Bug 947530
| Summary: | RFE: audit pid namespace is too restrictive | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Richard Guy Briggs <rbriggs> |
| Component: | kernel | Assignee: | Richard Guy Briggs <rbriggs> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | rawhide | CC: | gansalmon, itamar, jonathan, kernel-maint, madhu.chinakonda, pmoore, rbriggs, sgrubb |
| Target Milestone: | --- | Keywords: | FutureFeature |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Enhancement |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1010455 | Environment: | |
| Last Closed: | 2017-06-14 21:18:31 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1010455 | | |

Description
Richard Guy Briggs
2013-04-02 16:37:33 UTC
It is suspected this is the commit responsible (eparis):

    commit 34e36d8ecbd958bc15f8e63deade1227de337eb1
    Author: Eric W. Biederman <ebiederm>
    Date: Mon Sep 10 23:20:20 2012 -0700

        audit: Limit audit requests to processes in the initial pid and user namespaces.

2013-08-06: started work on this

2013-08-20: Posted a 12-patch set RFC to linux-audit and lkml:
https://lkml.org/lkml/2013/8/20/638
https://www.redhat.com/archives/linux-audit/2013-August/thread.html

*********** MASS BUG UPDATE **************

We apologize for the inconvenience. There is a large number of bugs to go through and several of them have gone stale. Due to this, we are doing a mass bug update across all of the Fedora 19 kernel bugs.

Fedora 19 has now been rebased to 3.11.1-200.fc19. Please test this kernel update and let us know if your issue has been resolved or if it is still present with the newer kernel.

If you experience different issues, please open a new bug report for those.

*********** MASS BUG UPDATE **************

We apologize for the inconvenience. There is a large number of bugs to go through and several of them have gone stale. Due to this, we are doing a mass bug update across all of the Fedora 19 kernel bugs.

Fedora 19 has now been rebased to 3.12.6-200.fc19. Please test this kernel update (or newer) and let us know if your issue has been resolved or if it is still present with the newer kernel.

If you have moved on to Fedora 20, and are still experiencing this issue, please change the version to Fedora 20.

If you experience different issues, please open a new bug report for those.

*********** MASS BUG UPDATE **************

We apologize for the inconvenience. There is a large number of bugs to go through and several of them have gone stale. Due to this, we are doing a mass bug update across all of the Fedora 20 kernel bugs.

Fedora 20 has now been rebased to 3.13.4-200.fc20. Please test this kernel update and let us know if your issue has been resolved or if it is still present with the newer kernel.

If you experience different issues, please open a new bug report for those.

2014-04-12: merged by Linus upstream

    5a3cb3b audit: allow user processes to log from another PID namespace
    f1dc486 audit: anchor all pid references in the initial pid namespace
    c92cdeb audit: convert PPIDs to the inital PID namespace.
    ad36d28 pid: get pid_t ppid of task in init_pid_ns

2014-04-13: Linux 3.15-rc1

So it looks like this is resolved upstream and we can close this BZ, yes?

The reason I have left it open is because I still have a couple of related patchsets outstanding. One is a conversion of the kernel audit code from pid_t to struct pid. The other is enhancements to the sched subsystem to support more certainty in recording pid numbers. Both have been posted upstream, but needed some more work which has mostly been done. It just needs rebasing, light testing and reposting.

This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle. Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22

*********** MASS BUG UPDATE **************

We apologize for the inconvenience. There is a large number of bugs to go through and several of them have gone stale. Due to this, we are doing a mass bug update across all of the Fedora 22 kernel bugs.

Fedora 22 has now been rebased to 4.2.3-200.fc22. Please test this kernel update (or newer) and let us know if your issue has been resolved or if it is still present with the newer kernel.

If you have moved on to Fedora 23, and are still experiencing this issue, please change the version to Fedora 23.

If you experience different issues, please open a new bug report for those.

Moving to Rawhide to avoid Fedora MASS BUG UPDATEs.

I can't help but wonder if we should transfer this to GitHub and close out this BZ. I'll understand if you don't want to bother with the hassle, but thought it was worth mentioning/asking.

* https://github.com/linux-audit/audit-kernel/issues

(In reply to Paul Moore from comment #12)
> I can't help but wonder if we should transfer this to GitHub and close out
> this BZ. I'll understand if you don't want to bother with the hassle, but
> thought it was worth mentioning/asking.

You have addressed the pid_t to struct pid conversion issues mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=947530#c8 with the upstream commit b6c7c11 ("audit: store the auditd PID as a pid struct instead of pid_t").

The one issue that remains is enhancements to the sched subsystem to support more certainty in recording pid numbers. I'll close this and start a fresh issue just for that.

Here's the new issue: https://github.com/linux-audit/audit-kernel/issues/56