[PATCH RFC] audit: provide namespace information in user originated records
Aristeu Rozanski
arozansk at redhat.com
Wed Mar 20 19:17:28 UTC 2013
On Wed, Mar 20, 2013 at 03:01:32PM -0400, Eric Paris wrote:
> [veering away from this particular patch]
>
> We are also talking about adding a CAP_AUDIT_READ and sending messages
> via multicast on the audit socket. The problem is I don't know how the
> audit socket could work in the network namespace world. Right now
> kauditd has:
>
> audit_sock = netlink_kernel_create(&init_net, NETLINK_AUDIT, &cfg);
>
> So there won't ever be anything on the kernel side of the audit socket
> in a non-init network namespace. Let's say that is fixed somehow (I
> assume it's possible? something? magic pixies?) I think we'd somehow
> need to do the CAP_AUDIT_READ check against the user namespace
> associated with the network namespace in question? But what messages
> should go to this userspace auditd?
>
> Going to have to have audit namespaces too. But only CAP_AUDIT_READ
> would make sense in the new audit namespace...
I guess that could be achieved by forcing the creation of a new network namespace at
the same time you create a new audit namespace. Any new network
namespace created inside this new container would lose CAP_AUDIT_*.
--
Aristeu