Received: by 10.223.176.5 with SMTP id f5csp982181wra; Sat, 3 Feb 2018 15:06:24 -0800 (PST) X-Google-Smtp-Source: AH8x224yxaSs/RSnLmUKm/ucJyGAIBEW1V44xXue0kFS5MpkNm40ky1Gnuyw04lK56f66w/U3+MX X-Received: by 10.101.66.72 with SMTP id d8mr8466735pgq.211.1517699184000; Sat, 03 Feb 2018 15:06:24 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1517699183; cv=none; d=google.com; s=arc-20160816; b=HvgdtOHH+qwHWP4rzm41+pmA67jJzsgTLGw+i6eQ5xpFTdOvVeFj16sKhYDI9h7G3C 9FK6oByRfg+Ny1rtlFgEGM9p640OIJdFpfbltWOXrhvxRseyY4di2D7pQ9CXj4gC6Yse 2W58cKOLyGUIDubZFrm3h37RuPi3Q4bJag7mf9QBc9iNOawyx1JTtkwqgxSLmgKObkTD 0TLYSarHEiVfq5ULQrvZrZeSmwVO/Wdw85e+XG0ca4ot0mv11uVmXQ2kqpV0z1hTK9DC gJTaHZkTwcVih0XIFgCq3wBIenYEYoR9Gwg+rD3iMdzHMxY5QFw5QtV1EtgGT2t3vLgu LC6w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-language :content-transfer-encoding:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature :arc-authentication-results; bh=IYM5o3W8G6E4WvA15s1KEpEQwKD6nfM3aPcAvHV9CMc=; b=U7kMCEoVvkC08UBFt+XCt1/y/PkqCH/fdDhCM6lZ7CxdOMKRlbOBxaU2SkxYMWoXPZ LBK6XzT1ziyycg708M4XJnOeUdB3l7hLY4i+1U6cLkhl9LwxgE9JHXivlpynZ6VNDkiM OPujA71LaflysZ0m60NSSoxdNUAF5dO7B43GyR64eTqGjfItSvhq4Ua4myWA9QDxdvnA lCODIDsYbA2OmNJMQGkwByy1fFwIiUjYBctN+s0LBApHMfJ0HAZe/zt/LElpdwtET/eW o9zqcb9Gg9WGbTGRNLNFcCrtRnH4Wr0fh5sq1T6PcQJPxvGYzeJ6doqN7oeu40pl1o/c X3Sw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@yahoo.com header.s=s2048 header.b=PzoHyIIh; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id r14si359772pgs.213.2018.02.03.15.06.09; Sat, 03 Feb 2018 15:06:23 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@yahoo.com header.s=s2048 header.b=PzoHyIIh; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752922AbeBCTFf (ORCPT + 99 others); Sat, 3 Feb 2018 14:05:35 -0500 Received: from sonic310-20.consmr.mail.bf2.yahoo.com ([74.6.135.194]:33755 "EHLO sonic310-20.consmr.mail.bf2.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752742AbeBCTF3 (ORCPT ); Sat, 3 Feb 2018 14:05:29 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1517684728; bh=IYM5o3W8G6E4WvA15s1KEpEQwKD6nfM3aPcAvHV9CMc=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; b=PzoHyIIhx5F/B9/KQ53a4DvmqxMwyUF8FqCrygRT8iIGN2pqlZeV/w1ira0F237WEXW39V5OC0CSwSXF/xaqxv2DBiDye3SqJoQoZehZq8t0+I5Tz28Pv55os/gCOq6XJHZ6K71tGp28gULVFKu03Wf0LPRmJu3732LChrTKi9q7dD7JKlj36rENq9Ob6Blo6M/woRn7nd55iBQ7I8CaWNpkaI3PMnrMlNubBQN/fSaYvTZWziiSH76NTQ9wf6W7jRvUrHs8v32xwvCeEP5kDIwZXKVWK48I3TH7MzsfdFgVwfOYZllqiBNXlVboKFHmC2MGkVxqalefTz1mhgwW+Q== X-YMail-OSG: F7baoloVM1myCEmdL_WD7WuXjeZG2.XiWJX03AbeYUwZR2GJ.FnhMscFwX94jmL mYN8X0Ztj1RMSrL.2.P4SeEQ_qY28k_Xr0AEWCgBjbDABNEMLayDn6X63YFFtgwmRV79l9xK3iK4 x7GmJxA8a9CkyhPJ8m1kFKdWGDAX49UU3PWVqDmKFDXxzSTe2kESv0VcnBeIsT2BzJ79G3cml7wC Vo_prc5IHycmMR9rtWMrJCHYc_Z0cM32gyehTQIh7CeRPoWiSHiEiQS0wx6b71bq6zQFv4p572fc IPNXpwMYW0Imks.hrfUKUs8hNon71J_z8LxsNJDLhYKyZcbM3tRkWNslhWXErEy1bjk8sgantDuV bTeVeJCVZjRDucn9NSZtxt3yyFjUkZSGkZKdP0brI81vpGKaBhngT36HTwvHmz.OE.zza49ngv.N uLt8BLqiOTH679Irx9wut1dyJt7PV1enCmlO4nt9XCMP5xp7aB3wO6k_iF6wryNf0rgAKBY1DZwl eg1dN0IhIU7l7nO7ay1E- Received: from sonic.gate.mail.ne1.yahoo.com by sonic310.consmr.mail.bf2.yahoo.com with HTTP; Sat, 3 Feb 2018 19:05:28 +0000 Received: from smtp105.rhel.mail.bf1.yahoo.com (EHLO [192.168.0.104]) ([98.139.231.38]) by smtp408.mail.bf1.yahoo.com (JAMES SMTP Server ) with ESMTPA ID 473c9e1dd75d00ccb0d69b913e3e4791; Sat, 03 Feb 2018 19:05:27 +0000 (UTC) Subject: Re: RFC(V3): Audit Kernel Container IDs To: Paul Moore , Simo Sorce Cc: mszeredi@redhat.com, "Eric W. Biederman" , jlayton@redhat.com, Richard Guy Briggs , Linux API , Linux Containers , Linux Kernel , Eric Paris , David Howells , Carlos O'Donell , Linux Audit , Al Viro , Andy Lutomirski , cgroups@vger.kernel.org, Linux FS Devel , trondmy@primarydata.com, Linux Network Development , "Serge E. Hallyn" References: <20180109121620.wi7dq2423ugsraqv@madcap2.tricolour.ca> <1515514736.3239.10.camel@redhat.com> <20180110070011.l4rcdcwb27witfem@madcap2.tricolour.ca> <1517609946.13097.161.camel@redhat.com> From: Casey Schaufler Message-ID: Date: Sat, 3 Feb 2018 11:05:22 -0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Content-Language: en-US Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2/2/2018 3:24 PM, Paul Moore wrote: > On Fri, Feb 2, 2018 at 5:19 PM, Simo Sorce wrote: >> On Fri, 2018-02-02 at 16:24 -0500, Paul Moore wrote: >>> On Wed, Jan 10, 2018 at 