linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: "Serge E. Hallyn" <serge@hallyn.com>
To: Eric Paris <eparis@redhat.com>
Cc: Gao feng <gaofeng@cn.fujitsu.com>,
	containers@lists.linux-foundation.org, serge.hallyn@ubuntu.com,
	linux-kernel@vger.kernel.org, linux-audit@redhat.com,
	ebiederm@xmission.com, matthltc@linux.vnet.ibm.com,
	sgrubb@redhat.com
Subject: Re: [Part1 PATCH 00/22] Add namespace support for audit
Date: Thu, 20 Jun 2013 20:45:31 +0000	[thread overview]
Message-ID: <20130620204531.GA3522@mail.hallyn.com> (raw)
In-Reply-To: <1371733353.16587.19.camel@dhcp137-13.rdu.redhat.com>

Quoting Eric Paris (eparis@redhat.com):
> On Thu, 2013-06-20 at 11:02 +0800, Gao feng wrote:
> > On 06/20/2013 04:51 AM, Eric Paris wrote:
> > > On Wed, 2013-06-19 at 16:49 -0400, Aristeu Rozanski wrote:
> > >> On Wed, Jun 19, 2013 at 09:53:32AM +0800, Gao feng wrote:
> > >>> This patchset is first part of namespace support for audit.
> > >>> in this patchset, the mainly resources of audit system have
> > >>> been isolated. the audit filter, rules havn't been isolated
> > >>> now. It will be implemented in Part2. We finished the isolation
> > >>> of user audit message in this patchset.
> > >>>
> > >>> I choose to assign audit to the user namespace.
> > >>> Right now,there are six kinds of namespaces, such as
> > >>> net, mount, ipc, pid, uts and user. the first five
> > >>> namespaces have special usage. the audit isn't suitable to
> > >>> belong to these five namespaces, And since the flag of system
> > >>> call clone is in short supply, we can't provide a new flag such
> > >>> as CLONE_NEWAUDIT to enable audit namespace separately. so the
> > >>> user namespace may be the best choice.
> > >>
> > >> I thought it was said on the last submission that to tie userns and
> > >> audit namespace would be a bad idea?
> > > 
> > > I consider it a non-starter.  unpriv users are allowed to launch their
> > > own user namespace.  The whole point of audit is to have only a priv
> > > user be allowed to make changes.  If you tied audit namespace to user
> > > namespace you grant an unpriv user the ability to modify audit.
> > > 
> > 
> > I understand your views.
> > 
> > But ven the unpriv user are allowed to make changes, they can do no harm.
> > they can only make changes on the audit namespace they created.they can
> > only communicate with the audit namespace they created.
> 
> Imagine I set up my machine to audit all user access to super secret
> information.  With your patch set all an malicious user has to do is
> create a new user namespace.  Now when he accesses the super secret
> information it will be logged inside the user namespace he created.  So
> he can just dump those logs in the trash.

Right, I thought I'd pointed this out last time - it makes LSPP
certification impossible.

> I believe that each audit namespace should require priv
> (CAP_AUDIT_CONTROL) in the user namespace that created the current audit
> namespace.  So lets say the machine boots and we are in the init_user

The problem with this is that ...  people will then hand out
CAP_AUDIT_CONTROL :)

I'd be happier with Eric Biederman's suggestion:  You can create a new
audit namespace, but all of the initial audit namespace's filters still
(separately) apply to you.

-serge

  reply	other threads:[~2013-06-20 20:56 UTC|newest]

Thread overview: 39+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-06-19  1:53 [Part1 PATCH 00/22] Add namespace support for audit Gao feng
2013-06-19  1:53 ` [PATCH 01/22] Audit: change type of audit_ever_enabled to bool Gao feng
2013-06-19  1:53 ` [PATCH 02/22] Audit: remove duplicate comments Gao feng
2013-06-19  1:53 ` [PATCH 03/22] Audit: make audit kernel side netlink sock per userns Gao feng
2013-06-19  1:53 ` [PATCH 04/22] netlink: Add compare function for netlink_table Gao feng
2013-06-19  1:53 ` [PATCH 05/22] Audit: implement audit self-defined compare function Gao feng
2013-06-19  1:53 ` [PATCH 06/22] Audit: make audit_skb_queue per user namespace Gao feng
2013-06-19  1:53 ` [PATCH 07/22] Audit: make audit_skb_hold_queue " Gao feng
2013-06-19  1:53 ` [PATCH 08/22] Audit: make kauditd_task " Gao feng
2013-06-19  1:53 ` [PATCH 09/22] Audit: make audit_nlk_portid per user namesapce Gao feng
2013-06-19  1:53 ` [PATCH 10/22] Audit: make audit_enabled per user namespace Gao feng
2013-06-19  1:53 ` [PATCH 11/22] Audit: make audit_ever_enabled " Gao feng
2013-06-19  1:53 ` [PATCH 12/22] Audit: make audit_initialized " Gao feng
2013-06-19  1:53 ` [PATCH 13/22] Audit: only allow init user namespace to change rate limit Gao feng
2013-06-19  1:53 ` [PATCH 14/22] Audit: only allow init user namespace to change audit_failure Gao feng
2013-06-19  1:53 ` [PATCH 15/22] Audit: only allow init user namespace to change backlog_limit Gao feng
2013-06-19  1:53 ` [PATCH 16/22] Audit: make kauditd_wait per user namespace Gao feng
2013-06-19  1:53 ` [PATCH 17/22] Audit: make audit_backlog_wait " Gao feng
2013-06-19  1:53 ` [PATCH 18/22] Audit: introduce new audit logging interface for " Gao feng
2013-06-19  1:53 ` [PATCH 19/22] Audit: pass proper user namespace to audit_log_common_recv_msg Gao feng
2013-06-19  1:53 ` [PATCH 20/22] Audit: Log audit config change in uninit user namespace Gao feng
2013-06-19  1:53 ` [PATCH 21/22] Audit: send reply message to the auditd in proper " Gao feng
2013-06-19  1:53 ` [PATCH 22/22] Audit: Allow GET,SET,USER MSG operations in uninit " Gao feng
2013-06-19 20:49 ` [Part1 PATCH 00/22] Add namespace support for audit Aristeu Rozanski
2013-06-19 20:51   ` Eric Paris
2013-06-19 21:03     ` Eric W. Biederman
2013-06-20  5:21       ` Gao feng
2013-06-20  3:02     ` Gao feng
2013-06-20  3:09       ` Gao feng
2013-06-20 22:01         ` Eric W. Biederman
2013-06-21  5:15           ` Gao feng
2013-06-24 15:02           ` Aristeu Rozanski
2013-06-24 19:03             ` Eric W. Biederman
2013-06-20 13:02       ` Eric Paris
2013-06-20 20:45         ` Serge E. Hallyn [this message]
2013-06-21  3:48         ` Gao feng
2013-06-21  9:51           ` Daniel J Walsh
2013-06-21 10:49             ` Eric W. Biederman
2013-07-04  3:30           ` Gao feng

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20130620204531.GA3522@mail.hallyn.com \
    --to=serge@hallyn.com \
    --cc=containers@lists.linux-foundation.org \
    --cc=ebiederm@xmission.com \
    --cc=eparis@redhat.com \
    --cc=gaofeng@cn.fujitsu.com \
    --cc=linux-audit@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=matthltc@linux.vnet.ibm.com \
    --cc=serge.hallyn@ubuntu.com \
    --cc=sgrubb@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).