Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp4720657ybi; Mon, 15 Jul 2019 13:39:52 -0700 (PDT) X-Google-Smtp-Source: APXvYqw3DPu774Z6keoiowd68vOUl9WP022OjeEC8A1NyknUGhq8s6VhNUXq3Vwf50qmH5LbbCSC X-Received: by 2002:a17:90a:2768:: with SMTP id o95mr31249335pje.37.1563223192658; Mon, 15 Jul 2019 13:39:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1563223192; cv=none; d=google.com; s=arc-20160816; b=CHTh5ixOST+QIpymptbTj1pXCwbmfjC9nvwGDTNY0J5U8HpW2Ana46FkLrKbPGpKC5 v4jFKI3jrXFofxxVgVAZjwDh54dvbYoO5+9VSSogSyzKHSYa+xth8wI7LyenueZsVqaK WPy4OOeT6MTyCRTNOG+hueRawUd+fv/4Wp6UhgGL7q7AF47m/2/uFFQBbNYYYGuY8nLO CPSRHDey8eXMrjG22jo3QDTn7ildoxREpRY0WpCAM3/CziL1zrnuCt9JHPWuv+odtei9 ULOH2gtTn7Foie1BRWLf7IUHFYzKFWIgsO2O8sMQl5JutB1wYqIGliFfwTE/Mdszoc8d 8JSA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=SPYn0kigh/YyOOP3JdYIDFFrsPtkvgbvu1zMyQDVf3M=; b=TSd0zlZgqo43ORi1yUbteAqSyiItmNAO3jVn3dD9KotmGzjVvZ33Ihu1j4VmAg2YVC On3lb4JERglzagi0pydDVxLdN3g29zzUqONaDhD1fGZYqRG8+YUlzH0nnnC6krPlAyMJ MNudfceqfCyxZ2eCtclDa1n6om4rIoghptB1WBXxFKs4fsUFQs45FXBU6h7IOScMFBnN AR22bwXO3m0m0IR5ni0CZyIrbNKEKaTrUlI7ZC9K+EdPPzwp9dOhLyRVROjbpUTIiDKo H35tEIb9YjaWPJpjYSX+eS6jKgRfkBbykrqvq4gD0lBxgH7+qyHCEjgN1W4SJDHcZ9GB qRcA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=b5eOePLK; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t15si16447292plo.360.2019.07.15.13.39.27; Mon, 15 Jul 2019 13:39:52 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=b5eOePLK; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732140AbfGOUij (ORCPT + 99 others); Mon, 15 Jul 2019 16:38:39 -0400 Received: from mail-lj1-f193.google.com ([209.85.208.193]:33532 "EHLO mail-lj1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731449AbfGOUii (ORCPT ); Mon, 15 Jul 2019 16:38:38 -0400 Received: by mail-lj1-f193.google.com with SMTP id h10so17644214ljg.0 for ; Mon, 15 Jul 2019 13:38:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=SPYn0kigh/YyOOP3JdYIDFFrsPtkvgbvu1zMyQDVf3M=; b=b5eOePLKODPIzr8swDyYF4AgFldz7V2YABrA3742nAOHLzAo2/ozBZ0RJ8D5vddpk3 sARlE/+axrtAh0KzWih8Ly0xxU5yIYpkYX1vuY4Ipmgobv3qAB/1jGKDo3KylvK7eHSd 4sJcUaNpn2Mo0wTr/tITuzI5VkAFW1+L/TggkgJyTaDX57KahSyYfLsipraO3VrBagKt 5af5hO2j+xukaou6B0ox1R1O0J8iM7BVCBnKA5cz6PdIvdxQIVHl7YCSpLQAA4Z6I3Z2 jiNXl2hfASd4OE8vuNF//VDxwoQHOiejs0XJsKihnYXyCJwArlLVd3jylh7ferlCZnUf 1LIw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=SPYn0kigh/YyOOP3JdYIDFFrsPtkvgbvu1zMyQDVf3M=; b=EHY3n/E0lYhgrjXeJZP5u3r/r/MPJ8HIm21dFcs+91ydGBWk+pP9F7EDBixIOazulL AaLuTEjoh/fhlaj+rJn1ir+70XbAH2nvf+4ojSkIjrvvXODch+BaX2c2O2wDxcjaCM07 m5dl82GLH9e/gMZXonNHyzYcZfS9yfDJbaPLi4Q5k7jrrnniunbfqlNE8zaLe3o5MMEh Obwna90sjtkInsoc2iiNYeTqzchMx+PuB21YLiXjKJTUYsgnHhjhB+anJMVjmvnubB8X nKTPGI8uPkQQiyeYXv5Y+FrabhRCxOdgewA3mZbpzLWNnbwxpbzSqIlaGXCy2af9tB5K wfuA== X-Gm-Message-State: APjAAAVR6d8lEpN4wt65A2U1r4GwWiLZSh0FB3I7RoP1S/O45M1faEZA nxcX4Ts9lYoG6lz/wzrTmUqW57fAtXVbqCYEgA== X-Received: by 2002:a2e:3604:: with SMTP id d4mr15091488lja.85.1563223116334; Mon, 15 Jul 2019 13:38:36 -0700 (PDT) MIME-Version: 1.0 References: <9edad39c40671fb53f28d76862304cc2647029c6.1554732921.git.rgb@redhat.com> <20190529145742.GA8959@cisco> <20190708175105.7zb6mikjw2wmnwln@madcap2.tricolour.ca> In-Reply-To: <20190708175105.7zb6mikjw2wmnwln@madcap2.tricolour.ca> From: Paul Moore Date: Mon, 15 Jul 2019 16:38:25 -0400 Message-ID: Subject: Re: [PATCH ghak90 V6 02/10] audit: add container id To: Richard Guy Briggs Cc: Tycho Andersen , containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List , linux-fsdevel@vger.kernel.org, LKML , netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, sgrubb@redhat.com, omosnace@redhat.com, dhowells@redhat.com, simo@redhat.com, Eric Paris , Serge Hallyn , ebiederm@xmission.com, nhorman@tuxdriver.com Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jul 8, 2019 at 1:51 PM Richard Guy Briggs wrote: > On 2019-05-29 11:29, Paul Moore wrote: ... > > The idea is that only container orchestrators should be able to > > set/modify the audit container ID, and since setting the audit > > container ID can have a significant effect on the records captured > > (and their routing to multiple daemons when we get there) modifying > > the audit container ID is akin to modifying the audit configuration > > which is why it is gated by CAP_AUDIT_CONTROL. The current thinking > > is that you would only change the audit container ID from one > > set/inherited value to another if you were nesting containers, in > > which case the nested container orchestrator would need to be granted > > CAP_AUDIT_CONTROL (which everyone to date seems to agree is a workable > > compromise). We did consider allowing for a chain of nested audit > > container IDs, but the implications of doing so are significant > > (implementation mess, runtime cost, etc.) so we are leaving that out > > of this effort. > > We had previously discussed the idea of restricting > orchestrators/engines from only being able to set the audit container > identifier on their own descendants, but it was discarded. I've added a > check to ensure this is now enforced. When we weren't allowing nested orchestrators it wasn't necessary, but with the move to support nesting I believe this will be a requirement. We might also need/want to restrict audit container ID changes if a descendant is acting as a container orchestrator and managing one or more audit container IDs; although I'm less certain of the need for this. > I've also added a check to ensure that a process can't set its own audit > container identifier ... What does this protect against, or what problem does this solve? Considering how easy it is to fork/exec, it seems like this could be trivially bypassed. > ... and that if the identifier is already set, then the > orchestrator/engine must be in a descendant user namespace from the > orchestrator that set the previously inherited audit container > identifier. You lost me here ... although I don't like the idea of relying on X namespace inheritance for a hard coded policy on setting the audit container ID; we've worked hard to keep this independent of any definition of a "container" and it would sadden me greatly if we had to go back on that. -- paul moore www.paul-moore.com