From: Michael Weiß
To: michael.weiss@aisec.fraunhofer.de
Cc: Richard Guy Briggs, Paul Moore, Eric Paris, linux-audit@redhat.com, linux-kernel@vger.kernel.org
Subject: [PATCH] audit: allow logging of user events in non-initial namespace.
Date: Sun, 9 May 2021 20:33:19 +0200
Message-Id: <20210509183319.20298-1-michael.weiss@aisec.fraunhofer.de>
X-Mailer: git-send-email 2.20.1
X-Mailing-List: linux-kernel@vger.kernel.org

The audit subsystem was disabled completely for user namespaces other than the initial namespace. If audit is enabled by the kernel command line or by auditd in the initial namespace, it is now possible to allow at least logging of userspace applications inside of non-initial namespaces if CAP_AUDIT_WRITE in the corresponding namespace is held.

This allows logging of, e.g., PAM or opensshd inside user namespaced system containers.

Signed-off-by: Michael Weiß
---
 kernel/audit.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c index 121d37e700a6..b5cc0669c3d7 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1012,7 +1012,13 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type) * userspace will reject all logins. This should be removed when we * support non init namespaces!! */ - if (current_user_ns() != &init_user_ns) + /* + * If audit is enabled by kernel command line or audtid in the initial + * namespace allow at least logging of userspace applications inside of + * non-initial namespaces according to CAP_AUDIT_WRITE is held in the + * corresponding namespace. + */ + if ((current_user_ns() != &init_user_ns) && !audit_enabled) return -ECONNREFUSED; switch (msg_type) { @@ -1043,7 +1049,7 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type) case AUDIT_USER: case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG: case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2: - if (!netlink_capable(skb, CAP_AUDIT_WRITE)) + if (!netlink_ns_capable(skb, current_user_ns(), CAP_AUDIT_WRITE)) err = -EPERM; break; default: /* bad msg */ -- 2.20.1
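Review bot: relaxing the early return to `if ((current_user_ns() != &init_user_ns) && !audit_enabled)` opens the whole switch that follows, not only the user-message cases, to senders in non-initial user namespaces whenever audit is enabled; the second hunk only touches the AUDIT_USER / AUDIT_FIRST_USER_MSG ... ranges, so every other message type now relies on whatever check sits inside its own case instead of on this gate. If the intent is user-event logging only, keep the early `return -ECONNREFUSED` as it was and move the namespace condition into the user-message case instead, so control messages keep their present behaviour. The comment added in this hunk repeats the typo "audtid" (auditd), and "according to CAP_AUDIT_WRITE is held" should read "provided CAP_AUDIT_WRITE is held"; the pre-existing comment directly above it ("This should be removed when we support non init namespaces!!") now sits over a check that partly supports them and should be updated in the same patch. Worth stating in the commit message as well: `audit_enabled` is the single initial-namespace setting, so a container cannot switch audit on or off for itself; it only inherits the host's state.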
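Review bot: `netlink_ns_capable(skb, current_user_ns(), CAP_AUDIT_WRITE)` tests the capability in the sender's own user namespace, and the creator of a user namespace holds the full capability set in it, so on a system that permits unprivileged user namespaces the gate for AUDIT_USER and the AUDIT_FIRST_USER_MSG ... ranges drops from "CAP_AUDIT_WRITE in the initial namespace" to "able to call unshare(CLONE_NEWUSER)". Any such process can then inject arbitrary USER_* records into the host audit stream, and nothing in this diff marks those records with their originating namespace, so a consumer cannot distinguish container-originated records from host ones. Either the commit message should state this trust change explicitly and the records should carry a namespace marker, or the check should be narrowed to the case the commit message describes (a privileged system container) rather than every user namespace. One more detail: `current_user_ns()` is the context of the task doing the send, while `netlink_ns_capable()` evaluates the credentials of whoever opened the socket; taking the user namespace from the same credentials (the socket's) would keep the two from disagreeing when a socket is handed across namespaces.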
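To see which branch of audit_netlink_ok() a given process actually hits, here is an added probe program written for this review (it is not part of the patch or of the kernel tree). It sends one AUDIT_USER record over NETLINK_AUDIT with NLM_F_ACK set and decodes the netlink error ack, which is how the return value of audit_netlink_ok() reaches userspace: -ECONNREFUSED means the sender's user namespace was refused by the early check, -EPERM means the CAP_AUDIT_WRITE check failed, and 0 means the record was accepted. The record text, the sequence-number scheme and the selftest helpers are constructed for the example; building it needs the Linux UAPI headers, and the live verdict depends on the kernel version, on audit_enabled and on the caller's capabilities, so the offline self-tests only cover message building and ack parsing.

```c
/*
 * audit_user_probe.c: send one AUDIT_USER record with NLM_F_ACK and report
 * the kernel's verdict (0, -ECONNREFUSED or -EPERM) from the netlink ack.
 */
#include <errno.h>
#include <linux/audit.h>
#include <linux/netlink.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* One request: netlink header followed by the NUL-terminated record text. */
struct audit_req {
    struct nlmsghdr nlh;
    char payload[256];
};

/* Fill in a user-message request; returns nlmsg_len, or -1 if text does not fit. */
static int build_user_msg(struct audit_req *req, __u16 type, const char *text, __u32 seq)
{
    size_t len = strlen(text) + 1;

    if (len > sizeof(req->payload))
        return -1;
    memset(req, 0, sizeof(*req));
    req->nlh.nlmsg_len = NLMSG_LENGTH(len);
    req->nlh.nlmsg_type = type;
    req->nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; /* always ask for an ack */
    req->nlh.nlmsg_seq = seq;
    memcpy(req->payload, text, len);
    return (int)req->nlh.nlmsg_len;
}

/*
 * Decode the kernel's reply: the error field of the NLMSG_ERROR message
 * (0 = accepted, otherwise a negative errno), or -EBADMSG if the buffer is
 * not a well-formed ack for the sequence number we sent.
 */
static int decode_ack(const void *buf, int buflen, __u32 expect_seq)
{
    const struct nlmsghdr *nlh = buf;
    const struct nlmsgerr *e;

    if (!NLMSG_OK(nlh, buflen) || nlh->nlmsg_type != NLMSG_ERROR)
        return -EBADMSG;
    if (nlh->nlmsg_seq != expect_seq)
        return -EBADMSG;
    if (nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*e)))
        return -EBADMSG;
    e = (const struct nlmsgerr *)((const char *)nlh + NLMSG_HDRLEN);
    return e->error;
}

/* Send one record from the calling process and return the kernel's verdict. */
static int probe_user_audit(const char *text)
{
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK }; /* nl_pid 0 = kernel */
    struct audit_req req;
    char buf[1024];
    __u32 seq = (__u32)getpid();   /* constructed sequence number for this probe */
    int fd, len, rc;
    ssize_t n;

    len = build_user_msg(&req, AUDIT_USER, text, seq);
    if (len < 0)
        return -EMSGSIZE;
    fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0)
        return -errno;
    if (sendto(fd, &req, len, 0, (struct sockaddr *)&kernel, sizeof(kernel)) < 0) {
        rc = -errno;
        close(fd);
        return rc;
    }
    n = recv(fd, buf, sizeof(buf), 0);
    rc = n < 0 ? -errno : decode_ack(buf, (int)n, seq);
    close(fd);
    return rc;
}

/* Offline helper: a constructed ack laid out as the kernel's netlink_ack() sends it. */
static int selftest_decode(int error, __u32 sent_seq, __u32 reply_seq)
{
    struct { struct nlmsghdr nlh; struct nlmsgerr err; } ack;

    memset(&ack, 0, sizeof(ack));
    ack.nlh.nlmsg_len = NLMSG_LENGTH(sizeof(struct nlmsgerr));
    ack.nlh.nlmsg_type = NLMSG_ERROR;
    ack.nlh.nlmsg_seq = reply_seq;
    ack.err.error = error;
    return decode_ack(&ack, (int)sizeof(ack), sent_seq);
}

/* Offline helper: length the request builder produces for a given text. */
static int selftest_build(const char *text)
{
    struct audit_req req;
    return build_user_msg(&req, AUDIT_USER, text, 1);
}

int main(void)
{
    int rc = probe_user_audit("audit-ns-probe: constructed test record");

    if (rc == 0)
        printf("accepted: user events from this user namespace are logged\n");
    else if (rc == -ECONNREFUSED)
        printf("ECONNREFUSED: this user namespace is refused (unpatched kernel, or audit disabled)\n");
    else if (rc == -EPERM)
        printf("EPERM: CAP_AUDIT_WRITE check failed for this sender\n");
    else
        printf("unexpected result: %s\n", strerror(-rc));
    return rc == 0 ? 0 : 1;
}
```

Run it once on the host as root and once inside the container (for instance under `unshare -Ur`) to compare verdicts before and after the patch; on a kernel carrying the second hunk, the container run should flip from ECONNREFUSED to accepted as soon as audit is enabled on the host, which is exactly the trust change raised above.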