Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp2806185ybi; Thu, 18 Jul 2019 14:53:57 -0700 (PDT) X-Google-Smtp-Source: APXvYqwFgqdROW8W80MFg9B27jpj7EGYtVKA7Pr5KGR+zC7eRQcYgUSe1H7yHLtH6miTzTYp/vPG X-Received: by 2002:a63:c006:: with SMTP id h6mr16560091pgg.290.1563486837025; Thu, 18 Jul 2019 14:53:57 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1563486837; cv=none; d=google.com; s=arc-20160816; b=sehzG5RdRLPBvlwFTlUuhVDHVXNku83sgh+sAhjZgU6cNJRu9Q0bTxbjrIx2xvTsFH K8ShFxhKOuCBx9mSSvSkDB2Y/dXdDpM+N5j2GgCbMF6YqO4z31q87EYANHQa4KKRJXQS UTqW6B6G1X5N+z78Ct1VP8/JJ+dl/8AmcjuOBay39lIdQpcNHvLVKjXDB7ht6K7F6vLZ C6yn4XhYzZxKAESPZym9gpUO/koG8QgkoDj6weD3yVjI9OPhEQwIbnnPoyMMWtTOgfDH uEOPWE5TwjKebiJc0k+NxwGZEcIsNmjYiTr35LqqI8FUPRaw1TbidHi0rGAw9FVPNUQz GuVg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=RhzTrt+KngzjicFbTv3vZ6r7DsUfT24hW3ZTH7kCo04=; b=UVSO3EUJHNirOuEFy2CT8og/wTB30n1gPsb50+e5/wKWWajkUiOGKyGzOmQRb2X6OW leBQEtjvJlM0w5+FmidrnRZRm8P45lecFth0JI+pyrEpHIMCJaa5Uax0xJTMuIroEZt9 +duUkncScOzCX6rgSWENRl7gfm6CHJs9w9qLYCwdgmI21wg6C8daVqLAPCsegleMXgbU sF+ZuqCllWfyOnbrL4G7JOppt60FWiiyTdWWuSA19h4pQS/TJ3U1U5goumEOx5Kkfp30 iiOsT0l5kSGAcu0toTLKnjGkOLqrRtMMDOyQJO3Hvu/nP4SCfw3BbIhbVpPsjHSdeLwL 30Ig== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=BDDC63Ab; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t15si2688526pjr.46.2019.07.18.14.53.41; Thu, 18 Jul 2019 14:53:57 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=BDDC63Ab; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391508AbfGRVxM (ORCPT + 99 others); Thu, 18 Jul 2019 17:53:12 -0400 Received: from mail-lf1-f65.google.com ([209.85.167.65]:38801 "EHLO mail-lf1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727781AbfGRVxM (ORCPT ); Thu, 18 Jul 2019 17:53:12 -0400 Received: by mail-lf1-f65.google.com with SMTP id h28so20273163lfj.5 for ; Thu, 18 Jul 2019 14:53:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=RhzTrt+KngzjicFbTv3vZ6r7DsUfT24hW3ZTH7kCo04=; b=BDDC63AbbksIGaPLCaZ+G2vZ+QlUC0Y4xmaYnnx1w9Sn0c/YSKCOyE3F3bipx/OPNo bY+GCUelVN9YgKRNdiGTQc7e9dxHE8srVeTFP4z3kHDTgyTHdIJxEgeYAGwEg5uRlCR4 SJCBe/KsTQXTy1ZbjaHtMM7hkizkZLcw0c9zfxcr0RvysIbU+uTnupNfETlIA5tdojdb eaHLpJsvTbxt6FmfE6Rqf0hRmvzcJp0R71+FTYwBZjMbwYRjqxFe4jlSYdDpAlcz6a+v gHInJ6oZUdBaKuk2fyjd8yd5aDlkZ2MjSHc//o4Z3Oextu3SQoPtQvrnS0hkfu0OOV0b pBqg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=RhzTrt+KngzjicFbTv3vZ6r7DsUfT24hW3ZTH7kCo04=; b=ukxzlmXkhb/CllpwSD61nIvdGc9cNy78JoOtvwQSSk1l7PVvG2xs+VC+7yLUEgrK8P lFSqXRgmhPPwqbHpn45RgZKi8n/UwzvT79p9yEvkGOQ9nTCvqYgAKIgJIJsAWk86M5uh Bxcc+9ZMhd8Ea948jLK7WCv2HNnHiBVNVU9oLk+aSPKcdlAFQveNe+KCNFCKAsYDAHck UsQzAORm8Law6shk2Pj5wfuk3QyFrfMcuBIiyTSZaFQq2P9JyyONO6VJVdppYrc3pJlD F73d6NIB0gKZRIpufsZu37B1m+RnvuxGbqnFHTo7CMuEDzQ9nKwn5YdI/UUxPMvwigl0 QYTQ== X-Gm-Message-State: APjAAAXolm3MDfFmZt98gyCvRtR0W+J5anDxDgq17K875W3aCkToG3i3 