[PATCH] audit: allow logging of user events in non-initial namespace.

Richard Guy Briggs rgb at redhat.com
Tue May 11 19:40:28 UTC 2021 

On 2021-05-10 18:48, Paul Moore wrote:
> On Sun, May 9, 2021 at 2:33 PM Michael Weiß
> <michael.weiss at aisec.fraunhofer.de> wrote:
> >
> > Audit subsystem was disabled in total for user namespaces other than
> > the initial namespace.
> >
> > If audit is enabled by kernel command line or audtid in initial namespace,
> > it is now possible to allow at least logging of userspace applications
> > inside of non-initial namespaces if CAP_AUDIT_WRITE in the corresponding
> > namespace is held.
> >
> > This allows logging of, e.g., PAM or opensshd inside user namespaced
> > system containers.
> >
> > Signed-off-by: Michael Weiß <michael.weiss at aisec.fraunhofer.de>
> > ---
> >  kernel/audit.c | 10 ++++++++--
> >  1 file changed, 8 insertions(+), 2 deletions(-)
> 
> I think this needs to wait on the audit container ID patchset to land.

That will interact with this, for sure and others related.

Given that there are non-init namespaces involved that may not be part
of containers, I would prefer to wait until namespaces are also
optionally documentable in audit events before permitting this change.
A patchset exists, but it has been deferred until the audit container
identifier patchset is settled.
(See https://github.com/linux-audit/audit-kernel/issues/32 )

> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index 121d37e700a6..b5cc0669c3d7 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -1012,7 +1012,13 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
> >          * userspace will reject all logins.  This should be removed when we
> >          * support non init namespaces!!
> >          */
> > -       if (current_user_ns() != &init_user_ns)
> > +       /*
> > +        * If audit is enabled by kernel command line or audtid in the initial
> > +        * namespace allow at least logging of userspace applications inside of
> > +        * non-initial namespaces according to CAP_AUDIT_WRITE is held in the
> > +        * corresponding namespace.
> > +        */
> > +       if ((current_user_ns() != &init_user_ns) && !audit_enabled)
> >                 return -ECONNREFUSED;
> >
> >         switch (msg_type) {
> > @@ -1043,7 +1049,7 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
> >         case AUDIT_USER:
> >         case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
> >         case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
> > -               if (!netlink_capable(skb, CAP_AUDIT_WRITE))
> > +               if (!netlink_ns_capable(skb, current_user_ns(), CAP_AUDIT_WRITE))
> >                         err = -EPERM;
> >                 break;
> >         default:  /* bad msg */
> > --
> > 2.20.1
> 
> -- 
> paul moore
> www.paul-moore.com
> 

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

More information about the Linux-audit mailing list