Re: [PATCH] netfilter: Record uid and gid in xt_AUDIT

From: Florian Westphal
Date: Thu Oct 10 2024 - 14:00:11 EST


Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> Correct me if I'm wrong, but by using from_kXid(&init_user_ns, Xid) we
> get the ID number that is correct for the init namespace, yes? If so,
> that's what we want as right now all of the audit records, filters,
> etc. are intended to be set from the context of the initial namespace.

Seems to be the case, from_kuid() kdoc says
'There is always a mapping into the initial user_namespace.'.

I'm confused because of the various means of dealing with this:
9847371a84b0 ("netfilter: Allow xt_owner in any user namespace")

Does: make_kgid(net->user_ns, ... and also rejects rule-add if
net->user_ns != current_user_ns(). As this is for matching userids,
this makes sense to me, any userns will 'just work' for normal uid/gid
matching.

a6c6796c7127 ("userns: Convert cls_flow to work with user namespaces enabled")
Does: from_kuid(&init_user_ns, ... and rejects rule adds if sk_user_ns(NETLINK_CB(in_skb).ssk) != &init_user_ns)

Seems just a more conservative solution to the former one.

8c6e2a941ae7 ("userns: Convert xt_LOG to print socket kuids and kgids as uids and gids")
... which looks like the proposed xt_AUDIT change.

As I do not know what the use case is for xt_AUDIT rules residing in
another, possibly unprivileged network namespace not managed by root-root user,
I can't say if it's right, but it should do the right thing.

Sorry for the noise.
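To make the difference between the three approaches compared above concrete, here is an added userspace model of the kernel's kuid mapping helpers (make_kuid, from_kuid, from_kuid_munged). It is not kernel code and not part of this thread; the extent layout, the `container_ns` namespace and the uid values are constructed for illustration. It shows why from_kuid(&init_user_ns, ...) always yields a valid id (the xt_AUDIT / xt_LOG style), why make_kuid(net->user_ns, ...) is the right direction for interpreting a rule's uid in the namespace that added it (the xt_owner style), and what happens when a kuid has no mapping in a given namespace.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdbool.h>

/* Model only (not the kernel's code): a uid_map is a list of extents, each
 * mapping `count` ids starting at `first` (as seen inside the namespace)
 * onto kernel-wide kuid values starting at `lower_first`. */
typedef struct { uint32_t val; } kuid_t;
#define UID_INVALID  ((uint32_t)-1)
#define OVERFLOW_UID 65534u   /* default overflowuid */

struct uid_extent { uint32_t first; uint32_t lower_first; uint32_t count; };

struct user_namespace {
    const char *name;
    const struct uid_extent *extents;
    size_t nr_extents;
};

/* Identity map for the initial namespace: every kuid maps to itself, which
 * is why "there is always a mapping into the initial user_namespace". */
static const struct uid_extent init_extents[] = { { 0, 0, 4294967295u } };
const struct user_namespace init_user_ns = { "init_user_ns", init_extents, 1 };

/* Constructed example: a container namespace whose uids 0..65535 are backed
 * by kernel uids 100000..165535 (a typical unprivileged-container layout). */
static const struct uid_extent container_extents[] = { { 0, 100000, 65536 } };
const struct user_namespace container_ns = { "container_ns", container_extents, 1 };

/* Namespace-visible id -> kuid, or UID_INVALID when the ns has no mapping. */
static uint32_t map_id_down(const struct user_namespace *ns, uint32_t id)
{
    for (size_t i = 0; i < ns->nr_extents; i++) {
        const struct uid_extent *e = &ns->extents[i];
        if (id >= e->first && id - e->first < e->count)
            return e->lower_first + (id - e->first);
    }
    return UID_INVALID;
}

/* kuid -> id as seen inside ns, or UID_INVALID when the ns has no mapping. */
static uint32_t map_id_up(const struct user_namespace *ns, uint32_t kid)
{
    for (size_t i = 0; i < ns->nr_extents; i++) {
        const struct uid_extent *e = &ns->extents[i];
        if (kid >= e->lower_first && kid - e->lower_first < e->count)
            return e->first + (kid - e->lower_first);
    }
    return UID_INVALID;
}

kuid_t make_kuid(const struct user_namespace *ns, uint32_t uid)
{
    kuid_t k = { map_id_down(ns, uid) };
    return k;
}

bool uid_valid(kuid_t k) { return k.val != UID_INVALID; }

uint32_t from_kuid(const struct user_namespace *ns, kuid_t k)
{
    return map_id_up(ns, k.val);
}

/* Never returns -1: unmapped ids collapse to overflowuid instead. */
uint32_t from_kuid_munged(const struct user_namespace *ns, kuid_t k)
{
    uint32_t id = from_kuid(ns, k);
    return id == UID_INVALID ? OVERFLOW_UID : id;
}

/* xt_owner style: the uid written in the rule is interpreted in the
 * namespace the rule was added from, then compared against the socket's kuid. */
bool owner_rule_matches(const struct user_namespace *rule_ns, uint32_t rule_uid, kuid_t sock_uid)
{
    kuid_t want = make_kuid(rule_ns, rule_uid);
    return uid_valid(want) && want.val == sock_uid.val;
}

/* xt_AUDIT / xt_LOG style: record the init-namespace id, which always exists. */
uint32_t audit_uid(kuid_t sock_uid) { return from_kuid(&init_user_ns, sock_uid); }

int main(void)
{
    kuid_t sock = make_kuid(&container_ns, 1000);     /* socket opened by container uid 1000 */
    printf("container uid 1000 -> kuid %u\n", sock.val);
    printf("audit record uid    = %u\n", audit_uid(sock));
    printf("seen from container = %u\n", from_kuid(&container_ns, sock));

    kuid_t host_root = make_kuid(&init_user_ns, 0);    /* socket owned by host root */
    printf("host root seen from container: raw=%u munged=%u\n",
           from_kuid(&container_ns, host_root), from_kuid_munged(&container_ns, host_root));
    return 0;
}
```

The audit record for the container socket carries 101000, the init-namespace view, while an xt_owner rule added inside the container with `--uid-owner 1000` still matches that socket because make_kuid() translates 1000 through the container's map first. Host root's kuid 0 has no mapping in the container, so from_kuid() reports -1 there and from_kuid_munged() reports 65534; that is the case the conservative "reject rule adds from other namespaces" checks in the commits above are avoiding.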