Re: [PATCH] audit: allow logging of user events in non-initial namespace.

From: Richard Guy Briggs
Date: Tue May 11 2021 - 15:40:49 EST

Next message: Alex Elder: "[PATCH net] net: ipa: memory region array is variable size"
Previous message: Marciniszyn, Mike: "RE: [PATCH rdma-next] RDMA/rdmavt: Decouple QP and SGE lists allocations"
In reply to: Paul Moore: "Re: [PATCH] audit: allow logging of user events in non-initial namespace."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2021-05-10 18:48, Paul Moore wrote:
> On Sun, May 9, 2021 at 2:33 PM Michael Weiß
> <michael.weiss@xxxxxxxxxxxxxxxxxxx> wrote:
> >
> > Audit subsystem was disabled in total for user namespaces other than
> > the initial namespace.
> >
> > If audit is enabled by kernel command line or audtid in initial namespace,
> > it is now possible to allow at least logging of userspace applications
> > inside of non-initial namespaces if CAP_AUDIT_WRITE in the corresponding
> > namespace is held.
> >
> > This allows logging of, e.g., PAM or opensshd inside user namespaced
> > system containers.
> >
> > Signed-off-by: Michael Weiß <michael.weiss@xxxxxxxxxxxxxxxxxxx>
> > ---
> > kernel/audit.c | 10 ++++++++--
> > 1 file changed, 8 insertions(+), 2 deletions(-)
>
> I think this needs to wait on the audit container ID patchset to land.

That will interact with this, for sure and others related.

Given that there are non-init namespaces involved that may not be part
of containers, I would prefer to wait until namespaces are also
optionally documentable in audit events before permitting this change.
A patchset exists, but it has been deferred until the audit container
identifier patchset is settled.
(See https://github.com/linux-audit/audit-kernel/issues/32 )

> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index 121d37e700a6..b5cc0669c3d7 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -1012,7 +1012,13 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
> > * userspace will reject all logins. This should be removed when we
> > * support non init namespaces!!
> > */
> > - if (current_user_ns() != &init_user_ns)
> > + /*
> > + * If audit is enabled by kernel command line or audtid in the initial
> > + * namespace allow at least logging of userspace applications inside of
> > + * non-initial namespaces according to CAP_AUDIT_WRITE is held in the
> > + * corresponding namespace.
> > + */
> > + if ((current_user_ns() != &init_user_ns) && !audit_enabled)
> > return -ECONNREFUSED;
> >
> > switch (msg_type) {
> > @@ -1043,7 +1049,7 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
> > case AUDIT_USER:
> > case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
> > case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
> > - if (!netlink_capable(skb, CAP_AUDIT_WRITE))
> > + if (!netlink_ns_capable(skb, current_user_ns(), CAP_AUDIT_WRITE))
> > err = -EPERM;
> > break;
> > default: /* bad msg */
> > --
> > 2.20.1
>
> --
> paul moore
> www.paul-moore.com
>

- RGB

--
Richard Guy Briggs <rgb@xxxxxxxxxx>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

Next message: Alex Elder: "[PATCH net] net: ipa: memory region array is variable size"
Previous message: Marciniszyn, Mike: "RE: [PATCH rdma-next] RDMA/rdmavt: Decouple QP and SGE lists allocations"
In reply to: Paul Moore: "Re: [PATCH] audit: allow logging of user events in non-initial namespace."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]