From: Gao feng <gaofeng@cn.fujitsu.com>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
containers@lists.linux-foundation.org, serge.hallyn@ubuntu.com,
linux-kernel@vger.kernel.org, linux-audit@redhat.com,
ebiederm@xmission.com
Subject: Re: [RFC Part1 PATCH 00/20 v2] Add namespace support for audit
Date: Tue, 24 Dec 2013 17:53:19 +0800 [thread overview]
Message-ID: <52B9598F.2070203@cn.fujitsu.com> (raw)
In-Reply-To: <20131223234723.GA23101@madcap2.tricolour.ca>
On 12/24/2013 07:47 AM, Richard Guy Briggs wrote:
> On 13/12/09, Gao feng wrote:
>> On 12/07/2013 05:31 AM, Serge E. Hallyn wrote:
>>> Quoting Gao feng (gaofeng@cn.fujitsu.com):
>
>>>> The main target of this patchset is allowing user in audit
>>>> namespace to generate the USER_MSG type of audit message,
>>>> some userspace tools need to generate audit message, or
>>>> these tools will broken.
>>>>
>>>> And the login process in container may want to setup
>>>> /proc/<pid>/loginuid, right now this value is unalterable
>>>> once it being set. this will also broke the login problem
>>>> in container. After this patchset, we can reset this loginuid
>>>> to zero if task is running in a new audit namespace.
>>>>
>>>> Same with v1 patchset, in this patchset, only the privileged
>>>> user in init_audit_ns and init_user_ns has rights to
>>>> add/del audit rules. and these rules are gloabl. all
>>>> audit namespace will comply with the rules.
>>>>
>>>> Compared with v1, v2 patch has some big changes.
>>>> 1, the audit namespace is not assigned to user namespace.
>>>> since there is no available bit of flags for clone, we
>>>> create audit namespace through netlink, patch[18/20]
>>>> introduces a new audit netlink type AUDIT_CREATE_NS.
>>>> the privileged user in userns has rights to create a
>>>> audit namespace, it means the unprivileged user can
>>>> create auditns through create userns first. In order
>>>> to prevent them from doing harm to host, the default
>>>> audit_backlog_limit of un-init-audit-ns is zero(means
>>>> audit is unavailable in audit namespace). and it can't
>>>> be changed in auditns through netlink.
>>>
>>> So the unprivileged user can create an audit-ns, but can't
>>> then actually send any messages there? I guess setting it
>>> to something small would just be hacky?
>>
>> Yes, if unprivileged user wants to send audit message, he should
>> ask privileged user to setup the audit_backlog_limit for him.
>>
>> I know it's a little of hack, but I don't have good idea :(
>
> There's a recent patch that actually clarifies the way
> audit_backlog_limit works, since different parts of the code seemed to
> think different things. It now means unlimited, since there are other
> places to shut off logging.
> audit: allow unlimited backlog queue
Yep, thanks for your information, we can set a negative number to backlog_limit
to mark there is no available buff for this audit ns.
>
> At first, I'd say each audit_ns should be able to set its own
> audit_backlog_limit. The most obvious argument against this would be
> the vulnerability of a DoS.
There are two problem we should conside, auditns costs lot's of memory by
setting large backlog_limit and costs lot's of cpu resources by generating
audit log all the time. So I think the privileged user should have the ability
to limit the backlog len.
And I think it's not very necessary to keep on allowing auditns to set its own
audit_backlog_limit. if you think this is necessary, we can add a field max_backlog_limit
for per audit namespace. and set this value when we create auditns.
And seem like the audit_rate_limit should not be change by unprivileged user.
I don't know if I really follow your request...
> Could there be some automatic metrics to
> set sub audit_ns backlog limits, such as default to the same as
> init_audit_ns and have the init_audit_ns override those defaults?
> Could this be done per user like ulimiit?
