[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20210511194028.GQ3141668@madcap2.tricolour.ca>
Date: Tue, 11 May 2021 15:40:28 -0400
From: Richard Guy Briggs <rgb@...hat.com>
To: Paul Moore <paul@...l-moore.com>
Cc: Michael Weiß
<michael.weiss@...ec.fraunhofer.de>,
Eric Paris <eparis@...hat.com>, linux-audit@...hat.com,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] audit: allow logging of user events in non-initial
namespace.
On 2021-05-10 18:48, Paul Moore wrote:
> On Sun, May 9, 2021 at 2:33 PM Michael Weiß
> <michael.weiss@...ec.fraunhofer.de> wrote:
> >
> > Audit subsystem was disabled in total for user namespaces other than
> > the initial namespace.
> >
> > If audit is enabled by kernel command line or audtid in initial namespace,
> > it is now possible to allow at least logging of userspace applications
> > inside of non-initial namespaces if CAP_AUDIT_WRITE in the corresponding
> > namespace is held.
> >
> > This allows logging of, e.g., PAM or opensshd inside user namespaced
> > system containers.
> >
> > Signed-off-by: Michael Weiß <michael.weiss@...ec.fraunhofer.de>
> > ---
> > kernel/audit.c | 10 ++++++++--
> > 1 file changed, 8 insertions(+), 2 deletions(-)
>
> I think this needs to wait on the audit container ID patchset to land.
That will interact with this, for sure and others related.
Given that there are non-init namespaces involved that may not be part
of containers, I would prefer to wait until namespaces are also
optionally documentable in audit events before permitting this change.
A patchset exists, but it has been deferred until the audit container
identifier patchset is settled.
(See https://github.com/linux-audit/audit-kernel/issues/32 )
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index 121d37e700a6..b5cc0669c3d7 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -1012,7 +1012,13 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
> > * userspace will reject all logins. This should be removed when we
> > * support non init namespaces!!
> > */
> > - if (current_user_ns() != &init_user_ns)
> > + /*
> > + * If audit is enabled by kernel command line or audtid in the initial
> > + * namespace allow at least logging of userspace applications inside of
> > + * non-initial namespaces according to CAP_AUDIT_WRITE is held in the
> > + * corresponding namespace.
> > + */
> > + if ((current_user_ns() != &init_user_ns) && !audit_enabled)
> > return -ECONNREFUSED;
> >
> > switch (msg_type) {
> > @@ -1043,7 +1049,7 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
> > case AUDIT_USER:
> > case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
> > case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
> > - if (!netlink_capable(skb, CAP_AUDIT_WRITE))
> > + if (!netlink_ns_capable(skb, current_user_ns(), CAP_AUDIT_WRITE))
> > err = -EPERM;
> > break;
> > default: /* bad msg */
> > --
> > 2.20.1
>
> --
> paul moore
> www.paul-moore.com
>
- RGB
--
Richard Guy Briggs <rgb@...hat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
Powered by blists - more mailing lists