Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp6487042ybi; Wed, 29 May 2019 08:30:56 -0700 (PDT) X-Google-Smtp-Source: APXvYqxgWeDTpTnNENehzOBh8h4VXR+u76bGPLsdpqXvfLn4FRUfj3QJEyaYezOLniFCzTJ6x44T X-Received: by 2002:a17:90a:aa81:: with SMTP id l1mr12504516pjq.55.1559143856711; Wed, 29 May 2019 08:30:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1559143856; cv=none; d=google.com; s=arc-20160816; b=D8vgaDJJrEZurt8R8nQL26Gsfv8pfWwGibJRl70EGakZy76JQsn4jfr5+lTK+czEi7 iAxI5fgDQkP6faHb7eB5qXiIDyzUykPrvgcjiV/edXWQjz/vTxpoRv+ASxjTEHfddNOq OMdTWtXB2WgsNMRF9cGIdwjLjtRI170873yv1ybjuSl6mrczH9n31gMOH9g04L6LRSah 7I3NPlOGqXKQ+SGphwWusqazXAVZgVkhCsaLg++Uo2zL2oqqSPGvioHvcbprnob/EhAg KjK2W6z/pQKjzZl+yZSV+pxskS7QtoxgTtInwzK6aEpOAcE1SKRQrqtIQrgeDjSpr3d7 8t0Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=zGaoYWpZqQThaCeamoLFUvuaep53rUnIcLcyCp5w/vg=; b=rB8TuCbsMNnaIfyRmuK3IG+c0vZgf7Cb7RIdjBHntVZsY7pJCCeCx0GO6s+cSuC4PI lU4+3vDiZugFbjEoBeYe8/alAxwmKk9vq64oBDrz0+3eLvXkVRZuq319W8taDRISuPRq m7mPOttVYCxVqHPzdFjRMW+oLKEy7MI+4ESi8N4Up89nl5rvLCoeJSFzM4A7VP7j2VOk K7YiwUR8Cj+6coFEZv6rpXgNtYDxKB/de6z+xTnGM3A/ty8sU5qEt7w2dA3lRDKVMApa PrxoJ/ff8CxCuDcAMe113sNpo95DfOW8M/HIS1BLUDqy1MVRLat5ZqD/m0Za9+4qUgkk nK5A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=K16i45JT; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h9si3795721pgq.539.2019.05.29.08.30.36; Wed, 29 May 2019 08:30:56 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=K16i45JT; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726062AbfE2P3U (ORCPT + 99 others); Wed, 29 May 2019 11:29:20 -0400 Received: from mail-lj1-f193.google.com ([209.85.208.193]:35246 "EHLO mail-lj1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726162AbfE2P3T (ORCPT ); Wed, 29 May 2019 11:29:19 -0400 Received: by mail-lj1-f193.google.com with SMTP id h11so2933956ljb.2 for ; Wed, 29 May 2019 08:29:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=zGaoYWpZqQThaCeamoLFUvuaep53rUnIcLcyCp5w/vg=; b=K16i45JTnOhNMfVGcEM3dEc/HE4jxUF98k+I1d4LAg3DOuRJvQylZri7olnMGkge0H 4u/1DHCKb96WcllkEwg/MgRcL7L1CCWB/hO2xL6zPqW540FOdvpqq8ULGBnZRtoyr3fP /dGrfil607dUvRtiW7bu8V4ywrGKbWRLqU6mf6azB7C8mCUui5dBAoSANEn7un7OuRYk IqepsvKsbnqV/1oKEERjHclI3LARwVOrafGfm/8g8m245GMvIADoi+bQuHeE9itYkX84 p6l1akwBNRSzQLd+wftooHrEfiVN9zwWBxGF+rHhkqPeWkDXyPffgp3T4WNSYiCr0lTu +NzA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=zGaoYWpZqQThaCeamoLFUvuaep53rUnIcLcyCp5w/vg=; b=Sf7mZnWOfQTmVx87QrZz3SwM/qG223Ad0AwZ0GhuabnEqOxZsabKUwYpTV1CR0Oo7A GkP7tXAANEsVNS1XrijdQhrX+soWtJL2JY/EaZ6PRt9t0Ba0amoqpD628pe4D/K7MuIp 2DnSx0d3WK1E2SgrRO8SUGRRcPxwhLW7SwX/VipN4U5+jsaP8iB+fLBfhhduk1jJ17sD 0vJBUNzi+u07NoCNdtuDWksIGYjMxiHU7X6s2ERhZVjAyuN2DoaVGVbSGEl8E2tuXzyp Oxt7k553NUXkX4w28tbv2tXRILkM9TxtSaljFmCyNvB9zv8jwV5xwul3k59FDsqaHEDf 6AzA== X-Gm-Message-State: APjAAAUPLoQj254HHdkhdwmX9fDyrrZ4PUyRVGApOgFvKPWUXsPQYF8y lHXi0+cURAlkh7Yl/nJ8O+nxLDlo+tKCw1BTOfGO X-Received: by 2002:a2e:92cc:: with SMTP id k12mr2501807ljh.16.1559143756865; Wed, 29 May 2019 08:29:16 -0700 (PDT) MIME-Version: 1.0 References: <9edad39c40671fb53f28d76862304cc2647029c6.1554732921.git.rgb@redhat.com> <20190529145742.GA8959@cisco> In-Reply-To: <20190529145742.GA8959@cisco> From: Paul Moore Date: Wed, 29 May 2019 11:29:05 -0400 Message-ID: Subject: Re: [PATCH ghak90 V6 02/10] audit: add container id To: Tycho Andersen Cc: