sent
to the init user namespace too, I have no idea now.
The next step, I will post a new patchset which only makes the audit user
messages and the basic audit resources per userns. I think this patchset
will be easier to review and accept, and will not influence the host.
I think this would be easier for us to do from a certification and
documentation PoV if we had an audit namespace, not tied to the user
namespace. Creating a new audit namespace should require
CAP_AUDIT_CONTROL in the user namespace which created the current audit
namespace.

Does that make sense? I don't mind messages staying completely inside
the current namespace, but that means we can't give unpriv users (even
if they have priv in their user namespace) a new audit namespace...
Serge E. Hallyn
2013-06-11 14:15:37 UTC
Permalink
Post by Eric Paris
Post by Gao feng
In my opinion, the audit rules (inode, tree_list, filter), some of the audit
controller related resources (enabled, pid, portid...), the skb queue, the audit
netlink sockets and the kauditd thread should be per-userns. The audit user messages
generated by users in a container should be per-userns too.
Since netns is not implemented as a hierarchy and the network related
resources are not global, network related audit messages should be per-userns too.
The security related audit messages should be sent to the init user namespace
as we discussed before. Maybe tty related audit messages should be sent
to the init user namespace too, I have no idea now.
The next step, I will post a new patchset which only makes the audit user
messages and the basic audit resources per userns. I think this patchset
will be easier to review and accept, and will not influence the host.
I think this would be easier for us to do from a certification and
documentation PoV if we had an audit namespace, not tied to the user
namespace. Creating a new audit namespace should require
CAP_AUDIT_CONTROL in the user namespace which created the current audit
namespace.
Does that make sense? I don't mind messages staying completely inside
the current namespace, but that means we can't give unpriv users (even
if they have priv in their user namespace) a new audit namespace...
I think that makes sense.

One of the goals for user namespace is to ensure that unprivileged users
can play with their environment without the risk of setuid-root apps on
the host being tricked by the new environment. This makes tying the
audit ns to the user ns trickier.

-serge
Gao feng
2013-06-13 06:02:28 UTC
Permalink
Post by Eric Paris
Post by Gao feng
In my opinion, the audit rules (inode, tree_list, filter), some of the audit
controller related resources (enabled, pid, portid...), the skb queue, the audit
netlink sockets and the kauditd thread should be per-userns. The audit user messages
generated by users in a container should be per-userns too.
Since netns is not implemented as a hierarchy and the network related
resources are not global, network related audit messages should be per-userns too.
The security related audit messages should be sent to the init user namespace
as we discussed before. Maybe tty related audit messages should be sent
to the init user namespace too, I have no idea now.
The next step, I will post a new patchset which only makes the audit user
messages and the basic audit resources per userns. I think this patchset
will be easier to review and accept, and will not influence the host.
I think this would be easier for us to do from a certification and
documentation PoV if we had an audit namespace, not tied to the user
namespace. Creating a new audit namespace should require
CAP_AUDIT_CONTROL in the user namespace which created the current audit
namespace.
Hi Eric,

You mean that, like the pid/net/user/uts... namespaces, the audit namespace should be
created through the clone system call with a new flag such as CLONE_NEWAUDIT?
If I didn't misunderstand you, I think it's better to tie the audit namespace
to the user namespace, since we don't have too many available flags for clone.
Post by Eric Paris
Does that make sense? I don't mind messages staying completely inside
the current namespace, but that means we can't give unpriv users (even
if they have priv in their user namespace) a new audit namespace...
Sorry, I don't quite understand what the current namespace you mentioned here is;
the audit namespace the current task belongs to?

Unprivileged users can create a new user namespace; in my implementation, unprivileged users
can have their own audit namespace when they create a new user namespace.

I guess I may misunderstand you, if I'm wrong, please correct me :)

Thanks,
Gao

Serge E. Hallyn
2013-06-10 21:24:37 UTC
Permalink
Post by Gao feng
Post by Serge Hallyn
Post by Serge Hallyn
This patchset tries to add namespace support for audit.
I choose to assign audit to the user namespace.
Right now, there are six kinds of namespaces: net, mount, ipc,
pid, uts and user. The first five namespaces have special usage.
Audit isn't suitable to belong to these five namespaces, so the
user namespace may be the best choice.
Though I decided to make audit related resources per user
namespace, audit uses netlink to communicate between kernel
space and user space, and netlink is a private resource
of each net namespace. So we need the capability to allow the
netlink sockets to communicate with each other in the same user
namespace even if they are in different net namespaces. [PATCH 2/48]
does this job: it adds a new function "compare" to each netlink
table to compare two sockets. It means the netlink protocols can
have their own compare function. For other protocols, two netlink
sockets are different if they belong to different net namespaces.
For the audit protocol, two sockets can be the same even if they are in different
net namespaces; we use the user namespace, not the net namespace, to make the
decision.
There is one point that some people may dislike: in [PATCH 1/48],
the kernel side audit netlink socket is created only when we create
the first netns for the userns, and this userns will hold the netns
until we destroy this userns.
The other patches just make the audit related resources per
user namespace.
This patchset is sent as an RFC; any comments are welcome.
Hi,
thanks for sending this. I think you need to ping the selinux folks
for comment though. It appears to me that, after this patchset, the
kernel with CONFIG_USER_NS=y could not be LSPP-compliant, because
the selinux-generated audit messages do not always go to init_user_ns.
Additionally, the only type of namespacing selinux wants is where it
is enforced by policy compiler and installer using typenames - i.e.
'container1.user_t' vs 'user_t'. Selinux does not want user namespaces
to affect selinux enforcement at all. (at least last I knew, several
years ago at a mini-summit, I believe this was from Stephen Smalley).
That sort of sounds like I'm distancing myself from that, which I
don't mean to do. I agree with the decision: MAC (selinux, apparmor
and smack) should not be confuddled by user namespaces. (posix caps
are, as always, a bit different).
Thanks for your comments!
Very useful information, it sounds reasonable.
Let's just drop those patches.
Hi Gao,

proceeding then,

The netfilter related changes I think make sense. They log to the userns
which owns the netns in question, which seems right.

However looking at Audit-tty-translate-audit_log_start-to-audit_log_sta.patch,
it appears to log to the userns of the task which is doing the operation.

Keeping in mind that an unprivileged user can create a new user namespace,
this doesn't seem right.

Also, you are introducing per-userns syscall filter. It looks like I
can then create a new userns to escape my existing syscall filter, since
the filters up the user_ns parent chain are not being applied. Is that
correct?

Did you have a particular rationale written out for what precisely you're
wanting to make per-userns? That would be helpful in trying to figure
out which bits are appropriate. Again I so far haven't seen a single
problem with the code itself, it's just a question of which bits we
actually want (and are safe).

-serge
Gao feng
2013-05-09 01:13:36 UTC
Permalink
Post by Eric Paris
What kernel are these patches against?
This patchset is based on Linus's tree.
The last commit is d7ab7302f970a254997687a1cdede421a5635c68
(Merge tag 'mfd-3.10-1' of git://git.kernel.org/pub/scm/linux/kernel/git/same)

Thanks
Gao