>
I think something like ulimit cannot help us.
we should set sub-auditns's backlog_limit in parent auditns..
so maybe the proc file is the best way.
prev parent reply other threads:[~2013-12-24 9:52 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-10-24 7:31 [RFC Part1 PATCH 00/20 v2] Add namespace support for audit Gao feng
2013-10-24 7:31 ` [PATCH 01/20] Audit: make audit netlink socket net namespace unaware Gao feng
2013-10-24 7:31 ` [PATCH 02/20] audit: introduce configure option CONFIG_AUDIT_NS Gao feng
2013-10-24 7:31 ` [PATCH 03/20] audit: make audit_skb_queue per audit namespace Gao feng
2013-10-24 7:31 ` [PATCH 04/20] audit: make audit_skb_hold_queue " Gao feng
2013-10-24 7:31 ` [PATCH 05/20] audit: make audit_pid " Gao feng
2013-10-24 7:31 ` [PATCH 06/20] audit: make kauditd_task " Gao feng
2013-10-24 7:31 ` [PATCH 07/20] aduit: make audit_nlk_portid " Gao feng
2013-10-24 7:31 ` [PATCH 08/20] audit: make kaudit_wait queue " Gao feng
2013-10-24 7:31 ` [PATCH 09/20] audit: make audit_backlog_wait " Gao feng
2013-10-24 7:31 ` [PATCH 10/20] audit: allow un-init audit ns to change pid and portid only Gao feng
2013-10-24 7:31 ` [PATCH 11/20] audit: use proper audit namespace in audit_receive_msg Gao feng
2013-10-24 7:31 ` [PATCH 12/20] audit: use proper audit_namespace in kauditd_thread Gao feng
2013-10-24 7:31 ` [PATCH 13/20] audit: introduce new audit logging interface for audit namespace Gao feng
2013-10-24 7:31 ` [PATCH 14/20] audit: pass proper audit namespace to audit_log_common_recv_msg Gao feng
2013-10-24 7:32 ` [PATCH 15/20] audit: Log audit pid config change in audit namespace Gao feng
2013-10-24 7:32 ` [PATCH 16/20] audit: allow GET,SET,USER MSG operations " Gao feng
2013-12-06 22:00 ` [PATCH 16/20] audit: allow GET, SET, USER " Serge E. Hallyn
2013-12-09 1:47 ` Gao feng
2013-10-24 7:32 ` [PATCH 17/20] nsproxy: don't make create_new_namespaces static Gao feng
2013-10-24 7:32 ` [PATCH 18/20] audit: add new message type AUDIT_CREATE_NS Gao feng
2013-12-06 22:10 ` Serge E. Hallyn
2013-12-09 1:59 ` Gao feng
2013-12-09 17:53 ` Serge Hallyn
2013-12-10 5:34 ` Gao feng
2013-10-24 7:32 ` [PATCH 19/20] audit: make audit_backlog_limit per audit namespace Gao feng
2013-10-24 7:32 ` [PATCH 20/20] audit: introduce /proc/<pid>/audit_backlog_limit Gao feng
2013-10-31 3:52 ` [RFC Part1 PATCH 00/20 v2] Add namespace support for audit Gao feng
2013-11-05 7:51 ` Gao feng
2013-11-05 7:52 ` Gao feng
2013-11-05 8:11 ` Li Zefan
2013-11-05 8:56 ` Gao feng
2013-11-05 19:14 ` Richard Guy Briggs
2013-11-07 5:51 ` Gao feng
2013-11-21 7:57 ` Gao feng
2013-12-04 8:31 ` Gao feng
2013-12-06 22:12 ` Serge E. Hallyn
2013-12-09 2:06 ` Gao feng
2013-12-09 18:26 ` Serge Hallyn
2013-12-10 8:16 ` Gao feng
2013-12-10 16:51 ` Serge Hallyn
2013-12-10 19:50 ` Eric Paris
2013-12-10 20:36 ` Serge E. Hallyn
2013-12-16 3:39 ` Gao feng
2013-12-20 21:15 ` Serge E. Hallyn
2013-12-24 9:32 ` Gao feng
2013-12-06 21:31 ` Serge E. Hallyn
2013-12-09 2:29 ` Gao feng
2013-12-23 23:47 ` Richard Guy Briggs
2013-12-24 9:53 ` Gao feng [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52B9598F.2070203@cn.fujitsu.com \
--to=gaofeng@cn.fujitsu.com \
--cc=containers@lists.linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=rgb@redhat.com \
--cc=serge.hallyn@ubuntu.com \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).