lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <51C2916C.2070103@cn.fujitsu.com>
Date:	Thu, 20 Jun 2013 13:21:48 +0800
From:	Gao feng <gaofeng@...fujitsu.com>
To:	"Eric W. Biederman" <ebiederm@...ssion.com>
CC:	Eric Paris <eparis@...hat.com>, Aristeu Rozanski <aris@...hat.com>,
	containers@...ts.linux-foundation.org, linux-audit@...hat.com,
	linux-kernel@...r.kernel.org, serge.hallyn@...ntu.com,
	matthltc@...ux.vnet.ibm.com, sgrubb@...hat.com
Subject: Re: [Part1 PATCH 00/22] Add namespace support for audit

On 06/20/2013 05:03 AM, Eric W. Biederman wrote:
> Eric Paris <eparis@...hat.com> writes:
> 
>> On Wed, 2013-06-19 at 16:49 -0400, Aristeu Rozanski wrote:
>>> On Wed, Jun 19, 2013 at 09:53:32AM +0800, Gao feng wrote:
>>>> This patchset is first part of namespace support for audit.
>>>> in this patchset, the mainly resources of audit system have
>>>> been isolated. the audit filter, rules havn't been isolated
>>>> now. It will be implemented in Part2. We finished the isolation
>>>> of user audit message in this patchset.
>>>>
>>>> I choose to assign audit to the user namespace.
>>>> Right now,there are six kinds of namespaces, such as
>>>> net, mount, ipc, pid, uts and user. the first five
>>>> namespaces have special usage. the audit isn't suitable to
>>>> belong to these five namespaces, And since the flag of system
>>>> call clone is in short supply, we can't provide a new flag such
>>>> as CLONE_NEWAUDIT to enable audit namespace separately. so the
>>>> user namespace may be the best choice.
>>>
>>> I thought it was said on the last submission that to tie userns and
>>> audit namespace would be a bad idea?
>>
>> I consider it a non-starter.  unpriv users are allowed to launch their
>> own user namespace.  The whole point of audit is to have only a priv
>> user be allowed to make changes.  If you tied audit namespace to user
>> namespace you grant an unpriv user the ability to modify audit.
>>
>> NAK.
>>
>> If there are not clone flags you will either need to only do this from
>> unshare and not from clone, or get more flags to clone
> 
> I completely agree that only priveleged user should be able to make
> changes.
> 
> On the flip side, I don't know if this is at all interesting unless we
> have a solution that works for users in unprivileged user namespaces.
> Something like having the possibility of two or more instances of audit
> working on every action.  One for each layer of privilege.
> 
> Gao feng, how do you want to use the audit infrastructure?
> 

I want the root user in container can use the audit related api
(audit_open,audit_log_user_message..) and some network related
audit messages generated by container shouldn't be logged to host.

Thanks,
Gao
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