Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp1156266ybi; Thu, 30 May 2019 12:31:16 -0700 (PDT) X-Google-Smtp-Source: APXvYqytAcL8GlZIOUhWlDBdFEguVu8BB+ScUwNdh+DUN6pmG8BDbYmb69gIaRFVcA8LE8i9cPZu X-Received: by 2002:a17:902:2be8:: with SMTP id l95mr4845542plb.231.1559244676784; Thu, 30 May 2019 12:31:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1559244676; cv=none; d=google.com; s=arc-20160816; b=SOvx//niHChxBUWSGVaUdXjVX79Y4BkTUU09VK3n/rMnw1nCGBdRXBsNg+fYeT26xg 5j7DSFK6gDE7aQicY2W3eNUq4Zgqs010kgZFmoQ9suZpx+7mbAoYQ+7wInlwRq9XpGff W5CYm3sHeLhSi/nMdMQXfPNdp/pJdFN6ooxbxj2pH+pvD8/BQGkelUHMAB30jg258/FM JCO2ZdXtCQpFSbVosm792JDZuAgl4u13e/8te1aAv1hSt632XdjSOj/x/TTEazx44BGd MrhyiP8kbl20jWug3mSaXImLbCwn1o2KbjvOA2VSpdmizV9+1gXtdl+HSQzrj59loLHq wW1A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=iVk/NFNgHVBFx7MhewVcDHKeuh0/y8uv27n+wctjBBw=; b=eAkc9NSE/l9XDKDFAy/RPaLMTl/KzBMkSF2+8gTY5dOwelVoMBfLFZKQo2QvbUalFG s0Et/llp2v6/qPHGocuusXCCjE5xzHZXHWh3QZt2ToOYiVfm3ZD0M+Ux295+zLitRIVp eVvmyNamE6zeH9f5BOlClpo9Lfs/uUzD5Z8ALdOxQw3vCLHtm1EECLqpQt4rhHdBC6D5 kGZMH7jrUeb2HnSZ1nO2bBDsbEBlpBYxNhyJN960vQLfk1VJhQfjVdPFXycZqjZuUOqs cEAp3rI/E+VahKoudroOAWFkYp7sqAQCPFfiukJxVfCWZvNfwzBQFUwOvUoRGBwCB2Nb HxQw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=iUJd3oa1; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j2si3745865pgh.192.2019.05.30.12.31.00; Thu, 30 May 2019 12:31:16 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=iUJd3oa1; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726541AbfE3T3s (ORCPT + 99 others); Thu, 30 May 2019 15:29:48 -0400 Received: from mail-lj1-f194.google.com ([209.85.208.194]:39199 "EHLO mail-lj1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725897AbfE3T3s (ORCPT ); Thu, 30 May 2019 15:29:48 -0400 Received: by mail-lj1-f194.google.com with SMTP id a10so3987219ljf.6 for ; Thu, 30 May 2019 12:29:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=iVk/NFNgHVBFx7MhewVcDHKeuh0/y8uv27n+wctjBBw=; b=iUJd3oa19CugyfCed6zmPxPNuarTP/1imCFXfhjAKXmDQBo5jZe7ZBR5RJOq+hx6br tfQzOOPQSqboRyGxFLT3oSfQ+JEgq29U2q60jo8Rr2CFQTVVxATpRL8XEc0KJdCPnkC0 SbiJiRSFkAq8oO5wi8mEi96cPVRUr9w8MIZ/OWqOCcFnsB6CPb5tpIu+P0Ghso3X245/ NCySiboUIcKL8ug8JS2mDcOFFPLquJEQpPTys/6K9z3FovVwTZAdFmLqlzNlKDrXytw1 cQv+DRz6iJnKKRbUgD8k65be4+HNaacB+tw7zitbPLmamQffqA0s+u7+l5fj7cD+yxkk BtIg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=iVk/NFNgHVBFx7MhewVcDHKeuh0/y8uv27n+wctjBBw=; b=WrWCdVbKFP6KuWrJPB5IL3Buj4/qINsUjksdNNavDUkd19q4OlopJcL2BAuv4iEdgm qxsPP6ZBIKKlxy9tRpCseDKJKCcPG09WuaFzKkT/NgvOd9efivuIEhvMfdaBQ1viuE0z pAl94aRpHIhNqoReCpa0MmSMUZruOQMGPKe6rs+iTI17ZNT9fXxpJ8iNCPl5AWsOWJ4z eEPd/6GMYqhk0F1qromUiv8f/uBzQWu7pP9+AW3QYodk0WrxN42CkVxJ1RUjbiHV1zwh M1CFZjza8spBV8BvJG4Y42AHXTybjvtVzKm5A0lbaeicpLxqD6AmWjueVumVp65y1K1d iEHw== X-Gm-Message-State: APjAAAXsr4FT070bDGKqiCCwB6+2e/MWPiLx4+EN7ujIdYLodS9YQKez FLp/rqHVXGERGkfGGaln0qZTfPrKAMHULyK8sd7+ X-Received: by 2002:a2e:9bc5:: with SMTP id w5mr3279775ljj.87.1559244585165; Thu, 30 May 2019 12:29:45 -0700 (PDT) MIME-Version: 1.0 References: <9edad39c40671fb53f28d76862304cc2647029c6.1554732921.git.rgb@redhat.com> <20190529145742.GA8959@cisco> <20190529153427.GB8959@cisco> <20190529222835.GD8959@cisco> <20190530170913.GA16722@mail.hallyn.com> In-Reply-To: <20190530170913.GA16722@mail.hallyn.com> From: Paul Moore Date: Thu, 30 May 2019 15:29:32 -0400 Message-ID: Subject: Re: [PATCH ghak90 V6 02/10] audit: add container id To: "Serge E. Hallyn" Cc: Tycho Andersen , Richard Guy Briggs , containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List , linux-fsdevel@vger.kernel.org, LKML , netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, sgrubb@redhat.com, omosnace@redhat.com, dhowells@redhat.com, simo@redhat.com, Eric Paris , ebiederm@xmission.com, nhorman@tuxdriver.com Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, May 30, 2019 at 1:09 PM Serge E. Hallyn wrote: > On Wed, May 29, 2019 at 06:39:48PM -0400, Paul Moore wrote: > > On Wed, May 29, 2019 at 6:28 PM Tycho Andersen wrote: > > > On Wed, May 29, 2019 