Bug 947530 - audit pid namespace is too restrictive
Status: ASSIGNED
Product: Fedora
Classification: Fedora
Component: kernel
rawhide
Unspecified Linux
unspecified Severity unspecified
Assigned To: Richard Guy Briggs
Fedora Extras Quality Assurance
Keywords: FutureFeature
Blocks: 1010455
Reported: 2013-04-02 12:37 EDT by Richard Guy Briggs
Modified: 2015-10-21 07:07 EDT
Doc Type: Enhancement
Clones: 1010455
Type: Bug
External Trackers:
Tracker | ID | Priority | Status | Summary | Last Updated
Launchpad | 1160372 | None | None | None | Never

Description Richard Guy Briggs 2013-04-02 12:37:33 EDT
Description of problem:
The check for current vs. initial pid namespace (and likely user namespace) in the audit subsystem causes permission problems for applications using namespaces.  The check was initially intended to protect the audit code from namespace errors, but it would seem the correct way would be to translate those namespaces rather than returning an error.


Version-Release number of selected component (if applicable):
linux-kernel 3.8 (plus Ubuntu 13.04 patches)


How reproducible:
Always


Steps to Reproduce:
1. See https://bugs.launchpad.net/ubuntu/+source/vsftpd/+bug/1160372
Actual results:
-EPERM


Expected results:
Success


Comment 1 Richard Guy Briggs 2013-04-02 12:41:46 EDT
It is suspected this is the commit responsible (eparis):
commit 34e36d8ecbd958bc15f8e63deade1227de337eb1
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Mon Sep 10 23:20:20 2012 -0700
audit: Limit audit requests to processes in the initial pid and user namespaces.
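An added example, not part of the original bug thread or of the kernel source: a userspace diagnostic that reports whether the calling process sits in the initial pid and user namespaces, which is the condition the commit subject above describes. The function names and the `audit_ns_check` model are assumptions made for illustration; the two inode values are the numbers the kernel reserves for the initial pid and user namespaces.

```c
/* Added example: userspace model of the restriction described in this bug. */
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>

/* Inode numbers the kernel reserves for the initial namespaces
 * (PROC_PID_INIT_INO and PROC_USER_INIT_INO in the kernel headers). */
#define PID_INIT_INO  0xEFFFFFFCUL
#define USER_INIT_INO 0xEFFFFFFDUL

/* Inode behind a /proc/<pid>/ns/<type> link, or 0 if it cannot be read. */
unsigned long ns_inode(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (unsigned long)st.st_ino : 0;
}

/* Assumed model of the check: 0 only when both namespaces are the initial
 * ones, otherwise -EPERM (the "Actual results" reported in this bug). */
int audit_ns_check(unsigned long pid_ino, unsigned long user_ino)
{
    if (pid_ino != PID_INIT_INO || user_ino != USER_INIT_INO)
        return -EPERM;
    return 0;
}

/* Which namespace caused the refusal, for a diagnostic message. */
const char *audit_ns_reason(unsigned long pid_ino, unsigned long user_ino)
{
    if (pid_ino == 0 || user_ino == 0)
        return "namespace links unreadable";
    if (pid_ino != PID_INIT_INO)
        return "non-initial pid namespace";
    if (user_ino != USER_INIT_INO)
        return "non-initial user namespace";
    return "initial namespaces";
}

int main(void)
{
    unsigned long p = ns_inode("/proc/self/ns/pid");
    unsigned long u = ns_inode("/proc/self/ns/user");
    printf("pid ns inode=%lu, user ns inode=%lu: %s -> %s\n", p, u,
           audit_ns_reason(p, u),
           audit_ns_check(p, u) == 0 ? "audit request accepted" : "-EPERM");
    return 0;
}
```

Run inside the sandboxed or containerized service that fails to log audit messages; a "non-initial" result points at this restriction rather than at a missing capability.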
Comment 2 Richard Guy Briggs 2013-08-21 11:12:33 EDT
2013-08-06: started work on this
2013-08-20: Posted a 12-patch set RFC to linux-audit and lkml:
  https://lkml.org/lkml/2013/8/20/638
  https://www.redhat.com/archives/linux-audit/2013-August/thread.html
Comment 3 Josh Boyer 2013-09-18 16:51:10 EDT
*********** MASS BUG UPDATE **************

We apologize for the inconvenience.  There is a large number of bugs to go through and several of them have gone stale.  Due to this, we are doing a mass bug update across all of the Fedora 19 kernel bugs.

Fedora 19 has now been rebased to 3.11.1-200.fc19.  Please test this kernel update and let us know if your issue has been resolved or if it is still present with the newer kernel.

If you experience different issues, please open a new bug report for those.
Comment 4 Justin M. Forbes 2014-01-03 17:08:03 EST
*********** MASS BUG UPDATE **************

We apologize for the inconvenience.  There is a large number of bugs to go through and several of them have gone stale.  Due to this, we are doing a mass bug update across all of the Fedora 19 kernel bugs.

Fedora 19 has now been rebased to 3.12.6-200.fc19.  Please test this kernel update (or newer) and let us know if your issue has been resolved or if it is still present with the newer kernel.

If you have moved on to Fedora 20, and are still experiencing this issue, please change the version to Fedora 20.

If you experience different issues, please open a new bug report for those.
Comment 5 Justin M. Forbes 2014-02-24 08:57:52 EST
*********** MASS BUG UPDATE **************

We apologize for the inconvenience.  There is a large number of bugs to go through and several of them have gone stale.  Due to this, we are doing a mass bug update across all of the Fedora 20 kernel bugs.

Fedora 20 has now been rebased to 3.13.4-200.fc20.  Please test this kernel update and let us know if your issue has been resolved or if it is still present with the newer kernel.

If you experience different issues, please open a new bug report for those.
Comment 6 Richard Guy Briggs 2014-09-19 18:02:47 EDT
2014-04-12: merged by Linus upstream
        5a3cb3b audit: allow user processes to log from another PID namespace
        f1dc486 audit: anchor all pid references in the initial pid namespace
        c92cdeb audit: convert PPIDs to the inital PID namespace.
        ad36d28 pid: get pid_t ppid of task in init_pid_ns

2014-04-13:
        Linux 3.15-rc1
Comment 7 Paul Moore 2014-11-06 21:13:58 EST
So it looks like this is resolved upstream and we can close this BZ, yes?
Comment 8 Richard Guy Briggs 2014-11-12 17:33:22 EST
The reason I have left it open is because I still have a couple of
related patchsets outstanding.  One is a conversion of the kernel audit
code from pid_t to struct pid.  The other is enhancements to the sched
subsystem to support more certainty in recording pid numbers.  Both have
been posted upstream, but needed some more work which has mostly been
done.  It just needs rebasing, light testing and reposting.
Comment 9 Jaroslav Reznik 2015-03-03 11:52:23 EST
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22
Comment 10 Justin M. Forbes 2015-10-20 15:32:09 EDT
*********** MASS BUG UPDATE **************

We apologize for the inconvenience.  There is a large number of bugs to go through and several of them have gone stale.  Due to this, we are doing a mass bug update across all of the Fedora 22 kernel bugs.

Fedora 22 has now been rebased to 4.2.3-200.fc22.  Please test this kernel update (or newer) and let us know if your issue has been resolved or if it is still present with the newer kernel.

If you have moved on to Fedora 23, and are still experiencing this issue, please change the version to Fedora 23.

If you experience different issues, please open a new bug report for those.
Comment 11 Paul Moore 2015-10-20 17:38:01 EDT
Moving to Rawhide to avoid Fedora MASS BUG UPDATEs.