On 11/05/2013 03:51 PM, Gao feng wrote:
> Ping...
> I want to catch up the merge window..
>
> On 10/31/2013 11:52 AM, Gao feng wrote:
>> Hi Eric Paris,
>>
>> Can you give me some comments?
>>
>> You think that tying the audit namespace to the user namespace is a bad idea,
>> so this patchset doesn't assign auditns to userns and introduces a
>> new audit netlink type to help create an audit namespace.
>>
>> And this patchset also introduces a new proc interface to make
>> sure a container can't influence the whole system.
>>
>> And the audit rules are not namespace aware; all audit namespaces
>> should comply with the rules. In the next step, if we find it's needed to
>> make audit rules per audit namespace, then it's the time to do that
>> job.
>>
>> This patchset also makes all net namespaces able to send/
>> receive audit netlink messages.
>>
>> I may miss some points; if you find there are some shortages or loopholes,
>> please let me know.
>>
>> Thanks!
>>
>> On 10/24/2013 03:31 PM, Gao feng wrote:
>>> Here is the v1 patchset: http://lwn.net/Articles/549546/
>>>
>>> The main target of this patchset is allowing a user in an audit
>>> namespace to generate the USER_MSG type of audit message;
>>> some userspace tools need to generate audit messages, or
>>> these tools will be broken.
>>>
>>> And the login process in a container may want to set up
>>> /proc/<pid>/loginuid; right now this value is unalterable
>>> once it is set. This will also break login
>>> in a container. After this patchset, we can reset this loginuid
>>> to zero if the task is running in a new audit namespace.
>>>
>>> Same as the v1 patchset, in this patchset only the privileged
>>> user in init_audit_ns and init_user_ns has rights to
>>> add/del audit rules, and these rules are global. All
>>> audit namespaces will comply with the rules.
>>>
>>> Compared with v1, the v2 patchset has some big changes.
>>> 1, the audit namespace is not assigned to the user namespace.
>>> Since there is no available bit of flags for clone, we
>>> create the audit namespace through netlink; patch [18/20]
>>> introduces a new audit netlink type AUDIT_CREATE_NS.
>>> The privileged user in a userns has rights to create an
>>> audit namespace, which means an unprivileged user can
>>> create an auditns by creating a userns first. In order
>>> to prevent them from doing harm to the host, the default
>>> audit_backlog_limit of an un-init audit ns is zero (meaning
>>> audit is unavailable in the audit namespace), and it can't
>>> be changed in the auditns through netlink.
>>>
>>> 2, introduce /proc/<pid>/audit_log_limit
>>> This interface is used to set up the log_limit of an audit
>>> namespace. We need this interface to make audit
>>> available in an un-init audit ns. Only the privileged user
>>> has the right to set this value, which means only the root user
>>> of the host can change it.
>>>
>>> 3, make the audit namespace not depend on the net namespace.
>>> Patch [1/20] adds a compare function audit_compare for
>>> audit netlink; it always returns true, which means the
>>> netlink subsystem will find the netlink socket
>>> only through portid and netlink type. So we needn't
>>> create a kernel-side audit netlink socket per
>>> net namespace; all userspace audit netlink sockets
>>> can find the audit_sock, and audit_sock can
>>> communicate with them through the proper portid.
>>> It's just like the behavior we had before net
>>> namespaces existed.
>>>
>>>
>>> This patchset still needs some work, such as allowing changing
>>> audit_enabled in an audit namespace; auditd wants this feature.
>>>
>>> I send this patchset now in order to get more comments, so
>>> I can keep on improving namespace support for audit.
>>>
>>> Gao feng (20):
>>>   Audit: make audit netlink socket net namespace unaware
>>>   audit: introduce configure option CONFIG_AUDIT_NS
>>>   audit: make audit_skb_queue per audit namespace
>>>   audit: make audit_skb_hold_queue per audit namespace
>>>   audit: make audit_pid per audit namespace
>>>   audit: make kauditd_task per audit namespace
>>>   audit: make audit_nlk_portid per audit namespace
>>>   audit: make kaudit_wait queue per audit namespace
>>>   audit: make audit_backlog_wait per audit namespace
>>>   audit: allow un-init audit ns to change pid and portid only
>>>   audit: use proper audit namespace in audit_receive_msg
>>>   audit: use proper audit_namespace in kauditd_thread
>>>   audit: introduce new audit logging interface for audit namespace
>>>   audit: pass proper audit namespace to audit_log_common_recv_msg
>>>   audit: Log audit pid config change in audit namespace
>>>   audit: allow GET,SET,USER MSG operations in audit namespace
>>>   nsproxy: don't make create_new_namespaces static
>>>   audit: add new message type AUDIT_CREATE_NS
>>>   audit: make audit_backlog_limit per audit namespace
>>>   audit: introduce /proc/<pid>/audit_backlog_limit
>>>
>>>  fs/proc/base.c                  |  53 ++++++
>>>  include/linux/audit.h           |  26 ++-
>>>  include/linux/audit_namespace.h |  92 ++++++++++
>>>  include/linux/nsproxy.h         |  15 +-
>>>  include/uapi/linux/audit.h      |   1 +
>>>  init/Kconfig                    |  10 ++
>>>  kernel/Makefile                 |   2 +-
>>>  kernel/audit.c                  | 364 +++++++++++++++++++++++++---------------
>>>  kernel/audit.h                  |   5 +-
>>>  kernel/audit_namespace.c        | 123 ++++++++++++++
>>>  kernel/auditsc.c                |   6 +-
>>>  kernel/nsproxy.c                |  18 +-
>>>  12 files changed, 561 insertions(+), 154 deletions(-)
>>>  create mode 100644 include/linux/audit_namespace.h
>>>  create mode 100644 kernel/audit_namespace.c
>>>
>>
>>
>
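The thread above is about which audit netlink messages a task inside a non-init audit namespace may send (the cover letter allows GET, SET and the USER_MSG range, while rule changes stay with the privileged user in init_audit_ns). The following is an added example, not code from Gao feng's patchset or from the kernel: it frames the USER_MSG-type record a userspace tool would put on a NETLINK_AUDIT socket, parses it back the way a receiver would, and mirrors the stated per-namespace type policy as an illustrative check. The function names (`auditns_type_allowed`, `audit_frame_user_msg`, `audit_parse_msg`) and the sample message text are constructed for this example; the message-type constants come from the kernel's uapi `linux/audit.h`.

```c
/*
 * Added example, not part of Gao feng's patchset or the kernel:
 * frames the USER_MSG-type audit record a userspace tool sends over
 * NETLINK_AUDIT, parses it back the way a receiver would, and mirrors the
 * cover letter's policy that a non-init audit namespace may only issue
 * GET, SET and USER-range messages. Function names are hypothetical.
 */
#include <linux/audit.h>
#include <linux/netlink.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if an audit namespace may send netlink type `type`.
 * The init audit namespace keeps full access; a non-init one is limited
 * to AUDIT_GET, AUDIT_SET and the AUDIT_USER / USER_MSG range, so rule
 * changes (AUDIT_ADD_RULE etc.) coming from a container are refused. */
int auditns_type_allowed(uint16_t type, int is_init_ns)
{
    if (is_init_ns)
        return 1;
    if (type == AUDIT_GET || type == AUDIT_SET || type == AUDIT_USER)
        return 1;
    return type >= AUDIT_FIRST_USER_MSG && type <= AUDIT_LAST_USER_MSG;
}

/* Builds nlmsghdr + NUL-terminated text into buf, as a tool in a
 * container would before sendto() on a NETLINK_AUDIT socket.
 * Returns the number of bytes framed, or 0 if the type is not one a
 * non-init audit namespace may send or buf is too small. */
size_t audit_frame_user_msg(uint16_t type, uint32_t seq, const char *text,
                            unsigned char *buf, size_t buflen)
{
    size_t payload = strlen(text) + 1;
    size_t total = NLMSG_SPACE(payload);
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;

    if (!auditns_type_allowed(type, 0) || total > buflen)
        return 0;
    memset(buf, 0, total);               /* zero the alignment padding too */
    nlh->nlmsg_len = NLMSG_LENGTH(payload);
    nlh->nlmsg_type = type;
    nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    nlh->nlmsg_seq = seq;
    nlh->nlmsg_pid = 0;                  /* kernel fills in the sender portid */
    memcpy(NLMSG_DATA(nlh), text, payload);
    return total;
}

/* Receiver side: validates the header against the bytes actually received
 * and hands back the payload. Returns the netlink type, or -1 when the
 * length fields do not match what was received or the text is not
 * NUL-terminated inside its own length (rejected before the payload is used). */
int audit_parse_msg(const unsigned char *buf, size_t len, const char **text_out)
{
    const struct nlmsghdr *nlh = (const struct nlmsghdr *)buf;
    const char *text;
    size_t payload;

    if (len < sizeof(*nlh) || !NLMSG_OK(nlh, (int)len))
        return -1;
    text = NLMSG_DATA(nlh);
    payload = nlh->nlmsg_len - NLMSG_HDRLEN;
    if (payload == 0 || memchr(text, '\0', payload) == NULL)
        return -1;
    *text_out = text;
    return nlh->nlmsg_type;
}

int main(void)
{
    unsigned char buf[256];
    const char *text = NULL;
    /* constructed sample message */
    size_t n = audit_frame_user_msg(AUDIT_USER, 1, "container login: uid=0",
                                    buf, sizeof buf);
    int type = audit_parse_msg(buf, n, &text);

    printf("framed %zu bytes, type %d, text \"%s\"\n", n, type, text);
    printf("AUDIT_ADD_RULE from non-init audit ns allowed? %d\n",
           auditns_type_allowed(AUDIT_ADD_RULE, 0));
    return 0;
}
```

The framing side refuses to build anything outside the allowed set, and the parsing side checks `nlmsg_len` against the byte count actually received before reading the payload, which is the check a kernel receiver (or a userspace auditd draining the socket) needs so that a truncated or overlong header from a less trusted namespace is dropped rather than read past.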