2:00 AM, Richard Guy Briggs wrote: >>>> On 2018-01-09 11:18, Simo Sorce wrote: >>>>> On Tue, 2018-01-09 at 07:16 -0500, Richard Guy Briggs wrote: > .. > >>>> Paul, can you justify this somewhat larger inconvenience for some >>>> relatively minor convenience on our part? >>> Done in direct response to Simo. >> Sorry but your response sounds more like waving away then addressing >> them, the excuse being: we can't please everyone, so we are going to >> please no one. > I obviously disagree with the take on my comments but you're free to > your opinion. > > I believe saying we are pleasing no one isn't really fair now is it? > Is there any type of audit container ID now? How would you go about > associating audit events with containers now? (spoiler alert: it ain't > pretty, and there are gaps I don't believe you can cover) This > proposal provides a mechanism to do this in a way that isn't tied to > any one particular concept of a container and is manageable inside the > kernel. > > If you have a need to track audit events for containers, I find it > extremely hard to believe that you are not at least partially pleased > by the solutions presented here. It may not be everything on your > wishlist, but when did you ever get *everything* on your wishlist? I am going to back Paul 100% on this point. The container community's emphatic position that containers are strictly a user-space construct makes it impossible for the kernel to provide any data more sophisticated than an integer, and any processing based on that data cleverer than a check for equality. >>> But to be clear Richard, we've talked about this a few times, it's not >>> a "minor convenience" on our part, it's a pretty big convenience once >>> we starting having to route audit events and make decisions based on >>> the audit container ID information. Audit performance is less than >>> awesome now, I'm working hard to not make it worse. >> Sounds like a security vs performance trade off to me. Without the kernel having a "container" policy to work with there is no "security" it can possibly enforce. > Welcome to software development. It's generally a pretty terrible > hobby and/or occupation, but we make up for it with long hours and > endless frustration. > >>>> u64 vs u128 is easy for us to >>>> accomodate in terms of scalar comparisons. It doubles the information >>>> in every container id field we print in audit records. >>> ... and slows down audit container ID checks. >> Are you saying a cmp on a u128 is slower than a comparison on a u64 and >> this is something that will be noticeable ? > Do you have a 128 bit system? I don't. I've got a bunch of 64 bit > systems, and a couple of 32 bit systems too. People that use audit > have a tendency to really hammer on it, to the point that we get > performance complaints on a not infrequent basis. I don't know the > exact number of times we are going to need to check the audit > container ID, but it's reasonable to think that we'll expose it as a > filter-able field which adds a few checks, we'll use it for record > routing so that's a few more, and if we're running multiple audit > daemons we will probably want to include LSM checks which could result > in a few more audit container ID checks. If it was one comparison I > wouldn't be too worried about it, but the point I'm trying to make is > that we don't know what the implementation is going to look like yet > and I suspect this ID is going to be leveraged in several places in > the audit subsystem and I would much rather start small to save > headaches later. > > We can always expand the ID to a larger integer at a later date, but > we can't make it smaller. > >>>> A c36 is a bigger step. >>> Yeah, we're not doing that, no way. >> Ok, I can see your point though I do not agree with it. >> >> I can see why you do not want to have arbitrary length strings, but a >> u128 sounded like a reasonable compromise to me as it has enough room >> to be able to have unique cluster-wide IDs which a u64 definitely makes >> a lot harder to provide w/o tight coordination. > I originally wanted it to be a 32-bit integer, but Richard managed to > talk me into 64-bits, that was my compromise :) > > As I said earlier, if you are doing container auditing you're going to > need coordination with the orchestrator, regardless of the audit > container ID size. >