Received: by 2002:a25:d7c1:0:0:0:0:0 with SMTP id o184csp4015483ybg; Fri, 25 Oct 2019 12:07:34 -0700 (PDT) X-Google-Smtp-Source: APXvYqyDDbyO7d4qEdsZQM4k1kjxtDAqMVTNJlEnhdyeUqWaNmMt3aMHAn8vqWdL532sB+TCZWCx X-Received: by 2002:a50:f699:: with SMTP id d25mr5677005edn.72.1572030454586; Fri, 25 Oct 2019 12:07:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1572030454; cv=none; d=google.com; s=arc-20160816; b=uuulIbZjr/KRe3stM4tVVIwLfzjTIC8NK2rBN1e2itTnUTnT2udRy8GPo37CieFUsu ecvh7ki0eeFt/vOmYLzqkhQmo9px27Q7uoVmkdtc7KHIhg3ATx9KWSFPk3kVtiZZ9cMS Ifk5kvtgFt1BynWxADEOisgsNzDbTQie9Hm15xRhHjw5YoSJ/CimnnZHNA5qmf3GTsia QcbNXse5O/65qjOq8eMHQqKWiJtfOfEjFuw7R9cJe61kYyxDSdE44kTffkS1Sjfb2i/+ Tqy21df8fWZDz2YXDmrEhcQJjQ/GWUqEdl/Wsuamdu2NLHc8znD1r10pSRoFmtpDmnLV Hg5Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-disposition :content-transfer-encoding:user-agent:in-reply-to:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=GgY+L++T6fpJSopTrMw0dsTEhyeu/WpiaitEu4tmWhw=; b=MV9ALjmFeuLbotQFzFvZtsAWe6iEqFcwjS+iT2FR0tvSPIMU+O07RcPBWEIQu8zRKz +nxtPRHk/Vtv+zKpuzBRwAGCgNMKua4W/rKM+WR0HV8NQy876WYMXCc96CCZHOwSZqbP cPeHNHxd0Qstiyf3VFWwnzpV5F92s1uUApsFZ6PdWf2QX4loD8mtJn4MCQ7cQyXMLTls 1vLKbL3luoLxzd6Y0kMsIDOdH+CWoYli3Q84fO/oQFL0pHBLUVMuCzTm/vC9MOHrZ6Fl jeHHQGDq+Bh0fw/nKedXuo5x+OhTJyf5KwYC5z68EMs9DbBV8qxB660nmUstc3Dy6fIO 4nHg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=L9YrzbzJ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n9si1774061ejk.158.2019.10.25.12.07.11; Fri, 25 Oct 2019 12:07:34 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=L9YrzbzJ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728872AbfJXVAf (ORCPT + 99 others); Thu, 24 Oct 2019 17:00:35 -0400 Received: from us-smtp-1.mimecast.com ([205.139.110.61]:57443 "EHLO us-smtp-delivery-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1728843AbfJXVAf (ORCPT ); Thu, 24 Oct 2019 17:00:35 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1571950833; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=GgY+L++T6fpJSopTrMw0dsTEhyeu/WpiaitEu4tmWhw=; b=L9YrzbzJhrgcvdali+72T7UI0QY7923kSZwlmNd+Yvxqi7tGenbJdsIKZsEMSuhrp2ntN1 aLTgI3aIvqSc4VRu+nDfSyKjMe3XazmeWqED7NNwenSwiy4IBLEPqQ9DWhbFwhCrNpxiz9 zywik8YF7Y3Pdw2kb1+dZVz4pMTXnrg= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-32-qDsje3gUNTiPfjVo7yiuHA-1; Thu, 24 Oct 2019 17:00:29 -0400 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id DA51880183E; Thu, 24 Oct 2019 21:00:27 +0000 (UTC) Received: from madcap2.tricolour.ca (ovpn-112-19.phx2.redhat.com [10.3.112.19]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 4F67D6012E; Thu, 24 Oct 2019 21:00:13 +0000 (UTC) Date: Thu, 24 Oct 2019 17:00:10 -0400 From: Richard Guy Briggs To: Paul Moore Cc: containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List , linux-fsdevel@vger.kernel.org, LKML , netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, sgrubb@redhat.com, omosnace@redhat.com, dhowells@redhat.com, simo@redhat.com, Eric Paris , Serge Hallyn , ebiederm@xmission.com, nhorman@tuxdriver.com, Dan Walsh , mpatel@redhat.com Subject: Re: [PATCH ghak90 V7 20/21] audit: add capcontid to set contid outside init_user_ns Message-ID: <20191024210010.owwgc3bqbvtdsqws@madcap2.tricolour.ca> References: <214163d11a75126f610bcedfad67a4d89575dc77.1568834525.git.rgb@redhat.com> <20191019013904.uevmrzbmztsbhpnh@madcap2.tricolour.ca> <20191021213824.6zti5ndxu7sqs772@madcap2.tricolour.ca> <20191021235734.mgcjotdqoe73e4ha@madcap2.tricolour.ca> MIME-Version: 1.0 In-Reply-To: User-Agent: NeoMutt/20180716 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-MC-Unique: qDsje3gUNTiPfjVo7yiuHA-1 X-Mimecast-Spam-Score: 0 Content-Type: text/plain; charset=WINDOWS-1252 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2019-10-21 20:31, Paul Moore wrote: > On Mon, Oct 21, 2019 at 7:58 PM Richard Guy Briggs wrote= : > > On 2019-10-21 17:43, Paul Moore wrote: > > > On Mon, Oct 21, 2019 at 5:38 PM Richard Guy Briggs w= rote: > > > > On 2019-10-21 15:53, Paul Moore wrote: > > > > > On Fri, Oct 18, 2019 at 9:39 PM Richard Guy Briggs wrote: > > > > > > On 2019-09-18 21:22, Richard Guy Briggs wrote: > > > > > > > Provide a mechanism similar to CAP_AUDIT_CONTROL to explicitl= y give a > > > > > > > process in a non-init user namespace the capability to set au= dit > > > > > > > container identifiers. > > > > > > > > > > > > > > Use audit netlink message types AUDIT_GET_CAPCONTID 1027 and > > > > > > > AUDIT_SET_CAPCONTID 1028. The message format