* [PATCH] audit: allow logging of user events in non-initial namespace.
From: Michael Weiß @ 2021-05-09 18:33 UTC
  To: michael.weiss
  Cc: Richard Guy Briggs, Paul Moore, Eric Paris, linux-audit, linux-kernel

The audit subsystem was disabled in total for user namespaces other than
the initial namespace.

If audit is enabled by the kernel command line or auditd in the initial
namespace, it is now possible to allow at least logging of userspace
applications inside of non-initial namespaces if CAP_AUDIT_WRITE is held
in the corresponding namespace.

This allows logging of, e.g., PAM or opensshd inside user namespaced
system containers.

Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
---
 kernel/audit.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/kernel/audit.c b/kernel/audit.c
index 121d37e700a6..b5cc0669c3d7 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1012,7 +1012,13 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
 	 * userspace will reject all logins.  This should be removed when we
 	 * support non init namespaces!!
 	 */
-	if (current_user_ns() != &init_user_ns)
+	/*
+	 * If audit is enabled by kernel command line or audtid in the initial
+	 * namespace allow at least logging of userspace applications inside of
+	 * non-initial namespaces according to CAP_AUDIT_WRITE is held in the
+	 * corresponding namespace.
+	 */
+	if ((current_user_ns() != &init_user_ns) && !audit_enabled)
 		return -ECONNREFUSED;
 
 	switch (msg_type) {
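Review bot: the comment block this hunk leaves behind is contradictory and ungrammatical: the retained lines above still say the check "should be removed when we support non init namespaces!!", while the comment added directly beneath them reads "according to CAP_AUDIT_WRITE is held" and "audtid". Fold the two into one comment along the lines of "Audit is a property of the initial user namespace: only once it has been enabled there (audit=1 or auditd) do we accept messages from a non-initial user namespace, and then only the user-record types checked below." The commit message should also state what now happens to non-user message types sent from a non-initial namespace while audit is on: this early return no longer catches them, so they reach the switch below and any rejection comes from the per-type capability checks there, which changes the error the sender sees from the -ECONNREFUSED it got before.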
@@ -1043,7 +1049,7 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
 	case AUDIT_USER:
 	case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
 	case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
-		if (!netlink_capable(skb, CAP_AUDIT_WRITE))
+		if (!netlink_ns_capable(skb, current_user_ns(), CAP_AUDIT_WRITE))
 			err = -EPERM;
 		break;
 	default:  /* bad msg */
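Review bot: netlink_ns_capable(skb, current_user_ns(), CAP_AUDIT_WRITE) is satisfied by anyone who can create a user namespace, because the creator of a new user namespace holds every capability inside it. With audit enabled, an unprivileged process can therefore unshare(CLONE_NEWUSER) and inject AUDIT_USER and AUDIT_FIRST_USER_MSG..AUDIT_LAST_USER_MSG2 records with arbitrary text into the host's single audit log, and nothing in the record marks which namespace it came from. Either keep the init_user_ns check for these types until records can carry a namespace or container identifier, or gate the relaxation behind a privileged opt-in, and in either case spell the spoofing exposure out in the commit message instead of describing the change only as enabling PAM and sshd logging in containers.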
-- 
2.20.1


* Re: [PATCH] audit: allow logging of user events in non-initial namespace.
From: Paul Moore @ 2021-05-10 22:48 UTC
  To: Michael Weiß
  Cc: Richard Guy Briggs, Eric Paris, linux-audit, linux-kernel

On Sun, May 9, 2021 at 2:33 PM Michael Weiß
<michael.weiss@aisec.fraunhofer.de> wrote:
>
> The audit subsystem was disabled in total for user namespaces other than
> the initial namespace.
>
> If audit is enabled by the kernel command line or auditd in the initial
> namespace, it is now possible to allow at least logging of userspace
> applications inside of non-initial namespaces if CAP_AUDIT_WRITE is held
> in the corresponding namespace.
>
> This allows logging of, e.g., PAM or opensshd inside user namespaced
> system containers.
>
> Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
> ---
>  kernel/audit.c | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)

I think this needs to wait on the audit container ID patchset to land.

> diff --git a/kernel/audit.c b/kernel/audit.c
> index 121d37e700a6..b5cc0669c3d7 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1012,7 +1012,13 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
>          * userspace will reject all logins.  This should be removed when we
>          * support non init namespaces!!
>          */
> -       if (current_user_ns() != &init_user_ns)
> +       /*
> +        * If audit is enabled by kernel command line or audtid in the initial
> +        * namespace allow at least logging of userspace applications inside of
> +        * non-initial namespaces according to CAP_AUDIT_WRITE is held in the
> +        * corresponding namespace.
> +        */
> +       if ((current_user_ns() != &init_user_ns) && !audit_enabled)
>                 return -ECONNREFUSED;
>
>         switch (msg_type) {
> @@ -1043,7 +1049,7 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
>         case AUDIT_USER:
>         case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
>         case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
> -               if (!netlink_capable(skb, CAP_AUDIT_WRITE))
> +               if (!netlink_ns_capable(skb, current_user_ns(), CAP_AUDIT_WRITE))
>                         err = -EPERM;
>                 break;
>         default:  /* bad msg */
> --
> 2.20.1

-- 
paul moore
www.paul-moore.com

* Re: [PATCH] audit: allow logging of user events in non-initial namespace.
From: Richard Guy Briggs @ 2021-05-11 19:40 UTC
  To: Paul Moore; +Cc: Michael Weiß, Eric Paris, linux-audit, linux-kernel

On 2021-05-10 18:48, Paul Moore wrote:
> On Sun, May 9, 2021 at 2:33 PM Michael Weiß
> <michael.weiss@aisec.fraunhofer.de> wrote:
> >
> > The audit subsystem was disabled in total for user namespaces other than
> > the initial namespace.
> >
> > If audit is enabled by the kernel command line or auditd in the initial
> > namespace, it is now possible to allow at least logging of userspace
> > applications inside of non-initial namespaces if CAP_AUDIT_WRITE is held
> > in the corresponding namespace.
> >
> > This allows logging of, e.g., PAM or opensshd inside user namespaced
> > system containers.
> >
> > Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
> > ---
> >  kernel/audit.c | 10 ++++++++--
> >  1 file changed, 8 insertions(+), 2 deletions(-)
> 
> I think this needs to wait on the audit container ID patchset to land.

That will interact with this, for sure, and others related.

Given that there are non-init namespaces involved that may not be part
of containers, I would prefer to wait until namespaces are also
optionally documentable in audit events before permitting this change.
A patchset exists, but it has been deferred until the audit container
identifier patchset is settled.
(See https://github.com/linux-audit/audit-kernel/issues/32 )

> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index 121d37e700a6..b5cc0669c3d7 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -1012,7 +1012,13 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
> >          * userspace will reject all logins.  This should be removed when we
> >          * support non init namespaces!!
> >          */
> > -       if (current_user_ns() != &init_user_ns)
> > +       /*
> > +        * If audit is enabled by kernel command line or audtid in the initial
> > +        * namespace allow at least logging of userspace applications inside of
> > +        * non-initial namespaces according to CAP_AUDIT_WRITE is held in the
> > +        * corresponding namespace.
> > +        */
> > +       if ((current_user_ns() != &init_user_ns) && !audit_enabled)
> >                 return -ECONNREFUSED;
> >
> >         switch (msg_type) {
> > @@ -1043,7 +1049,7 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
> >         case AUDIT_USER:
> >         case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
> >         case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
> > -               if (!netlink_capable(skb, CAP_AUDIT_WRITE))
> > +               if (!netlink_ns_capable(skb, current_user_ns(), CAP_AUDIT_WRITE))
> >                         err = -EPERM;
> >                 break;
> >         default:  /* bad msg */
> > --
> > 2.20.1
> 
> -- 
> paul moore
> www.paul-moore.com
> 

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

