[PATCH RFC] audit: provide namespace information in user originated records
Eric Paris
eparis at redhat.com
Wed Mar 20 18:42:04 UTC 2013
On Wed, 2013-03-20 at 13:36 -0500, Serge Hallyn wrote:
> Quoting Aristeu Rozanski (arozansk at redhat.com):
> > This is a bit fuzzy to me, perhaps due I'm not fully understanding
> > userns implementation yet, so bear with me:
> > I thought of changing so userns would not grant CAP_AUDIT_WRITE and
> > CAP_AUDIT_CONTROL unless the process already has it (i.e. it'd require
>
> Seems like CAP_AUDIT_WRITE should be targeted against the
> skb->netns->userns. Then CAP_AUDIT_WRITE can be treated like any other
> capability. Last I knew (long time ago) you had to be in init_user_ns
> to talk audit, but that's ok - this would just do the right thing in
> any case.
kauditd should be considered as existing in the init user namespace. So
I'd think we'd want to check if the process had CAP_AUDIT_WRITE in the
init user namespace and if so, allow it to send messages. Who care what
*ns the process exists in. If it has it in the init namespace, go
ahead. Thus the process that created the container would need
CAP_AUDIT_WRITE in the init namespace for this to all work, right?
/me also gets so confused about what caps mean in the userns world.
(/me has larger issues with the ns concept as a whole, but that boat
sailed years and years ago)
More information about the Linux-audit
mailing list