at 12:03:58PM -0400, Paul Moore wrote: > > > > On Wed, May 29, 2019 at 11:34 AM Tycho Andersen wrote: > > > > > On Wed, May 29, 2019 at 11:29:05AM -0400, Paul Moore wrote: > > > > > > On Wed, May 29, 2019 at 10:57 AM Tycho Andersen wrote: > > > > > > > On Mon, Apr 08, 2019 at 11:39:09PM -0400, Richard Guy Briggs wrote: ... > > > > > > The current thinking > > > > > > is that you would only change the audit container ID from one > > > > > > set/inherited value to another if you were nesting containers, in > > > > > > which case the nested container orchestrator would need to be granted > > > > > > CAP_AUDIT_CONTROL (which everyone to date seems to agree is a workable > > > > > > compromise). > > > > > > won't work in user namespaced containers, because they will never be > > > capable(CAP_AUDIT_CONTROL); so I don't think this will work for > > > nesting as is. But maybe nobody cares :) > > > > That's fun :) > > > > To be honest, I've never been a big fan of supporting nested > > containers from an audit perspective, so I'm not really too upset > > about this. The k8s/cri-o folks seem okay with this, or at least I > > haven't heard any objections; lxc folks, what do you have to say? > > I actually thought the answer to this (when last I looked, "some time" ago) > was that userspace should track an audit message saying "task X in > container Y is changing its auditid to Z", and then decide to also track Z. > This should be doable, but a lot of extra work in userspace. > > Per-userns containerids would also work. So task X1 is in containerid > 1 on the host and creates a new task Y in new userns; it continues to > be reported in init_user_ns as containerid 1 forever; but in its own > userns it can request to be known as some other containerid. Audit > socks would be per-userns, allowing root in a container to watch for > audit events in its own (and descendent) namespaces. > > But again I'm sure we've gone over all this in the last few years. > > I suppose we can look at this as a "first step", and talk about > making it user-ns-nestable later. But agreed it's not useful in a > lot of situations as is. [REMINDER: It is an "*audit* container ID" and not a general "container ID" ;) Smiley aside, I'm not kidding about that part.] I'm not interested in supporting/merging something that isn't useful; if this doesn't work for your use case then we need to figure out what would work. It sounds like nested containers are much more common in the lxc world, can you elaborate a bit more on this? As far as the possible solutions you mention above, I'm not sure I like the per-userns audit container IDs, I'd much rather just emit the necessary tracking information via the audit record stream and let the log analysis tools figure it out. However, the bigger question is how to limit (re)setting the audit container ID when you are in a non-init userns. For reasons already mentioned, using capable() is a non starter for everything but the initial userns, and using ns_capable() is equally poor as it essentially allows any userns the ability to munge it's audit container ID (obviously not good). It appears we need a different method for controlling access to the audit container ID. Punting this to a LSM hook is an obvious thing to do, and something we might want to do anyway, but currently audit doesn't rely on the LSM for proper/safe operation and I'm not sure I want to change that now. The next obvious thing is to create some sort of access control knob in audit itself. Perhaps an auditctl operation that would allow the administrator to specify which containers, via their corresponding audit container IDs, are allowed to change their audit container ID? The permission granting would need to be done in the init userns, but it would allow containers with a non-init userns the ability to change their audit container ID. We would probably still want a ns_capable(CAP_AUDIT_CONTROL) restriction in this case. Does anyone else have any other ideas? -- paul moore www.paul-moore.com