| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 17 Jan 2014 09:37:17 +0800
From: Gao feng <gaofeng@...fujitsu.com>
To: "Serge E. Hallyn" <serge@...lyn.com>
CC: eparis@...hat.com, rgb@...hat.com,
containers@...ts.linux-foundation.org, serge.hallyn@...ntu.com,
linux-kernel@...r.kernel.org, linux-audit@...hat.com,
ebiederm@...ssion.com, sgrubb@...hat.com
Subject: Re: [PATCH audit-next 2/2] Audit: make audit netlink socket net namespace
unaware
On 01/17/2014 06:29 AM, Serge E. Hallyn wrote:
> Quoting Gao feng (gaofeng@...fujitsu.com):
>> Add a compare function which always return true for
>> audit netlink socket, this will cause audit netlink
>> sockets netns unaware, and no matter which netns the
>> user space audit netlink sockets belong to, they all
>> can find out and communicate with audit_sock.
>>
>> This gets rid of the necessary to create per-netns
>> audit kernel side socket(audit_sock), it's pain to
>> depend on and get reference of netns for auditns.
>>
>> Signed-off-by: Gao feng <gaofeng@...fujitsu.com>
>
> So whereas before you could prevent a task from spamming
> audit by putting it into a private netns, now you have to
> do it using a user namespace (to prevent capable(CAP_AUDIT_WRITE))
> right?
>
Yes, the commit 1a938bec0090dc49abdb471e978e0d8155186845
"listen in all network namespaces" in audit-next already
did this change. this patch is another way to allow task
to generate audit msg in un-init netns. This is one of
the purpose of auditns. And this capable check has already
done in audit_netlink_ok.
> I don't know that anyone is depending on that, in any case, but
> it's a change.
>
I think this change should be transparent to the userspace tools.
Since I don't know why a task should depend on audit is unavailable.
Or I misunderstand your question?
> Is this building up to something?
>
Just allow task in un-init netns to communicate with kernel.
Thanks!
Gao
>> ---
>> kernel/audit.c | 6 ++++++
>> 1 file changed, 6 insertions(+)
>>
>> diff --git a/kernel/audit.c b/kernel/audit.c
>> index b62153a..2ac6212 100644
>> --- a/kernel/audit.c
>> +++ b/kernel/audit.c
>> @@ -1064,12 +1064,18 @@ static void audit_receive(struct sk_buff *skb)
>> mutex_unlock(&audit_cmd_mutex);
>> }
>>
>> +static bool audit_compare(struct net *net, struct sock *sk)
>> +{
>> + return true;
>> +}
>> +
>> /* Initialize audit support at boot time. */
>> static int __init audit_init(void)
>> {
>> int i;
>> struct netlink_kernel_cfg cfg = {
>> .input = audit_receive,
>> + .compare = audit_compare,
>> };
>>
>> if (audit_initialized == AUDIT_DISABLED)
>> --
>> 1.8.4.2
>>
>> _______________________________________________
>> Containers mailing list
>> Containers@...ts.linux-foundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/containers
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists