From: Steve Grubb <sgrubb@redhat.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Richard Guy Briggs <rgb@redhat.com>, containers@lists.linux-foundation.org,
        linux-kernel@vger.kernel.org, linux-audit@redhat.com,
        eparis@parisplace.org, pmoore@redhat.com, arozansk@redhat.com,
        serge@hallyn.com, zohar@linux.vnet.ibm.com, viro@zeniv.linux.org.uk,
        linux-fsdevel@vger.kernel.org, linux-api@vger.kernel.org,
        netdev@vger.kernel.org
Subject: Re: [PATCH V6 05/10] audit: log creation and deletion of namespace instances
Date: Tue, 05 May 2015 11:16:56 -0400
Message-ID: <1782736.jR73a0QWZa@x2>
Organization: Red Hat
User-Agent: KMail/4.14.6 (Linux/3.19.5-200.fc21.x86_64; KDE/4.14.6; x86_64; ; )
In-Reply-To: <87pp6fhy4c.fsf@x220.int.ebiederm.org>
References: <cover.1429252659.git.rgb@redhat.com> <2487286.y6vyJ9A3er@x2> <87pp6fhy4c.fsf@x220.int.ebiederm.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 2808
Lines: 63

On Tuesday, May 05, 2015 09:56:03 AM Eric W. Biederman wrote:
> Steve Grubb <sgrubb@redhat.com> writes:
> > The requirements for auditing of containers should be derived from VPP. In
> > it, it asks for selectable auditing, selective audit, and selective audit
> > review. What this means is that we need the container and all its
> > children to have one identifier that is inserted into all the events that
> > are associated with the container.
> 
> That is technically impossible.  Nested containers exist.

OK, then lets talk about that, too. When something is 2 layers deep, the 
outside world cannot make sense of it. The inner one can be a loopback mounted 
file in the outer one. That means that I need the container itself to be 
responsible for events so that things are recorded using paths, uids, and pids 
that make sense to it. It can enrich the events and send them to the outer 
container.


> That is when container G is nested in container F which is in turn
> nested in container E which is in turn nested in container D which is in
> turn nested in container C which is in turn nested in container B which
> is nested in container A there is no one label you can put on audit
> messages from container G which is the ``correct'' one.
> 
> Or are you proposing that something in container G have labels
> A B C D E F G included on every audit message?

We need to have audit events to either be globally tagged so that the outside 
world understand what happening no matter how deep. Or we need each layer to 
be responsible for itself. This means having an audit rule match engine for 
each namespace like netfilter is to networking.


> That introduces enough complexity in generating and parsing the messages I
> wouldn't trust those messages as the least bug in generation and parsing
> would be a security issue.

That goes with the territory.


> What is the world is VPP?

Virtualization Protection Profile. Before people say it doesn't apply, it kind 
of does. It defines the necessary security mechanisms for either full blown 
virt like QEMU/Xen based or it gives enough wiggle room for containers and 
other types of VMs. Specifically, it defines the audit requirements needed for 
this kind of technology.


> It sounds like something non-public thing. Certainly it has never been a
> part of the public container discussion and as such it appears to be
> completely ridiculous to bring up in a public discussion.

No, its a public thing. Audit requirements start in section 5.2:

https://www.niap-ccevs.org/pp/PP_SV_V1.0/

-Steve
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/