Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1759765AbbEEQJr (ORCPT ); Tue, 5 May 2015 12:09:47 -0400 Received: from mx1.redhat.com ([209.132.183.28]:51731 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2993346AbbEEPQ5 (ORCPT ); Tue, 5 May 2015 11:16:57 -0400 From: Steve Grubb To: "Eric W. Biederman" Cc: Richard Guy Briggs , containers@lists.linux-foundation.org, linux-kernel@vger.kernel.org, linux-audit@redhat.com, eparis@parisplace.org, pmoore@redhat.com, arozansk@redhat.com, serge@hallyn.com, zohar@linux.vnet.ibm.com, viro@zeniv.linux.org.uk, linux-fsdevel@vger.kernel.org, linux-api@vger.kernel.org, netdev@vger.kernel.org Subject: Re: [PATCH V6 05/10] audit: log creation and deletion of namespace instances Date: Tue, 05 May 2015 11:16:56 -0400 Message-ID: <1782736.jR73a0QWZa@x2> Organization: Red Hat User-Agent: KMail/4.14.6 (Linux/3.19.5-200.fc21.x86_64; KDE/4.14.6; x86_64; ; ) In-Reply-To: <87pp6fhy4c.fsf@x220.int.ebiederm.org> References: <2487286.y6vyJ9A3er@x2> <87pp6fhy4c.fsf@x220.int.ebiederm.org> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2808 Lines: 63 On Tuesday, May 05, 2015 09:56:03 AM Eric W. Biederman wrote: > Steve Grubb writes: > > The requirements for auditing of containers should be derived from VPP. In > > it, it asks for selectable auditing, selective audit, and selective audit > > review. What this means is that we need the container and all its > > children to have one identifier that is inserted into all the events that > > are associated with the container. > > That is technically impossible. Nested containers exist. OK, then lets talk about that, too. When something is 2 layers deep, the outside world cannot make sense of it. The inner one can be a loopback mounted file in the outer one. That means that I need the container itself to be responsible for events so that things are recorded using paths, uids, and pids that make sense to it. It can enrich the events and send them to the outer container. > That is when container G is nested in container F which is in turn > nested in container E which is in turn nested in container D which is in > turn nested in container C which is in turn nested in container B which > is nested in container A there is no one label you can put on audit > messages from container G which is the ``correct'' one. > > Or are you proposing that something in container G have labels > A B C D E F G included on every audit message? We need to have audit events to either be globally tagged so that the outside world understand what happening no matter how deep. Or we need each layer to be responsible for itself. This means having an audit rule match engine for each namespace like netfilter is to networking. > That introduces enough complexity in generating and parsing the messages I > wouldn't trust those messages as the least bug in generation and parsing > would be a security issue. That goes with the territory. > What is the world is VPP? Virtualization Protection Profile. Before people say it doesn't apply, it kind of does. It defines the necessary security mechanisms for either full blown virt like QEMU/Xen based or it gives enough wiggle room for containers and other types of VMs. Specifically, it defines the audit requirements needed for this kind of technology. > It sounds like something non-public thing. Certainly it has never been a > part of the public container discussion and as such it appears to be > completely ridiculous to bring up in a public discussion. No, its a public thing. Audit requirements start in section 5.2: https://www.niap-ccevs.org/pp/PP_SV_V1.0/ -Steve -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/