sHqI4wUFuJ3Lpr0lvZ/E2XuT9SjpASTpsRBUBw== X-Received: by 2002:a19:8093:: with SMTP id b141mr22767615lfd.137.1563486789899; Thu, 18 Jul 2019 14:53:09 -0700 (PDT) MIME-Version: 1.0 References: <20190529153427.GB8959@cisco> <20190529222835.GD8959@cisco> <20190530170913.GA16722@mail.hallyn.com> <20190708180558.5bar6ripag3sdadl@madcap2.tricolour.ca> <20190716220320.sotbfqplgdructg7@madcap2.tricolour.ca> <20190718005145.eshekqfr3navqqiy@madcap2.tricolour.ca> In-Reply-To: <20190718005145.eshekqfr3navqqiy@madcap2.tricolour.ca> From: Paul Moore Date: Thu, 18 Jul 2019 17:52:58 -0400 Message-ID: Subject: Re: [PATCH ghak90 V6 02/10] audit: add container id To: Richard Guy Briggs Cc: "Serge E. Hallyn" , Tycho Andersen , containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List , linux-fsdevel@vger.kernel.org, LKML , netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, sgrubb@redhat.com, omosnace@redhat.com, dhowells@redhat.com, simo@redhat.com, Eric Paris , ebiederm@xmission.com, nhorman@tuxdriver.com Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jul 17, 2019 at 8:52 PM Richard Guy Briggs wrote: > On 2019-07-16 19:30, Paul Moore wrote: ... > > We can trust capable(CAP_AUDIT_CONTROL) for enforcing audit container > > ID policy, we can not trust ns_capable(CAP_AUDIT_CONTROL). > > Ok. So does a process in a non-init user namespace have two (or more) > sets of capabilities stored in creds, one in the init_user_ns, and one > in current_user_ns? Or does it get stripped of all its capabilities in > init_user_ns once it has its own set in current_user_ns? If the former, > then we can use capable(). If the latter, we need another mechanism, as > you have suggested might be needed. Unfortunately I think the problem is that ultimately we need to allow any container orchestrator that has been given privileges to manage the audit container ID to also grant that privilege to any of the child process/containers it manages. I don't believe we can do that with capabilities based on the code I've looked at, and the discussions I've had, but if you find a way I would leave to hear it. > If some random unprivileged user wants to fire up a container > orchestrator/engine in his own user namespace, then audit needs to be > namespaced. Can we safely discard this scenario for now? I think the only time we want to allow a container orchestrator to manage the audit container ID is if it has been granted that privilege by someone who has that privilege already. In the zero-container, or single-level of containers, case this is relatively easy, and we can accomplish it using CAP_AUDIT_CONTROL as the privilege. If we start nesting container orchestrators it becomes more complicated as we need to be able to support granting and inheriting this privilege in a manner; this is why I suggested a new mechanism *may* be necessary. -- paul moore www.paul-moore.com