Re: [PATCH] netfilter: Record uid and gid in xt_AUDIT

From: Paul Moore
Date: Thu Oct 10 2024 - 15:14:35 EST

Next message: Javier Carrasco: "Re: [PATCH net-next 3/3] net: dsa: mv88e6xxx: leds: fix leds refcount"
Previous message: Taniya Das: "[PATCH v5 0/8] Add support for videocc, camcc, dispcc0 and dispcc1 on Qualcomm SA8775P platform."
In reply to: Florian Westphal: "Re: [PATCH] netfilter: Record uid and gid in xt_AUDIT"
Next in thread: Richard Weinberger: "Re: [PATCH] netfilter: Record uid and gid in xt_AUDIT"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Oct 10, 2024 at 1:59 PM Florian Westphal <fw@xxxxxxxxx> wrote:
> Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> > Correct me if I'm wrong, but by using from_kXid(&init_user_ns, Xid) we
> > get the ID number that is correct for the init namespace, yes? If so,
> > that's what we want as right now all of the audit records, filters,
> > etc. are intended to be set from the context of the initial namespace.
>
> Seems to be the case, from_kuid() kdoc says
> 'There is always a mapping into the initial user_namespace.'.
>
> I'm confused because of the various means of dealing with this:
> 9847371a84b0 ("netfilter: Allow xt_owner in any user namespace")
>
> Does: make_kgid(net->user_ns, ... and also rejects rule-add if
> net->user_ns != current_user_ns(). As this is for matching userids,
> this makes sense to me, any userns will 'just work' for normal uid/gid
> matching.
>
> a6c6796c7127 ("userns: Convert cls_flow to work with user namespaces enabled")
> Does: from_kuid(&init_user_ns, ... and rejects rule adds if sk_user_ns(NETLINK_CB(in_skb).ssk) != &init_user_ns)
>
> Seems just a more conservative solution to the former one.
>
> 8c6e2a941ae7 ("userns: Convert xt_LOG to print socket kuids and kgids as uids and gids")
> ... which looks like the proposed xt_AUDIT change.
>
> As I do not know what the use case is for xt_AUDIT rules residing in
> another, possibly unprivileged network namespace not managed by root-root user,
> I can't say if its right, but it should do the right thing.
>
> Sorry for the noise.

No worries, it was a fair question and discussion about this is rarely
a bad thing as it can get rather complicated somewhat quickly. With
audit our current philosophy is that we try to do our logging and run
the filters within the context of the host/initial namespace for the
sake of consistency. Of course this introduces some limitations and
"hide" some details specific to a child namespace, but it's the only
solution we could think of that allows the current kernel audit
implementation to behave in a comprehensive and sane manner across all
the various namespace/container solutions.

--
paul-moore.com

Next message: Javier Carrasco: "Re: [PATCH net-next 3/3] net: dsa: mv88e6xxx: leds: fix leds refcount"
Previous message: Taniya Das: "[PATCH v5 0/8] Add support for videocc, camcc, dispcc0 and dispcc1 on Qualcomm SA8775P platform."
In reply to: Florian Westphal: "Re: [PATCH] netfilter: Record uid and gid in xt_AUDIT"
Next in thread: Richard Weinberger: "Re: [PATCH] netfilter: Record uid and gid in xt_AUDIT"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]