2021-05-09 18:34:46

by Michael Weiß

Subject: [PATCH] audit: allow logging of user events in non-initial namespace.

The audit subsystem was disabled entirely for user namespaces other than
the initial namespace.

If audit is enabled by kernel command line or auditd in initial namespace,
it is now possible to allow at least logging of userspace applications
inside of non-initial namespaces if CAP_AUDIT_WRITE in the corresponding
namespace is held.

This allows logging of, e.g., PAM or opensshd inside user namespaced
system containers.

Signed-off-by: Michael Weiß <[email protected]>
---
kernel/audit.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/kernel/audit.c b/kernel/audit.c
index 121d37e700a6..b5cc0669c3d7 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1012,7 +1012,13 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
* userspace will reject all logins. This should be removed when we
* support non init namespaces!!
*/
- if (current_user_ns() != &init_user_ns)
+ /*
+ * If audit is enabled by kernel command line or audtid in the initial
+ * namespace allow at least logging of userspace applications inside of
+ * non-initial namespaces according to CAP_AUDIT_WRITE is held in the
+ * corresponding namespace.
+ */
+ if ((current_user_ns() != &init_user_ns) && !audit_enabled)
return -ECONNREFUSED;

switch (msg_type) {
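Review bot: the old comment directly above the changed condition (the one ending "This should be removed when we support non init namespaces!!") still describes the unconditional gate and is now stacked on top of a second comment that says the opposite; fold the two into one comment that states the new rule, and fix its wording ("audtid" should be "auditd", and "according to CAP_AUDIT_WRITE is held" should read "provided CAP_AUDIT_WRITE is held"). On the logic: this `if` sits before `switch (msg_type)` and gates every message type, not only the user-message cases the subject line names, so once `audit_enabled` is set a sender in any user namespace reaches the per-type checks below; the reader of this hunk cannot see whether the other cases in the switch still confine control and query messages to the initial namespace, so the commit message should state that explicitly. Note also that `audit_enabled` changes at runtime, so the answer a container gets flips between -ECONNREFUSED and the per-type result depending on the host's current audit state.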
@@ -1043,7 +1049,7 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
case AUDIT_USER:
case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
- if (!netlink_capable(skb, CAP_AUDIT_WRITE))
+ if (!netlink_ns_capable(skb, current_user_ns(), CAP_AUDIT_WRITE))
err = -EPERM;
break;
default: /* bad msg */
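Review bot: checking CAP_AUDIT_WRITE against current_user_ns() judges the capability in the sender's own user namespace, and the creator of a user namespace holds every capability inside it, so for the AUDIT_USER and AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG2 cases this hunk accepts records from any process able to set up a user namespace whenever audit is enabled, not only from trusted system containers. Those records go into the single shared log, and nothing in this change marks which namespace they came from, so a host auditd cannot distinguish a record written from a container from one written by the host's own PAM or sshd. Either carry an origin identifier in the record (the audit container ID work) or limit the relaxed check to namespaces the host has explicitly permitted, and say in the commit message which it is.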
--
2.20.1
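The netlink exchange the commit message describes, as an added example that is not part of the patch or of this thread: a userspace probe in C that sends one AUDIT_USER record to the kernel over NETLINK_AUDIT and decodes the ACK, so that an administrator can see which gate in audit_netlink_ok() answered. It assumes only the public uapi headers linux/audit.h and linux/netlink.h; the probe text and the sample NLMSG_ERROR reply built by make_sample_ack() are constructed for this example, and the classification strings describe the two checks visible in the patch. Run it on the host and then inside a user-namespaced container, with and without the patch, to compare the answers.

```c
/*
 * Added example (not from the patch or the thread): send one AUDIT_USER
 * record over NETLINK_AUDIT and decode the kernel's netlink ACK.  The kernel
 * reports the result of audit_netlink_ok() in the NLMSG_ERROR reply, not as
 * the return value of sendto().  Probe text and sample reply are constructed.
 */
#include <errno.h>
#include <linux/audit.h>
#include <linux/netlink.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Build an AUDIT_USER request carrying a NUL-terminated text payload.
 * Returns the number of bytes to send, or -1 if the buffer is too small. */
static int build_audit_user_msg(char *buf, size_t buflen, const char *text, unsigned int seq)
{
	size_t payload = strlen(text) + 1;
	if (NLMSG_SPACE(payload) > buflen)
		return -1;
	memset(buf, 0, NLMSG_SPACE(payload));
	struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
	nlh->nlmsg_len = NLMSG_LENGTH(payload);
	nlh->nlmsg_type = AUDIT_USER;
	nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; /* ask for an ACK even on success */
	nlh->nlmsg_seq = seq;
	nlh->nlmsg_pid = 0;
	memcpy(NLMSG_DATA(nlh), text, payload);
	return (int)NLMSG_SPACE(payload);
}

/* Walk a reply buffer and return the errno carried by its NLMSG_ERROR
 * (0 means a plain ACK); -1 if the buffer holds no NLMSG_ERROR. */
static int parse_netlink_ack(char *buf, int len)
{
	struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
	for (; NLMSG_OK(nlh, len); nlh = NLMSG_NEXT(nlh, len)) {
		if (nlh->nlmsg_type == NLMSG_ERROR) {
			struct nlmsgerr *e = (struct nlmsgerr *)NLMSG_DATA(nlh);
			return -e->error; /* the kernel stores the negative errno */
		}
	}
	return -1;
}

/* Map the errno to the check in audit_netlink_ok() that produces it. */
static const char *classify_audit_reply(int err)
{
	switch (err) {
	case 0:
		return "accepted";
	case ECONNREFUSED:
		return "ECONNREFUSED: sender is outside the initial user namespace "
		       "(with the patch applied: and audit is disabled)";
	case EPERM:
		return "EPERM: CAP_AUDIT_WRITE not held "
		       "(with the patch applied: in the sender's own user namespace)";
	default:
		return "other error";
	}
}

/* Constructed sample reply for offline checking: an NLMSG_ERROR carrying `error`. */
static int make_sample_ack(char *buf, size_t buflen, int error)
{
	size_t need = NLMSG_SPACE(sizeof(struct nlmsgerr));
	if (need > buflen)
		return -1;
	memset(buf, 0, need);
	struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
	nlh->nlmsg_len = NLMSG_LENGTH(sizeof(struct nlmsgerr));
	nlh->nlmsg_type = NLMSG_ERROR;
	((struct nlmsgerr *)NLMSG_DATA(nlh))->error = -error;
	return (int)need;
}

/* Send the probe and return the errno decoded from the kernel's reply. */
static int probe_audit_user(const char *text)
{
	char req[512], reply[512];
	int len = build_audit_user_msg(req, sizeof req, text, 1);
	if (len < 0)
		return EMSGSIZE;
	int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
	if (fd < 0)
		return errno; /* e.g. audit not built into this kernel */
	struct sockaddr_nl kernel = { .nl_family = AF_NETLINK }; /* pid 0 = kernel */
	int err;
	if (sendto(fd, req, len, 0, (struct sockaddr *)&kernel, sizeof kernel) < 0) {
		err = errno;
	} else {
		int n = (int)recv(fd, reply, sizeof reply, 0);
		err = n < 0 ? errno : parse_netlink_ack(reply, n);
	}
	close(fd);
	return err;
}

int main(void)
{
	int err = probe_audit_user("audit-ns-probe: test record (constructed)");
	printf("AUDIT_USER -> %s (errno %d)\n", classify_audit_reply(err), err);
	return err == 0 ? 0 : 1;
}
```

The request sets NLM_F_ACK on purpose: the audit receive path only sends a reply when the message failed or an ACK was requested, so without the flag a successfully logged record produces no reply and recv() would block.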


2021-05-10 22:51:01

by Paul Moore

Subject: Re: [PATCH] audit: allow logging of user events in non-initial namespace.

On Sun, May 9, 2021 at 2:33 PM Michael Weiß
<[email protected]> wrote:
>
> Audit subsystem was disabled in total for user namespaces other than
> the initial namespace.
>
> If audit is enabled by kernel command line or auditd in initial namespace,
> it is now possible to allow at least logging of userspace applications
> inside of non-initial namespaces if CAP_AUDIT_WRITE in the corresponding
> namespace is held.
>
> This allows logging of, e.g., PAM or opensshd inside user namespaced
> system containers.
>
> Signed-off-by: Michael Weiß <[email protected]>
> ---
> kernel/audit.c | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)

I think this needs to wait on the audit container ID patchset to land.

> diff --git a/kernel/audit.c b/kernel/audit.c
> index 121d37e700a6..b5cc0669c3d7 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1012,7 +1012,13 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
> * userspace will reject all logins. This should be removed when we
> * support non init namespaces!!
> */
> - if (current_user_ns() != &init_user_ns)
> + /*
> + * If audit is enabled by kernel command line or audtid in the initial
> + * namespace allow at least logging of userspace applications inside of
> + * non-initial namespaces according to CAP_AUDIT_WRITE is held in the
> + * corresponding namespace.
> + */
> + if ((current_user_ns() != &init_user_ns) && !audit_enabled)
> return -ECONNREFUSED;
>
> switch (msg_type) {
> @@ -1043,7 +1049,7 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
> case AUDIT_USER:
> case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
> case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
> - if (!netlink_capable(skb, CAP_AUDIT_WRITE))
> + if (!netlink_ns_capable(skb, current_user_ns(), CAP_AUDIT_WRITE))
> err = -EPERM;
> break;
> default: /* bad msg */
> --
> 2.20.1

--
paul moore
http://www.paul-moore.com

2021-05-11 19:44:16

by Richard Guy Briggs

Subject: Re: [PATCH] audit: allow logging of user events in non-initial namespace.

On 2021-05-10 18:48, Paul Moore wrote:
> On Sun, May 9, 2021 at 2:33 PM Michael Weiß
> <[email protected]> wrote:
> >
> > Audit subsystem was disabled in total for user namespaces other than
> > the initial namespace.
> >
> > If audit is enabled by kernel command line or auditd in initial namespace,
> > it is now possible to allow at least logging of userspace applications
> > inside of non-initial namespaces if CAP_AUDIT_WRITE in the corresponding
> > namespace is held.
> >
> > This allows logging of, e.g., PAM or opensshd inside user namespaced
> > system containers.
> >
> > Signed-off-by: Michael Weiß <[email protected]>
> > ---
> > kernel/audit.c | 10 ++++++++--
> > 1 file changed, 8 insertions(+), 2 deletions(-)
>
> I think this needs to wait on the audit container ID patchset to land.

That will interact with this, for sure, and with others related to it.

Given that there are non-init namespaces involved that may not be part
of containers, I would prefer to wait until namespaces are also
optionally documentable in audit events before permitting this change.
A patchset exists, but it has been deferred until the audit container
identifier patchset is settled.
(See https://github.com/linux-audit/audit-kernel/issues/32 )

> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index 121d37e700a6..b5cc0669c3d7 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -1012,7 +1012,13 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
> > * userspace will reject all logins. This should be removed when we
> > * support non init namespaces!!
> > */
> > - if (current_user_ns() != &init_user_ns)
> > + /*
> > + * If audit is enabled by kernel command line or audtid in the initial
> > + * namespace allow at least logging of userspace applications inside of
> > + * non-initial namespaces according to CAP_AUDIT_WRITE is held in the
> > + * corresponding namespace.
> > + */
> > + if ((current_user_ns() != &init_user_ns) && !audit_enabled)
> > return -ECONNREFUSED;
> >
> > switch (msg_type) {
> > @@ -1043,7 +1049,7 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
> > case AUDIT_USER:
> > case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
> > case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
> > - if (!netlink_capable(skb, CAP_AUDIT_WRITE))
> > + if (!netlink_ns_capable(skb, current_user_ns(), CAP_AUDIT_WRITE))
> > err = -EPERM;
> > break;
> > default: /* bad msg */
> > --
> > 2.20.1
>
> --
> paul moore
> http://www.paul-moore.com
>

- RGB

--
Richard Guy Briggs <[email protected]>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635