On Tue, 2013-07-30 at 13:22 -0400, Richard Guy Briggs wrote:
> On Mon, Jul 22, 2013 at 11:20:57AM +0800, Gao feng wrote:
> > On 07/20/2013 05:15 AM, Richard Guy Briggs wrote:
> > > On Wed, Jul 17, 2013 at 11:54:21AM +0800, Gao feng wrote:
> > >> Hi, Richard
> > >>
> > >> On 07/17/2013 04:32 AM, Richard Guy Briggs wrote:
> > >>> Convert audit from only listening in init_net to use
> > >>> register_pernet_subsys()
> > >>> to dynamically manage the netlink socket list.
> > >>>
> > >>> Signed-off-by: Richard Guy Briggs <[email protected]>
> > >>> ---
> > >>
> > >> Right now audit still can't be used in uninit pid/user namespace.
> > >> Consider this: when a user in an uninit pid/user namespace is allowed
> > >> to set up/run the audit subsystem, since the kernel thread always runs
> > >> in the init pid namespace, we can't get the right net namespace through
> > >> get_net_ns_by_pid. The audit information will be sent to the incorrect
> > >> net namespace by the kernel thread.
> > >>
> > >> In my opinion, this patch is limited and nonextensible.
I agree completely that this patch is limited and nonextensible. But it gets us where we should already be today: a single global kauditd and a single global auditd. Today if you spawn a new network namespace you cannot send messages to the kernel audit system. You cannot run auditd in an uninit network namespace. This is wrong. The kernel should take anything userspace wants to throw at it, and it should send messages to auditd no matter where it lives. I see this as a good patch that should go in next window, and it will likely get overwritten completely with your future work.

Now your patch handles this and so much more. I still detest the idea of tying the audit namespace to the user namespace. My NAK still stands on any such patches.

I'd think that disjoint namespaces (like networking) instead of hierarchical namespaces (like user) would be a lot easier to do. My thoughts have always been about completely disjoint audit namespaces, and I may have missed the nuance of some of your discussion because it didn't really dawn on me that you seem to have always been discussing hierarchical audit namespaces. I'm wondering if we want/need both? If I decide to launch a whole distro inside a container I may not want it to be subject to any of the audit rules of the init namespace. Disjoint namespaces are good. You don't seem to allow this; the init namespace audit rules would also apply.

I'm not saying hierarchical rules are bad; in fact I might be convinced they are adequate, I just can't bring myself to that conclusion yet. The conclusion I still feel comfortable with is that the user namespace is a whole bag of its own and I don't want it tied to audit.

-Eric

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
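The claim under discussion is that a process in a freshly created network namespace cannot reach the kernel audit subsystem over NETLINK_AUDIT at all. The probe below is an added example for this thread, not code from the patch or from either poster: it sends one AUDIT_USER record with NLM_F_ACK set from the init namespace, then again after unshare(CLONE_NEWNET), and reports whether the kernel acks each one. It assumes a Linux host with <linux/audit.h> and <linux/netlink.h>, and a process holding CAP_SYS_ADMIN (for unshare) and CAP_AUDIT_WRITE (for AUDIT_USER), i.e. run it as root. The message text and the 2-second timeout are arbitrary choices of this example.

```c
/*
 * Added probe (not code from the patch or the thread): does a process in a
 * freshly created network namespace get an ack from the kernel audit
 * subsystem over NETLINK_AUDIT?  Assumes Linux, CAP_SYS_ADMIN for unshare()
 * and CAP_AUDIT_WRITE for AUDIT_USER, i.e. run as root.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <poll.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/audit.h>
#include <linux/netlink.h>

/* Fill buf with an AUDIT_USER request carrying text (NUL included).  NLM_F_ACK
 * makes the kernel answer with an NLMSG_ERROR ack even when the record is
 * accepted.  Returns nlmsg_len, or 0 if buf is too small. */
size_t build_audit_user_msg(unsigned char *buf, size_t buflen,
                            const char *text, unsigned int seq)
{
    size_t payload = strlen(text) + 1;
    if (NLMSG_SPACE(payload) > buflen)
        return 0;
    memset(buf, 0, NLMSG_SPACE(payload));
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    nlh->nlmsg_len   = NLMSG_LENGTH(payload);
    nlh->nlmsg_type  = AUDIT_USER;
    nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    nlh->nlmsg_seq   = seq;
    nlh->nlmsg_pid   = 0;                  /* kernel fills in the sender id */
    memcpy(NLMSG_DATA(nlh), text, payload);
    return nlh->nlmsg_len;
}

/* Send one AUDIT_USER record from the calling process's current netns and
 * wait up to timeout_ms for the ack.  Returns 0 on a clean ack, a positive
 * errno from the ack or from the local socket calls, ETIMEDOUT if nothing
 * comes back, and EPROTO if a reply arrived without an ack in it. */
int audit_probe(int timeout_ms)
{
    unsigned char buf[512];
    size_t len = build_audit_user_msg(buf, sizeof buf, "netns audit probe", 1);
    if (len == 0)
        return EMSGSIZE;

    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0)
        return errno;

    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };   /* nl_pid 0 = kernel */
    if (sendto(fd, buf, len, 0, (struct sockaddr *)&kernel, sizeof kernel) < 0) {
        int e = errno; close(fd); return e;
    }

    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    int rc = poll(&pfd, 1, timeout_ms);
    if (rc <= 0) { int e = rc ? errno : ETIMEDOUT; close(fd); return e; }

    unsigned char reply[4096];
    ssize_t n = recv(fd, reply, sizeof reply, 0);
    close(fd);
    if (n < 0)
        return errno;

    int remaining = (int)n;
    for (struct nlmsghdr *nlh = (struct nlmsghdr *)reply;
         NLMSG_OK(nlh, remaining); nlh = NLMSG_NEXT(nlh, remaining)) {
        if (nlh->nlmsg_type == NLMSG_ERROR) {
            struct nlmsgerr *err = NLMSG_DATA(nlh);
            return -err->error;            /* kernel reports a negative errno; 0 means accepted */
        }
    }
    return EPROTO;
}

int main(void)
{
    int before = audit_probe(2000);
    printf("init netns: %s\n", before ? strerror(before) : "ack ok");

    if (unshare(CLONE_NEWNET) < 0) {       /* needs CAP_SYS_ADMIN */
        perror("unshare(CLONE_NEWNET)");
        return 1;
    }
    int after = audit_probe(2000);
    printf("new netns:  %s\n", after ? strerror(after) : "ack ok");
    return 0;
}
```

Reading the result: an ack of 0 means the kernel-side audit socket is reachable from that namespace, EPERM in the ack means the process lacks CAP_AUDIT_WRITE (a capability problem, not a namespace one), and ECONNREFUSED or a timeout is what an absent listener looks like. A clean ack only shows the kernel received the record; where kauditd then delivers it, and to which auditd, is the separate question the rest of the thread is arguing about.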
