On Thu, Oct 10, 2024 at 1:59 PM Florian Westphal <fw@xxxxxxxxx> wrote: > Paul Moore <paul@xxxxxxxxxxxxxx> wrote: > > Correct me if I'm wrong, but by using from_kXid(&init_user_ns, Xid) we > > get the ID number that is correct for the init namespace, yes? If so, > > that's what we want as right now all of the audit records, filters, > > etc. are intended to be set from the context of the initial namespace. > > Seems to be the case, from_kuid() kdoc says > 'There is always a mapping into the initial user_namespace.'. > > I'm confused because of the various means of dealing with this: > 9847371a84b0 ("netfilter: Allow xt_owner in any user namespace") > > Does: make_kgid(net->user_ns, ... and also rejects rule-add if > net->user_ns != current_user_ns(). As this is for matching userids, > this makes sense to me, any userns will 'just work' for normal uid/gid > matching. > > a6c6796c7127 ("userns: Convert cls_flow to work with user namespaces enabled") > Does: from_kuid(&init_user_ns, ... and rejects rule adds if sk_user_ns(NETLINK_CB(in_skb).ssk) != &init_user_ns) > > Seems just a more conservative solution to the former one. > > 8c6e2a941ae7 ("userns: Convert xt_LOG to print socket kuids and kgids as uids and gids") > ... which looks like the proposed xt_AUDIT change. > > As I do not know what the use case is for xt_AUDIT rules residing in > another, possibly unprivileged network namespace not managed by root-root user, > I can't say if its right, but it should do the right thing. > > Sorry for the noise. No worries, it was a fair question and discussion about this is rarely a bad thing as it can get rather complicated somewhat quickly. With audit our current philosophy is that we try to do our logging and run the filters within the context of the host/initial namespace for the sake of consistency. Of course this introduces some limitations and "hide" some details specific to a child namespace, but it's the only solution we could think of that allows the current kernel audit implementation to behave in a comprehensive and sane manner across all the various namespace/container solutions. -- paul-moore.com