Received: by 2002:a25:31c3:0:0:0:0:0 with SMTP id x186csp197934ybx; Thu, 31 Oct 2019 18:37:39 -0700 (PDT) X-Google-Smtp-Source: APXvYqys4d9Cdoc8S9kyv4HHfxXOLWlMG1Sadx9CGqcH/sksp0dBZ8K239jkAVw0V7/A8nJqUMdj X-Received: by 2002:a17:906:6844:: with SMTP id a4mr7314108ejs.102.1572572259235; Thu, 31 Oct 2019 18:37:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1572572259; cv=none; d=google.com; s=arc-20160816; b=pxCqDbU+FC0/cV8MQYk9IASCxM1iY0BXdqrsXFA5slGSM6YWbydjdCBxV+ANxS5kdC w/0o/WCX5W2C9P0gkuZwq4IzmXrvKe94zFYWtgRoZA18InwUJTvRr9rx4wZXftfK7Ewl riZ7hBBR3caad6Xn7xZgLDVSAmtSvm30R4751exZIRXdIHJ+mPLSHB05mufDgc9ety4H rHX7SZJHZQIk9R+nrkY3KZYN8MH7CZw+Smz9oUZ2p+Q30lyZ3azfidY9D0pnB+ILFHKQ 3Nk/nkxYOBulmFWA0lbPOeTFrDjOP5bzVJPFqzdE9zLv//lovTCQkdzgR+XeDL6/iqW2 hg5A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:mail-followup-to :message-id:subject:cc:to:from:date; bh=E6PbdSxNLJfKezRCZc0ZRNGgkTX//w9L1O7kJQ1V8+s=; b=UKPBviLqLI0xIBgSTn/s16IVgRAsyuRMrBMGwZI0lJYuYW9soDkZyJpUUd7wGKkRZy OUkb9d47YCCpNNg3aHYQ0oi6Bq5Y9zu5GallcqpGAu0UTvFYgTXS0paTW7tY+zEi7iKI ew8LSbCvclIJjXDQQK0TQXlI4sgg31yKApTJCxxFLoRRZNUOQmiqNIXqWulEqKhsNRmK nblycKbM/oD2QY/k0vY8ndDVSQxN2bovEYoEOEFW8OvXeDVoLIXZWVxer+JWI+oZ01qa 56Q88TsgSDIvDigKKbyPsDvGhrO8W3eQKViDby+f6ZLZ4ydyN9/7mi1U2mF8oEStOwyb iAVQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z13si2551150ejp.350.2019.10.31.18.37.13; Thu, 31 Oct 2019 18:37:39 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728939AbfKABCn (ORCPT + 99 others); Thu, 31 Oct 2019 21:02:43 -0400 Received: from mail104.syd.optusnet.com.au ([211.29.132.246]:58531 "EHLO mail104.syd.optusnet.com.au" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726793AbfKABCm (ORCPT ); Thu, 31 Oct 2019 21:02:42 -0400 Received: from dimstar.local.net (n122-110-44-45.sun2.vic.optusnet.com.au [122.110.44.45]) by mail104.syd.optusnet.com.au (Postfix) with SMTP id D0B7B43EB0E for ; Fri, 1 Nov 2019 12:02:25 +1100 (AEDT) Received: (qmail 23327 invoked by uid 501); 1 Nov 2019 01:02:25 -0000 Date: Fri, 1 Nov 2019 12:02:25 +1100 From: Duncan Roe To: Steve Grubb Cc: Richard Guy Briggs , Paul Moore , containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List , linux-fsdevel@vger.kernel.org, LKML , netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, omosnace@redhat.com, dhowells@redhat.com, simo@redhat.com, Eric Paris , Serge Hallyn , ebiederm@xmission.com, nhorman@tuxdriver.com, Dan Walsh , mpatel@redhat.com Subject: Re: [PATCH ghak90 V7 20/21] audit: add capcontid to set contid outside init_user_ns Message-ID: <20191101010225.GC18955@dimstar.local.net> Mail-Followup-To: Steve Grubb , Richard Guy Briggs , Paul Moore , containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List , linux-fsdevel@vger.kernel.org, LKML , netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, omosnace@redhat.com, dhowells@redhat.com, simo@redhat.com, Eric Paris , Serge Hallyn , ebiederm@xmission.com, nhorman@tuxdriver.com, Dan Walsh , mpatel@redhat.com References: <20191030220320.tnwkaj5gbzchcn7j@madcap2.tricolour.ca> <3677995.NTHC7m0fHc@x2> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <3677995.NTHC7m0fHc@x2> User-Agent: Mutt/1.10.1 (2018-07-13) X-Optus-CM-Score: 0 X-Optus-CM-Analysis: v=2.2 cv=D+Q3ErZj c=1 sm=1 tr=0 a=4DzML1vCOQ6Odsy8BUtSXQ==:117 a=4DzML1vCOQ6Odsy8BUtSXQ==:17 a=jpOVt7BSZ2e4Z31A5e1TngXxSK0=:19 a=kj9zAlcOel0A:10 a=MeAgGD-zjQ4A:10 a=wokOCyRbhw6_iYDWPRUA:9 a=CjuIK1q_8ugA:10 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Oct 31, 2019 at 10:50:57AM -0400, Steve Grubb wrote: > Hello, > > TLDR; I see a lot of benefit to switching away from procfs for setting auid & > sessionid. > > On Wednesday, October 30, 2019 6:03:20 PM EDT Richard Guy Briggs wrote: > > > Also, for the record, removing the audit loginuid from procfs is not > > > something to take lightly, if at all; like it or not, it's part of the > > > kernel API. > > It can also be used by tools to iterate processes related to one user or > session. I use this in my Intrusion Prevention System which will land in > audit user space at some point in the future. > > > > Oh, I'm quite aware of how important this change is and it was discussed > > with Steve Grubb who saw the concern and value of considering such a > > disruptive change. > > Actually, I advocated for syscall. I think the gist of Eric's idea was that / > proc is the intersection of many nasty problems. By relying on it, you can't > simplify the API to reduce the complexity. Almost no program actually needs ^^^^^^ ^^ ^^^^^^^ ^^^^^^^^ ^^^^^ > access to /proc. ps does. But almost everything else is happy without it. For > ^^^^^^ ^^ ^^^^^^ ^^ ^^^^^ Eh?? *top* needs /proc/ps, as do most of the programs in package procps-ng. Then there's lsof, pgrep (which doesn't fail but can't find anything) and even lilo (for Slackware ;) > example, when you setup chroot jails, you may have to add /dev/random or / > dev/null, but almost never /proc. What does force you to add /proc is any > entry point daemon like sshd because it needs to set the loginuid. If we > switch away from /proc, then sshd or crond will no longer /require/ procfs to > be available which again simplifies the system design. > > > > Removing proc support for auid/ses would be a > > long-term deprecation if accepted. > > It might need to just be turned into readonly for a while. But then again, > perhaps auid and session should be part of /proc//status? Maybe this can > be done independently and ahead of the container work so there is a migration > path for things that read auid or session. TBH, maybe this should have been > done from the beginning. > > -Steve > Cheers ... Duncan.