includes the da= ta > > > > > > > structure: > > > > > > > struct audit_capcontid_status { > > > > > > > pid_t pid; > > > > > > > u32 enable; > > > > > > > }; > > > > > > > > > > > > Paul, can I get a review of the general idea here to see if you= 're ok > > > > > > with this way of effectively extending CAP_AUDIT_CONTROL for th= e sake of > > > > > > setting contid from beyond the init user namespace where capabl= e() can't > > > > > > reach and ns_capable() is meaningless for these purposes? > > > > > > > > > > I think my previous comment about having both the procfs and netl= ink > > > > > interfaces apply here. I don't see why we need two different API= s at > > > > > the start; explain to me why procfs isn't sufficient. If the arg= ument > > > > > is simply the desire to avoid mounting procfs in the container, h= ow > > > > > many container orchestrators can function today without a valid /= proc? > > > > > > > > Ok, sorry, I meant to address that question from a previous patch > > > > comment at the same time. > > > > > > > > It was raised by Eric Biederman that the proc filesystem interface = for > > > > audit had its limitations and he had suggested an audit netlink > > > > interface made more sense. > > > > > > I'm sure you've got it handy, so I'm going to be lazy and ask: archiv= e > > > pointer to Eric's comments? Just a heads-up, I'm really *not* a fan > > > of using the netlink interface for this, so unless Eric presents a > > > super compelling reason for why we shouldn't use procfs I'm inclined > > > to stick with /proc. > > > > It was actually a video call with Eric and Steve where that was > > recommended, so I can't provide you with any first-hand communication > > about it. I'll get more details... >=20 > Yeah, that sort of information really needs to be on the list. Here's the note I had from that meeting: - Eric raised the issue that using /proc is likely to get more and more hoary due to mount namespaces and suggested that we use a netlink audit message (or a new syscall) to set the audit container identifier and since the loginuid is a similar type of operation, that it should be migrated over to a similar mechanism to get it away from /proc. Get could be done with a netlink audit message that triggers an audit log message to deliver the information. I'm reluctant to further pollute the syscall space if we can find another method. The netlink audit message makes sense since any audit-enabled service is likely to already have an audit socket open. I don't have more detailed notes about what Eric said specifically. > > So, with that out of the way, could you please comment on the general > > idea of what was intended to be the central idea of this mechanism to b= e > > able to nest containers beyond the initial user namespace (knowing that > > a /proc interface is available and the audit netlink interface isn't > > necessary for it to work and the latter can be easily removed)? >=20 > I'm not entirely clear what you are asking about, are you asking why I > care about nesting container orchestrators? Simply put, it is not > uncommon for the LXC/LXD folks to see nested container orchestrators, > so I felt it was important to support that use case. When we > originally started this effort we probably should have done a better > job reaching out to the LXC/LXD folks, we may have caught this > earlier. Regardless, we caught it, and it looks like we are on our > way to supporting it (that's good). >=20 > Are you asking why I prefer the procfs approach to setting/getting the > audit container ID? For one, it makes it easier for a LSM to enforce > the audit container ID operations independent of the other audit > control APIs. It also provides a simpler interface for container > orchestrators. Both seem like desirable traits as far as I'm > concerned. >=20 > > > > The intent was to switch to the audit netlink interface for contid, > > > > capcontid and to add the audit netlink interface for loginuid and > > > > sessionid while deprecating the proc interface for loginuid and > > > > sessionid. This was alluded to in the cover letter, but not very c= lear, > > > > I'm afraid. I have patches to remove the contid and loginuid/sessi= onid > > > > interfaces in another tree which is why I had forgotten to outline = that > > > > plan more explicitly in the cover letter. >=20 > --=20 > paul moore > www.paul-moore.com - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635