lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20241009213345.GC3714@breakpoint.cc>
Date: Wed, 9 Oct 2024 23:33:45 +0200
From: Florian Westphal <fw@...len.de>
To: Richard Weinberger <richard@....at>
Cc: netfilter-devel@...r.kernel.org, coreteam@...filter.org,
	netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
	pabeni@...hat.com, kuba@...nel.org, edumazet@...gle.com,
	davem@...emloft.net, kadlec@...filter.org, pablo@...filter.org,
	rgb@...hat.com, paul@...l-moore.com, upstream+net@...ma-star.at
Subject: Re: [PATCH] netfilter: Record uid and gid in xt_AUDIT

Richard Weinberger <richard@....at> wrote:
> When recording audit events for new outgoing connections,
> it is helpful to log the user info of the associated socket,
> if available.
> Therefore, check if the skb has a socket, and if it does,
> log the owning fsuid/fsgid.

AFAIK audit isn't namespace aware at all (neither netns nor userns), so I
wonder how to handle this.

We can't reject adding a -j AUDIT rule for non-init-net (we could, but I'm sure
it'll break some setups...).

But I wonder if we should at least skip the uid if the user namespace is
'something else'.

> +	if (sk && sk_fullsock(sk)) {

I.e. check net->user_ns == &init_user_ns too and don't log the uid
otherwise.

I don't think auditd can make sense of the uid otherwise, resp.
its misleading, no?

Alternatively, use this instead?

kuid = sock_net_uid(sock_net(sk), sk);
from_kuid_munged(sock_net(sk)->user_ns, kuid);

There is no need to follow ->file backpointer anymore, see
6acc5c2910689fc6ee181bf63085c5efff6a42bd and
86741ec25462e4c8cdce6df2f41ead05568c7d5e,
"net: core: Add a UID field to struct sock.".

I think we could streamline all the existing paths that fetch uid
from sock->file to not do that and use sock_net_uid() instead as well.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