Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> Correct me if I'm wrong, but by using from_kXid(&init_user_ns, Xid) we
> get the ID number that is correct for the init namespace, yes? If so,
> that's what we want as right now all of the audit records, filters,
> etc. are intended to be set from the context of the initial namespace.

Seems to be the case; the from_kuid() kdoc says 'There is always a mapping
into the initial user_namespace.'

I'm confused because of the various means of dealing with this:

9847371a84b0 ("netfilter: Allow xt_owner in any user namespace")

Does: make_kgid(net->user_ns, ... and also rejects rule-add if
net->user_ns != current_user_ns().

As this is for matching userids, this makes sense to me; any userns will
'just work' for normal uid/gid matching.

a6c6796c7127 ("userns: Convert cls_flow to work with user namespaces enabled")

Does: from_kuid(&init_user_ns, ... and rejects rule adds if
sk_user_ns(NETLINK_CB(in_skb).ssk) != &init_user_ns)

Seems just a more conservative solution than the former one.

8c6e2a941ae7 ("userns: Convert xt_LOG to print socket kuids and kgids as uids and gids")

... which looks like the proposed xt_AUDIT change.

As I do not know what the use case is for xt_AUDIT rules residing in
another, possibly unprivileged, network namespace not managed by the
root-root user, I can't say if it's right, but it should do the right
thing.

Sorry for the noise.