| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 24 Oct 2013 15:31:45 +0800 From: Gao feng <gaofeng@...fujitsu.com> To: linux-kernel@...r.kernel.org, linux-audit@...hat.com Cc: containers@...ts.linux-foundation.org, ebiederm@...ssion.com, serge.hallyn@...ntu.com, eparis@...hat.com, sgrubb@...hat.com, toshi.okajima@...fujitsu.com, Gao feng <gaofeng@...fujitsu.com> Subject: [RFC Part1 PATCH 00/20 v2] Add namespace support for audit Here is the v1 patchset: http://lwn.net/Articles/549546/ The main target of this patchset is allowing user in audit namespace to generate the USER_MSG type of audit message, some userspace tools need to generate audit message, or these tools will broken. And the login process in container may want to setup /proc/<pid>/loginuid, right now this value is unalterable once it being set. this will also broke the login problem in container. After this patchset, we can reset this loginuid to zero if task is running in a new audit namespace. Same with v1 patchset, in this patchset, only the privileged user in init_audit_ns and init_user_ns has rights to add/del audit rules. and these rules are gloabl. all audit namespace will comply with the rules. Compared with v1, v2 patch has some big changes. 1, the audit namespace is not assigned to user namespace. since there is no available bit of flags for clone, we create audit namespace through netlink, patch[18/20] introduces a new audit netlink type AUDIT_CREATE_NS. the privileged user in userns has rights to create a audit namespace, it means the unprivileged user can create auditns through create userns first. In order to prevent them from doing harm to host, the default audit_backlog_limit of un-init-audit-ns is zero(means audit is unavailable in audit namespace). and it can't be changed in auditns through netlink. 2, introduce /proc/<pid>/audit_log_limit this interface is used to setup log_limit of audit namespace. we need this interface to make audit available in un-init-audit-ns. Only the privileged user has right to set this value, it means only the root user of host can change it. 3, make audit namespace don't depend on net namespace. patch[1/20] add a compare function audit_compare for audit netlink, it always return true, it means the netlink subsystem will find out the netlink socket only through portid and netlink type. So we needn't to create kernel side audit netlink socket for per net namespace, all userspace audit netlink socket can find out the audit_sock, and audit_sock can communicate with them through the proper portid. it's just like the behavior we don't have net namespace before. This patchset still need some work, such as allow changing audit_enabled in audit namespace, auditd wants this feature. I send this patchset now in order to get more comments, so I can keep on improving namespace support for audit. Gao feng (20): Audit: make audit netlink socket net namespace unaware audit: introduce configure option CONFIG_AUDIT_NS audit: make audit_skb_queue per audit namespace audit: make audit_skb_hold_queue per audit namespace audit: make audit_pid per audit namespace audit: make kauditd_task per audit namespace aduit: make audit_nlk_portid per audit namespace audit: make kaudit_wait queue per audit namespace audit: make audit_backlog_wait per audit namespace audit: allow un-init audit ns to change pid and portid only audit: use proper audit namespace in audit_receive_msg audit: use proper audit_namespace in kauditd_thread audit: introduce new audit logging interface for audit namespace audit: pass proper audit namespace to audit_log_common_recv_msg audit: Log audit pid config change in audit namespace audit: allow GET,SET,USER MSG operations in audit namespace nsproxy: don't make create_new_namespaces static audit: add new message type AUDIT_CREATE_NS audit: make audit_backlog_limit per audit namespace audit: introduce /proc/<pid>/audit_backlog_limit fs/proc/base.c | 53 ++++++ include/linux/audit.h | 26 ++- include/linux/audit_namespace.h | 92 ++++++++++ include/linux/nsproxy.h | 15 +- include/uapi/linux/audit.h | 1 + init/Kconfig | 10 ++ kernel/Makefile | 2 +- kernel/audit.c | 364 +++++++++++++++++++++++++--------------- kernel/audit.h | 5 +- kernel/audit_namespace.c | 123 ++++++++++++++ kernel/auditsc.c | 6 +- kernel/nsproxy.c | 18 +- 12 files changed, 561 insertions(+), 154 deletions(-) create mode 100644 include/linux/audit_namespace.h create mode 100644 kernel/audit_namespace.c -- 1.8.3.1 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists