lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 10 Jun 2013 16:24:37 -0500
From:	"Serge E. Hallyn" <serge@...lyn.com>
To:	Gao feng <gaofeng@...fujitsu.com>
Cc:	Serge Hallyn <serge.hallyn@...ntu.com>,
	containers@...ts.linux-foundation.org,
	linux-kernel@...r.kernel.org, eparis@...hat.com,
	linux-audit@...hat.com, ebiederm@...ssion.com, davem@...emloft.net
Subject: Re: [PATCH RFC 00/48] Add namespace support for audit

Quoting Gao feng (gaofeng@...fujitsu.com):
> On 06/07/2013 06:47 AM, Serge Hallyn wrote:
> > Quoting Serge Hallyn (serge.hallyn@...ntu.com):
> >> Quoting Gao feng (gaofeng@...fujitsu.com):
> >>> On 05/07/2013 10:20 AM, Gao feng wrote:
> >>>> This patchset try to add namespace support for audit.
> >>>>
> >>>> I choose to assign audit to the user namespace.
> >>>> Right now,there are six kinds of namespaces, such as
> >>>> net, mount, ipc, pid, uts and user. the first five
> >>>> namespaces have special usage. the audit isn't suitable to
> >>>> belong to these five namespaces, so the user namespace
> >>>> may be the best choice.
> >>>>
> >>>> Through I decide to make audit related resources per user
> >>>> namespace, but audit uses netlink to communicate between kernel
> >>>> space and user space, and the netlink is a private resource
> >>>> of per net namespace. So we need the capability to allow the
> >>>> netlink sockets to communicate with each other in the same user
> >>>> namespace even they are in different net namespace. [PATCH 2/48]
> >>>> does this job, it adds a new function "compare" for per netlink
> >>>> table to compare two sockets. it means the netlink protocols can
> >>>> has its own compare fuction, For other protocols, two netlink
> >>>> sockets are different if they belong to the different net namespace.
> >>>> For audit protocol, two sockets can be the same even they in different
> >>>> net namespace,we use user namespace not net namespace to make the
> >>>> decision.
> >>>>
> >>>> There is one point that some people may dislike,in [PATCH 1/48],
> >>>> the kernel side audit netlink socket is created only when we create
> >>>> the first netns for the userns, and this userns will hold the netns
> >>>> until we destroy this userns.
> >>>>
> >>>> The other patches just make the audit related resources per
> >>>> user namespace.
> >>>>
> >>>> This patchset is sent as an RFC,any comments are welcome.
> >>
> >> Hi,
> >>
> >> thanks for sending this.  I think you need to ping the selinux folks
> >> for comment though.  It appears to me that, after this patchset, the
> >> kernel with CONFIG_USER_NS=y could not be LSPP-compliant, because
> >> the selinux-generated audit messages do not always go to init_user_ns.
> >>
> >> Additionally, the only type of namespacing selinux wants is where it
> >> is enforced by policy compiler and installer using typenames - i.e.
> >> 'container1.user_t' vs 'user_t'.  Selinux does not want user namespaces
> >> to affect selinux enforcement at all.  (at least last I knew, several
> >> years ago at a mini-summit, I believe this was from Stephen Smalley).
> > 
> > That sort of sounds like I'm distancing myself from that, which I
> > don't mean to do.  I agree with the decison:  MAC (selinux, apparmor
> > and smack) should not be confuddled by user namespaces.  (posix caps
> > are, as always, a bit different).
> 
> 
> Thanks for your comments!
> 
> Very useful information, it sounds reasonable.
> 
> Let's just drop those patches.
> 

Hi Gao,

proceeding then,

The netfilter related changes I think make sense.  They log to the userns
which owns the netns in question, which seems right.

However looking at Audit-tty-translate-audit_log_start-to-audit_log_sta.patch,
it appears to log to the userns of the task which is doing the operation.

Keeping in mind that an unprivileged user can create a new user namespace,
this doesn't seem right.

Also, you are introducing per-userns syscall filter.  It looks like I
can then create a new userns to escape my existing syscall filter, since
the filters up the user_ns parent chain are not being applied.  Is that
correct?

Did you have a particular rationale written out for what precisely you're
wanting to make per-userns?  That would be helpful in trying to figure
out which bits are appropriate.  Again I so far haven't seen a single
problem with the code itself, it's just a question of which bits we
actually want (and are safe).

-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