Description of problem:
The check for current vs. initial pid namespace (and likely user namespace) in the audit subsystem causes permission problems for applications using namespaces. The check was initially intended to protect the audit code from namespace errors, but it would seem the correct way would be to translate those namespaces rather than returning an error.

Version-Release number of selected component (if applicable):
linux-kernel 3.8 (plus Ubuntu 13.04 patches)

How reproducible:
Always

Steps to Reproduce:
1. See https://bugs.launchpad.net/ubuntu/+source/vsftpd/+bug/1160372

Actual results:
-EPERM

Expected results:
Success

Additional info:
It is suspected this is the commit responsible (eparis):

commit 34e36d8ecbd958bc15f8e63deade1227de337eb1
Author: Eric W. Biederman <ebiederm>
Date: Mon Sep 10 23:20:20 2012 -0700

    audit: Limit audit requests to processes in the initial pid and user namespaces.
2013-08-06: started work on this
2013-08-20: Posted a 12-patch set RFC to linux-audit and lkml:
https://lkml.org/lkml/2013/8/20/638
https://www.redhat.com/archives/linux-audit/2013-August/thread.html
*********** MASS BUG UPDATE ************** We apologize for the inconvenience. There is a large number of bugs to go through and several of them have gone stale. Due to this, we are doing a mass bug update across all of the Fedora 19 kernel bugs. Fedora 19 has now been rebased to 3.11.1-200.fc19. Please test this kernel update and let us know if your issue has been resolved or if it is still present with the newer kernel. If you experience different issues, please open a new bug report for those.
*********** MASS BUG UPDATE ************** We apologize for the inconvenience. There is a large number of bugs to go through and several of them have gone stale. Due to this, we are doing a mass bug update across all of the Fedora 19 kernel bugs. Fedora 19 has now been rebased to 3.12.6-200.fc19. Please test this kernel update (or newer) and let us know if your issue has been resolved or if it is still present with the newer kernel. If you have moved on to Fedora 20, and are still experiencing this issue, please change the version to Fedora 20. If you experience different issues, please open a new bug report for those.
*********** MASS BUG UPDATE ************** We apologize for the inconvenience. There is a large number of bugs to go through and several of them have gone stale. Due to this, we are doing a mass bug update across all of the Fedora 20 kernel bugs. Fedora 20 has now been rebased to 3.13.4-200.fc20. Please test this kernel update and let us know if your issue has been resolved or if it is still present with the newer kernel. If you experience different issues, please open a new bug report for those.
2014-04-12: merged by Linus upstream
5a3cb3b audit: allow user processes to log from another PID namespace
f1dc486 audit: anchor all pid references in the initial pid namespace
c92cdeb audit: convert PPIDs to the inital PID namespace.
ad36d28 pid: get pid_t ppid of task in init_pid_ns
2014-04-13: Linux 3.15-rc1
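The difference between rejecting a sender outside the initial pid namespace and translating its pid into that namespace, as an added user-space illustration (not code from this bug, the patch set or the kernel). The structures, function names and pid values are all hypothetical and constructed for the example.

```c
#include <errno.h>
#include <stdio.h>

/* Simplified user-space model, not kernel code. All names are hypothetical. */
struct pid_ns { int level; struct pid_ns *parent; };
struct upid { int nr; struct pid_ns *ns; };
#define MAX_LEVEL 4
/* One process has one number per namespace level, from init (0) downwards. */
struct model_pid { int level; struct upid numbers[MAX_LEVEL]; };

static struct pid_ns init_ns = { 0, NULL };
static struct pid_ns container_ns = { 1, &init_ns };

/* Constructed sample tasks: one on the host, one inside a child namespace. */
static struct model_pid host_task = { 0, { { 310, &init_ns } } };
static struct model_pid container_task =
    { 1, { { 4242, &init_ns }, { 1, &container_ns } } };

/* Number of p as seen from ns, or 0 when p is not visible from ns. */
static int pid_nr_in(const struct model_pid *p, const struct pid_ns *ns)
{
    if (ns->level <= p->level && p->numbers[ns->level].ns == ns)
        return p->numbers[ns->level].nr;
    return 0;
}

/* Reported behaviour: refuse any sender outside the initial pid namespace. */
int audit_pid_reject(const struct model_pid *sender)
{
    const struct pid_ns *cur = sender->numbers[sender->level].ns;
    if (cur != &init_ns)
        return -EPERM;
    return sender->numbers[sender->level].nr;
}

/* Requested behaviour: accept the sender, record its initial-namespace pid. */
int audit_pid_translate(const struct model_pid *sender)
{
    int nr = pid_nr_in(sender, &init_ns);
    return nr ? nr : -ESRCH;
}

int main(void)
{
    printf("host:      reject=%d translate=%d\n",
           audit_pid_reject(&host_task), audit_pid_translate(&host_task));
    printf("container: reject=%d translate=%d\n",
           audit_pid_reject(&container_task), audit_pid_translate(&container_task));
    return 0;
}
```

In the model, the containerized task sees itself as pid 1, but the record anchored in the initial namespace carries 4242, which stays unambiguous for a log consumer on the host.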
So it looks like this is resolved upstream and we can close this BZ, yes?
The reason I have left it open is because I still have a couple of related patchsets outstanding. One is a conversion of the kernel audit code from pid_t to struct pid. The other is enhancements to the sched subsystem to support more certainty in recording pid numbers. Both have been posted upstream, but needed some more work which has mostly been done. It just needs rebasing, light testing and reposting.
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle. Changing version to '22'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22
*********** MASS BUG UPDATE ************** We apologize for the inconvenience. There is a large number of bugs to go through and several of them have gone stale. Due to this, we are doing a mass bug update across all of the Fedora 22 kernel bugs. Fedora 22 has now been rebased to 4.2.3-200.fc22. Please test this kernel update (or newer) and let us know if your issue has been resolved or if it is still present with the newer kernel. If you have moved on to Fedora 23, and are still experiencing this issue, please change the version to Fedora 23. If you experience different issues, please open a new bug report for those.
Moving to Rawhide to avoid Fedora MASS BUG UPDATEs.
I can't help but wonder if we should transfer this to GitHub and close out this BZ. I'll understand if you don't want to bother with the hassle, but thought it was worth mentioning/asking.

* https://github.com/linux-audit/audit-kernel/issues
(In reply to Paul Moore from comment #12)
> I can't help but wonder if we should transfer this to GitHub and close out
> this BZ. I'll understand if you don't want to bother with the hassle, but
> thought it was worth mentioning/asking.

You have addressed the pid_t to struct pid conversion issues mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=947530#c8 with the upstream commit b6c7c11 ("audit: store the auditd PID as a pid struct instead of pid_t"). The one issue that remains is enhancements to the sched subsystem to support more certainty in recording pid numbers. I'll close this and start a fresh issue just for that.

Here's the new issue: https://github.com/linux-audit/audit-kernel/issues/56