Received: by 10.223.176.5 with SMTP id f5csp1286221wra; Fri, 2 Feb 2018 14:44:27 -0800 (PST) X-Google-Smtp-Source: AH8x2258l7as+GXVrah+GipBlmLr3kHV0KIxEVaYcEhY+YPGLJaROGfPt00W63iLdG+35hpEioSN X-Received: by 10.98.156.143 with SMTP id u15mr40979573pfk.170.1517611467106; Fri, 02 Feb 2018 14:44:27 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1517611467; cv=none; d=google.com; s=arc-20160816; b=KW0NYPBRRQakYZFXS0yI6L8cS20pJnoN6K3P7FwWVoTRZ+NB4qLOvHU+MZ9MXDQg+U glloKD2jjirHQKIIWux57AjVprrmdue2cUkXUpq5QoOhhDimudbxFQizX9lhY+1w4Rvo bKxD47LVmkuPctLpwIiBmgmjPCrloqB8mqLTQ1X/jUzQZPkS0lbX4yGWwnALeYqkrUpH TwHAHFaETuTQ8qtpXOPCSYJZEM75A2ft7c6iWBJ2ht4WypbO1WCjDoSaxDcrSRS4yviS KNwCyobYjUT2jkPfTJDRrTZJz65laejr6I6axdFQRqscZ+LmudyaNMpGOclB5ktvojyB WBfw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=qLQCftmAHT17xyI4/5oJuUyLmVuvRmynwDlg4lZVU5o=; b=U0vYSrjy4zl9CuNM8DqElY0hshP1Uq74UWAK4xWDRQrY/fOM5B72WrqgeovaZiVBHi WPyt47+2p4bMxIYiEB7hAd2l02UwfM7VYuz6lznz4Uis7E2VG9VoDvCtVZ5U81tsBxna Hzk30c4bgC4NGb7+l83m+E5WMuFUc4wsKhRs08ElxsrTovLH/JyK7WRDEMXr29BGfHE8 fFzr7a8EiHa8xf4k6Gbz2q+dwEk6mwOTJNyv523IMHCCkQjievIVBn0xDSWrKohV03Yj cua6xtueW2xRuwoDkQOCbLTbShCwpqbhwvua134nFCjTJS7kckGwTmiCMvojDGzZ2Bqe 4l+g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=lvSJbF9i; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a15si2032899pgu.722.2018.02.02.14.44.12; Fri, 02 Feb 2018 14:44:27 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=lvSJbF9i; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752448AbeBBWFd (ORCPT + 99 others); Fri, 2 Feb 2018 17:05:33 -0500 Received: from mail-lf0-f47.google.com ([209.85.215.47]:40131 "EHLO mail-lf0-f47.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752218AbeBBWFY (ORCPT ); Fri, 2 Feb 2018 17:05:24 -0500 Received: by mail-lf0-f47.google.com with SMTP id h92so33592818lfi.7 for ; Fri, 02 Feb 2018 14:05:24 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=qLQCftmAHT17xyI4/5oJuUyLmVuvRmynwDlg4lZVU5o=; b=lvSJbF9iGm06mLzRwZQA3NGrvKCm2AX1Aq6VPdljbPJPVmDd2I5YexqA7HcT5Ovu5R PoSG/DcTV1zMJBcHcNRCyjN1RvNen9+QPnUwpao79VtyrrtEFQ5FK/W2SyAeKkqY1p9p pYkZ/s95nziC0tGepWOXbZ4pfxDV0Fgz1Lq5149k8D4N54vL7dMwu2ZkMa7zLcU62q2a Pb/I2Ur4RpAoZJvOi0WxfQS9lOxJq+9Pd1yfAGYq60tj0XCJjNTS0lOlUEiGG15X9CeH JCH/SN93l5xofgRucS3Al09PcKblG2DPC7+jsfRm8qW71WMsb+tPT32V+4eeOicFWZyH R4Hg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=qLQCftmAHT17xyI4/5oJuUyLmVuvRmynwDlg4lZVU5o=; b=sU9mcQaIf6mER4FWRkYg6PA4Mc0fk6nrc1wHql1mrabydwvJ+98T0ZDGpFjGUk2wYA wTVCFIijm7jojR5gZC4JncrFFOArCaArg3pLUR0++vSkNjP9E5Cy5najLaZqix+1i6pp sgGm3lIt1RkZYqDkJ+mpwuamOmP1yMZJ65MDRS6mrx3l4xT32ED7YPIB/x+L49wn+5gv 5qapw+FjnSI/BgGteF6hHc+wILeSKoPv4QPWUIh4VQEYsPkdh42NSBaIVBCdaPurWNj4 n3kJZXtb/0MuUhJJXzvXY/ztxCtHZcf1pV5Z1hOTJ/iAz59tmcNlpntaYZEErz+leT24 NXmg== X-Gm-Message-State: AKwxytcAEBftG7Sj+AsOtQlsUerPhl+KnWyPijvJATHT4D5gVGgH6eSO r2jXLmqIElABGMxF0k/gdwwmA526EzTNK97b+gxj X-Received: by 10.25.219.206 with SMTP id t75mr26686521lfi.125.1517609123216; Fri, 02 