Richard Guy Briggs , containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List , linux-fsdevel@vger.kernel.org, LKML , netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, sgrubb@redhat.com, omosnace@redhat.com, dhowells@redhat.com, simo@redhat.com, Eric Paris , Serge Hallyn , ebiederm@xmission.com, nhorman@tuxdriver.com Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, May 29, 2019 at 10:57 AM Tycho Andersen wrote: > > On Mon, Apr 08, 2019 at 11:39:09PM -0400, Richard Guy Briggs wrote: > > It is not permitted to unset the audit container identifier. > > A child inherits its parent's audit container identifier. > > ... > > > /** > > + * audit_set_contid - set current task's audit contid > > + * @contid: contid value > > + * > > + * Returns 0 on success, -EPERM on permission failure. > > + * > > + * Called (set) from fs/proc/base.c::proc_contid_write(). > > + */ > > +int audit_set_contid(struct task_struct *task, u64 contid) > > +{ > > + u64 oldcontid; > > + int rc = 0; > > + struct audit_buffer *ab; > > + uid_t uid; > > + struct tty_struct *tty; > > + char comm[sizeof(current->comm)]; > > + > > + task_lock(task); > > + /* Can't set if audit disabled */ > > + if (!task->audit) { > > + task_unlock(task); > > + return -ENOPROTOOPT; > > + } > > + oldcontid = audit_get_contid(task); > > + read_lock(&tasklist_lock); > > + /* Don't allow the audit containerid to be unset */ > > + if (!audit_contid_valid(contid)) > > + rc = -EINVAL; > > + /* if we don't have caps, reject */ > > + else if (!capable(CAP_AUDIT_CONTROL)) > > + rc = -EPERM; > > + /* if task has children or is not single-threaded, deny */ > > + else if (!list_empty(&task->children)) > > + rc = -EBUSY; > > + else if (!(thread_group_leader(task) && thread_group_empty(task))) > > + rc = -EALREADY; > > + read_unlock(&tasklist_lock); > > + if (!rc) > > + task->audit->contid = contid; > > + task_unlock(task); > > + > > + if (!audit_enabled) > > + return rc; > > ...but it is allowed to change it (assuming > capable(CAP_AUDIT_CONTROL), of course)? Seems like this might be more > immediately useful since we still live in the world of majority > privileged containers if we didn't allow changing it, in addition to > un-setting it. The idea is that only container orchestrators should be able to set/modify the audit container ID, and since setting the audit container ID can have a significant effect on the records captured (and their routing to multiple daemons when we get there) modifying the audit container ID is akin to modifying the audit configuration which is why it is gated by CAP_AUDIT_CONTROL. The current thinking is that you would only change the audit container ID from one set/inherited value to another if you were nesting containers, in which case the nested container orchestrator would need to be granted CAP_AUDIT_CONTROL (which everyone to date seems to agree is a workable compromise). We did consider allowing for a chain of nested audit container IDs, but the implications of doing so are significant (implementation mess, runtime cost, etc.) so we are leaving that out of this effort. From a practical perspective, un-setting the audit container ID is pretty much the same as changing it from one set value to another so most of the above applies to that case as well. -- paul moore www.paul-moore.com