At the moment the kernel audit subsystem sends messages to a netlink unicast socket. These messages are delivered reliably and the kernel may take some negative action (such as a kernel panic) if they are not received and acknowledged. We would like a new multicast netlink socket on which messages are also sent. The current interface may not be changed in ANY way. The systemd journal will be a user of this new interface. Permissions must be enforced on the new interface such that only privileged processes may get this potentially sensitive information. (This may require some work to determine the permissions on the current audit_socket.) I thought it was CAP_AUDIT_READ, but apparently there is no such thing...
I should have accepted this back a month ago...
Created attachment 686259 [details] netlink: add send and receive capability requirement and capability flags. This patch was sent to netdev.org this morning for feedback. Currently netlink socket permissions are controlled by the NL_CFG_F_NONROOT_{RECV,SEND} flags in the kernel socket configuration or by the CAP_NET_ADMIN capability of the client. The former allows non-root users access to the socket. The latter allows all network admin clients access to the socket. It would be useful to be able to further restrict this access to send or receive capabilities individually within specific subsystems with a more targeted capability. Two more flags, NL_CFG_F_CAPABILITY_{RECV,SEND}, have been added to specifically require a named capability should the subsystem request it, allowing the client to drop other broad unneeded capabilities.
Created attachment 686801 [details] Test app using basic socket calls This test app uses basic socket calls to test the newly created kaudit netlink multicast socket on the first group created. It drops all capabilities except CAP_AUDIT_READ. It requires libcap-ng-devel. Compile it with: gcc -o audit-multicast-listen -Wall -W -lcap-ng audit-multicast-listen.c
Created attachment 686820 [details] Test app using libnl-3 calls. This test app uses libnl-3 calls to test the newly created kaudit netlink multicast socket on the first group created. It drops all capabilities except CAP_AUDIT_READ. It requires libnl3-devel and libcap-ng-devel. Compile it with: gcc -o mulicast-listener -Wall -W -I/usr/include/libnl3/ -lnl-3 -lcap-ng mulicast-listener.c There is a bug in libnl3 that causes a segfault, so you will need this patch: http://git.infradead.org/users/tgr/libnl.git/commitdiff/5d53626100f3b747109d4fc05a6d4107b09df642 This is mostly Eric Paris' work.
Patch set was posted to LKML: https://lkml.org/lkml/2013/1/27/279
Eric Paris checked the code in to: http://git.infradead.org/users/eparis/audit.git/
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle. Changing version to '19'. (As we did not run this process for some time, it could affect also pre-Fedora 19 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19
March 3rd, 2013: I re-implemented this functionality in Generic Netlink, initially without capabilities checks. It appears the capabilities requirements are no different with Generic Netlink, if not a bit more complex than re-using the audit netlink socket. I'll check a couple of other ideas to see if they may work.
*********** MASS BUG UPDATE ************** We apologize for the inconvenience. There is a large number of bugs to go through and several of them have gone stale. Due to this, we are doing a mass bug update across all of the Fedora 19 kernel bugs. Fedora 19 has now been rebased to 3.11.1-200.fc19. Please test this kernel update and let us know if your issue has been resolved or if it is still present with the newer kernel. If you experience different issues, please open a new bug report for those.
*********** MASS BUG UPDATE ************** We apologize for the inconvenience. There is a large number of bugs to go through and several of them have gone stale. Due to this, we are doing a mass bug update across all of the Fedora 19 kernel bugs. Fedora 19 has now been rebased to 3.12.6-200.fc19. Please test this kernel update (or newer) and let us know if your issue has been resolved or if it is still present with the newer kernel. If you have moved on to Fedora 20, and are still experiencing this issue, please change the version to Fedora 20. If you experience different issues, please open a new bug report for those.
Patch set posted upstream accepted by net subsystem maintainer: https://lkml.org/lkml/2014/4/22/958
Moving to POST. Richard asked if we could grab this for rawhide before it hits Linus' tree. We're going to wait for it to sit in linux-next for a bit but we'll grab it in the not distant future.
Reference test program available: http://people.redhat.com/rbriggs/audit-multicast-listen/
*** Bug 1129709 has been marked as a duplicate of this bug. ***
The patches referenced in comment #11 went into the 3.16 kernel release. Those of you running rawhide or F21 should be able to play with this. F20 will get a 3.16.y rebase soon-ish. Richard, does the test application (or anything wishing to use this) require root or other special privs?
CAP_AUDIT_READ, so basically, yes, root.
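The following listener is an added example, not one of the test apps attached to this bug (which use libcap-ng and libnl-3) and not the systemd code. It does what comments #4, #5 and #17 describe with plain socket calls: drop every capability except CAP_AUDIT_READ via the raw capset(2) syscall, bind a NETLINK_AUDIT socket to the first multicast group, and parse the frames that come back. It assumes the merged 3.16 interface, where the read-only group is group 1 (AUDIT_NLGRP_READLOG in linux/audit.h, spelled out here as AUDIT_READLOG_GROUP so the file builds with older headers) and CAP_AUDIT_READ is capability number 37; the audit records in build_sample_frames are constructed sample data, not kernel output.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/capability.h>
#include <linux/netlink.h>

/* Value of AUDIT_NLGRP_READLOG in <linux/audit.h> (3.16+): the only multicast group on NETLINK_AUDIT. */
#define AUDIT_READLOG_GROUP 1
#ifndef CAP_AUDIT_READ
#define CAP_AUDIT_READ 37   /* capability number introduced with the multicast group (assumed here) */
#endif

/* sockaddr_nl.nl_groups is a bitmask: group N is bit N-1. */
static uint32_t audit_group_mask(unsigned int group)
{
    return group == 0 ? 0 : 1u << (group - 1);
}

/* Keep only CAP_AUDIT_READ in the permitted and effective sets and clear inheritable,
 * using capset(2) directly instead of libcap-ng. Returns 0 or -errno. */
static int keep_only_audit_read(void)
{
    struct __user_cap_header_struct hdr = { .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    data[CAP_AUDIT_READ / 32].permitted = 1u << (CAP_AUDIT_READ % 32);
    data[CAP_AUDIT_READ / 32].effective = data[CAP_AUDIT_READ / 32].permitted;
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -errno;
}

/* Open NETLINK_AUDIT and join the read-only group. The kernel's bind hook checks
 * CAP_AUDIT_READ, so without it bind() fails with EPERM. Returns the fd or -errno. */
static int open_audit_multicast(void)
{
    struct sockaddr_nl addr;
    int fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0)
        return -errno;
    memset(&addr, 0, sizeof addr);
    addr.nl_family = AF_NETLINK;
    addr.nl_groups = audit_group_mask(AUDIT_READLOG_GROUP);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0) {
        int err = errno;
        close(fd);
        return -err;
    }
    return fd;
}

/* Walk one recv() buffer of netlink frames. Returns the number of well-formed messages
 * and stores the type of the first in *first_type (0 if none). A frame that fails
 * NLMSG_OK (truncated or inconsistent length) ends the walk. */
static int count_netlink_msgs(void *buf, int len, uint16_t *first_type)
{
    struct nlmsghdr *nlh = buf;
    int n = 0;
    if (first_type)
        *first_type = 0;
    for (; NLMSG_OK(nlh, len); nlh = NLMSG_NEXT(nlh, len)) {
        if (n == 0 && first_type)
            *first_type = nlh->nlmsg_type;
        n++;
    }
    return n;
}

/* Append one frame shaped like the kernel's multicast output: an nlmsghdr whose payload
 * is the textual audit record. Returns the new fill level, or 0 if it does not fit. */
static size_t append_audit_frame(unsigned char *buf, size_t cap, size_t off,
                                 uint16_t type, const char *record)
{
    size_t plen = strlen(record), total = NLMSG_SPACE(plen);
    struct nlmsghdr *nlh;
    if (off + total > cap)
        return 0;
    nlh = (struct nlmsghdr *)(buf + off);
    memset(nlh, 0, total);
    nlh->nlmsg_len = NLMSG_LENGTH(plen);
    nlh->nlmsg_type = type;
    memcpy(NLMSG_DATA(nlh), record, plen);
    return off + total;
}

/* Constructed sample: the two records of one event, as a listener would receive them. */
static size_t build_sample_frames(unsigned char *buf, size_t cap)
{
    size_t off = append_audit_frame(buf, cap, 0, AUDIT_SYSCALL,
        "audit(1400000000.000:42): arch=c000003e syscall=59 success=yes exit=0");
    return off ? append_audit_frame(buf, cap, off, AUDIT_EOE, "audit(1400000000.000:42): ") : 0;
}

int main(void)
{
    unsigned char buf[8192];
    int fd, err = keep_only_audit_read();
    if (err)
        fprintf(stderr, "capset: %s (continuing with current capabilities)\n", strerror(-err));
    fd = open_audit_multicast();
    if (fd < 0) {
        fprintf(stderr, "audit multicast bind: %s%s\n", strerror(-fd),
                fd == -EPERM ? " (CAP_AUDIT_READ required)" : "");
        return 1;
    }
    for (;;) {
        ssize_t len = recv(fd, buf, sizeof buf, 0);
        struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
        if (len < 0) { perror("recv"); break; }   /* ENOBUFS means the listener fell behind */
        for (int l = (int)len; NLMSG_OK(nlh, l); nlh = NLMSG_NEXT(nlh, l))
            printf("type=%u %.*s\n", nlh->nlmsg_type,
                   (int)(nlh->nlmsg_len - NLMSG_HDRLEN), (char *)NLMSG_DATA(nlh));
    }
    close(fd);
    return 0;
}
```

Build with `gcc -Wall -W -o audit-mc-listen audit-mc-listen.c` and run it as root: capset() shrinks the process to CAP_AUDIT_READ before the socket is opened, so a successful bind shows that this single capability is sufficient, and running it unprivileged shows the EPERM the kernel returns without it. Unlike the acknowledged unicast socket described in the first comment, the group is a best-effort feed, so the receive loop treats errors as a signal that records were dropped rather than as a reason to expect retransmission.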
BTW, I have now added support for this to journald upstream: http://cgit.freedesktop.org/systemd/systemd/commit/?id=875c2e220e2611165e09051c4747971811f1de58 Works very well, but see bug 1160046.