Feb 2018 14:05:23 -0800 (PST) MIME-Version: 1.0 Received: by 10.25.216.145 with HTTP; Fri, 2 Feb 2018 14:05:22 -0800 (PST) X-Originating-IP: [108.20.156.165] In-Reply-To: <20180109121620.wi7dq2423ugsraqv@madcap2.tricolour.ca> References: <20180109121620.wi7dq2423ugsraqv@madcap2.tricolour.ca> From: Paul Moore Date: Fri, 2 Feb 2018 17:05:22 -0500 Message-ID: Subject: Re: RFC(V3): Audit Kernel Container IDs To: Richard Guy Briggs Cc: cgroups@vger.kernel.org, Linux Containers , Linux API , Linux Audit , Linux FS Devel , Linux Kernel , Linux Network Development , mszeredi@redhat.com, Andy Lutomirski , jlayton@redhat.com, "Carlos O'Donell" , Al Viro , David Howells , Simo Sorce , trondmy@primarydata.com, Eric Paris , "Serge E. Hallyn" , "Eric W. Biederman" Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jan 9, 2018 at 7:16 AM, Richard Guy Briggs wrote: > Containers are a userspace concept. The kernel knows nothing of them. > > The Linux audit system needs a way to be able to track the container > provenance of events and actions. Audit needs the kernel's help to do > this. Two small comments below, but I tend to think we are at a point where you can start cobbling together some prototype/RFC patches. Surely there are going to be a few changes, and new comments, that come out once we see an initial implementation so let's see what those are. > The registration is a u64 representing the audit container identifier > written to a special file in a pseudo filesystem (proc, since PID tree > already exists) representing a process that will become a parent process > in that container. This write might place restrictions on mount > namespaces required to define a container, or at least careful checking > of namespaces in the kernel to verify permissions of the orchestrator so > it can't change its own container ID. A bind mount of nsfs may be > necessary in the container orchestrator's mount namespace. This write > can only happen once per process. > > Note: The justification for using a u64 is that it minimizes the > information printed in every audit record, reducing bandwidth and limits > comparisons to a single u64 which will be faster and less error-prone. I know Steve generally worries about audit record size, which is a perfectly valid concern in this case, I also worry about the additional overhead when we start routing audit records to multiple audit daemons (see my other emails in this thread). > ... > When a container ceases to exist because the last process in that > container has exited log the fact to balance the registration action. > (This is likely needed for certification accountability.) On the "container ceases to exist" point, I expect this "container dead" message to come from the orchestrator and not the kernel itself (I don't want the kernel to have to handle that level of bookkeeping). I imagine this should be similar to what is done for VM auditing with libvirt. -- paul moore www.paul-moore.com