Bug 887992
Summary: | Audit messages should be available to the journal
---|---
Product: | [Fedora] Fedora
Reporter: | Eric Paris <eparis>
Component: | kernel
Assignee: | Richard Guy Briggs <rbriggs>
Status: | CLOSED RAWHIDE
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | unspecified
Priority: | unspecified
Version: | rawhide
CC: | gansalmon, itamar, jonathan, kernel-maint, madhu.chinakonda, zbyszek
Hardware: | Unspecified
OS: | Unspecified
Doc Type: | Bug Fix
Type: | Bug
Last Closed: | 2014-11-06 00:05:27 UTC
Description
Eric Paris
2012-12-17 19:15:40 UTC
I should have accepted this back a month ago...

Created attachment 686259 [details]
netlink: add send and receive capability requirement and capability flags

This patch was sent to netdev.org this morning for feedback.

Currently netlink socket permissions are controlled by the
NL_CFG_F_NONROOT_{RECV,SEND} flags in the kernel socket configuration or by the
CAP_NET_ADMIN capability of the client. The former allows non-root users
access to the socket. The latter allows all network admin clients access to
the socket. It would be useful to be able to further restrict this access to
send or receive capabilities individually within specific subsystems with a
more targeted capability. Two more flags, NL_CFG_F_CAPABILITY_{RECV,SEND},
have been added to specifically require a named capability should the subsystem
request it, allowing the client to drop other broad unneeded capabilities.

Created attachment 686801 [details]
Test app using basic socket calls

This test app uses basic socket calls to test the newly created kaudit netlink multicast socket on the first group created. It drops all capabilities except CAP_AUDIT_READ. It requires libcap-ng-devel. Compile it with:

    gcc -o audit-multicast-listen -Wall -W -lcap-ng audit-multicast-listen.c

Created attachment 686820 [details]
Test app using libnl-3 calls

This test app uses libnl-3 calls to test the newly created kaudit netlink multicast socket on the first group created. It drops all capabilities except CAP_AUDIT_READ. It requires libnl3-devel and libcap-ng-devel. Compile it with:

    gcc -o mulicast-listener -Wall -W -I/usr/include/libnl3/ -lnl-3 -lcap-ng \
        mulicast-listener.c

There is a bug in libnl3 that causes a segfault, so you will need this patch:
http://git.infradead.org/users/tgr/libnl.git/commitdiff/5d53626100f3b747109d4fc05a6d4107b09df642

This is mostly Eric Paris' work. Patch set was posted to LKML:
https://lkml.org/lkml/2013/1/27/279

Eric Paris checked the code in to:
http://git.infradead.org/users/eparis/audit.git/

This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle. Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19

March 3rd, 2013: I re-implemented this functionality in Generic Netlink, initially without capabilities checks. It appears the capabilities requirements are no different with Generic Netlink, if not a bit more complex than re-using the audit netlink socket. I'll check a couple of other ideas to see if they may work.

*********** MASS BUG UPDATE **************

We apologize for the inconvenience. There is a large number of bugs to go through and several of them have gone stale. Due to this, we are doing a mass bug update across all of the Fedora 19 kernel bugs.

Fedora 19 has now been rebased to 3.11.1-200.fc19. Please test this kernel update and let us know if your issue has been resolved or if it is still present with the newer kernel.

If you experience different issues, please open a new bug report for those.

*********** MASS BUG UPDATE **************

We apologize for the inconvenience. There is a large number of bugs to go through and several of them have gone stale. Due to this, we are doing a mass bug update across all of the Fedora 19 kernel bugs.

Fedora 19 has now been rebased to 3.12.6-200.fc19. Please test this kernel update (or newer) and let us know if your issue has been resolved or if it is still present with the newer kernel.

If you have moved on to Fedora 20, and are still experiencing this issue, please change the version to Fedora 20.

If you experience different issues, please open a new bug report for those.

Patch set posted upstream accepted by net subsystem maintainer:
https://lkml.org/lkml/2014/4/22/958

Moving to POST.

Richard asked if we could grab this for rawhide before it hits Linus' tree. We're going to wait for it to sit in linux-next for a bit but we'll grab it in the not distant future.

Reference test program available:
http://people.redhat.com/rbriggs/audit-multicast-listen/

*** Bug 1129709 has been marked as a duplicate of this bug. ***

The patches referenced in comment #11 went into the 3.16 kernel release. Those of you running rawhide or F21 should be able to play with this. F20 will get a 3.16.y rebase soon-ish.

Richard, does the test application (or anything wishing to use this) require root or other special privs?

CAP_AUDIT_READ, so basically, yes, root.

BTW, I have now added support for this to journald upstream:
http://cgit.freedesktop.org/systemd/systemd/commit/?id=875c2e220e2611165e09051c4747971811f1de58

Works very well, but see bug 1160046.
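As an added example (not the attached test programs and not journald's code), here is a minimal listener that does what the comments above describe: it keeps only CAP_AUDIT_READ, using the raw capset syscall instead of libcap-ng, then binds a NETLINK_AUDIT socket to the first multicast group (AUDIT_NLGRP_READLOG, kernel 3.16+) and prints each record's type and text. The function names and the record parser are my own; the process must be started as root so that CAP_AUDIT_READ can be retained.

```c
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/capability.h>
#include <linux/netlink.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Bitmask that joins the first kaudit multicast group (AUDIT_NLGRP_READLOG == 1). */
unsigned int audit_mcast_groups(void) { return 1u << (AUDIT_NLGRP_READLOG - 1); }

/* Shrink the permitted and effective sets to CAP_AUDIT_READ only, via the raw
 * capset syscall rather than libcap-ng. Call while still privileged; 0 on success. */
int keep_only_cap_audit_read(void) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    data[CAP_TO_INDEX(CAP_AUDIT_READ)].permitted = CAP_TO_MASK(CAP_AUDIT_READ);
    data[CAP_TO_INDEX(CAP_AUDIT_READ)].effective = CAP_TO_MASK(CAP_AUDIT_READ);
    return (int)syscall(SYS_capset, &hdr, data);
}
/* Copy the text of one audit record out of a netlink message into out.
 * Returns the record type (e.g. AUDIT_SYSCALL) or -1 if the header is truncated. */
int audit_record_text(const struct nlmsghdr *nlh, size_t len, char *out, size_t outlen) {
    if (len < sizeof *nlh || nlh->nlmsg_len < sizeof *nlh || nlh->nlmsg_len > len)
        return -1;
    size_t plen = nlh->nlmsg_len - NLMSG_HDRLEN;      /* payload is not NUL-terminated */
    if (plen >= outlen) plen = outlen - 1;            /* truncate, keep room for NUL */
    memcpy(out, NLMSG_DATA(nlh), plen);
    out[plen] = '\0';
    return nlh->nlmsg_type;
}
int main(void) {
    char buf[8192], text[4096];
    if (keep_only_cap_audit_read() < 0) { perror("capset"); return 1; }
    /* From here on only CAP_AUDIT_READ is held; the multicast bind must still succeed. */
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    struct sockaddr_nl addr = { .nl_family = AF_NETLINK, .nl_groups = audit_mcast_groups() };
    if (fd < 0 || bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0) { perror("bind"); return 1; }
    for (;;) {
        ssize_t n = recv(fd, buf, sizeof buf, 0);
        if (n <= 0) { perror("recv"); return 1; }
        for (struct nlmsghdr *nlh = (struct nlmsghdr *)buf; NLMSG_OK(nlh, n); nlh = NLMSG_NEXT(nlh, n)) {
            int type = audit_record_text(nlh, (size_t)n, text, sizeof text);
            if (type > 0) printf("type=%d %s\n", type, text);
        }
    }
}
```

It builds with plain gcc and no extra libraries; on a kernel without the multicast group the bind fails with EINVAL, and without CAP_AUDIT_READ it fails with EPERM, which is the check the comments above are testing.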