Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp1484939ybv; Thu, 6 Feb 2020 05:02:07 -0800 (PST) X-Google-Smtp-Source: APXvYqwbrZhjrdwwiF/1+IpiGcV7mHm37dslrd0n6y5K/b4GeD3VMP31BBHxEazcBHSE3rn5cxe0 X-Received: by 2002:aca:1708:: with SMTP id j8mr6824300oii.166.1580994127108; Thu, 06 Feb 2020 05:02:07 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1580994127; cv=none; d=google.com; s=arc-20160816; b=KanSdAzzGkGZb5PL1WwuyMp4ZaUi2YmjFACbz8tGnOxS/VrgkMsNFp8wOjYpygiina ZYkmfxiJYtWmxBddS/AyzI2xhth62AYbB1t0O/U6ufk26D24LBNwaQ3oxMT/Es5OQ1Hd O1e9YRLIpBr6yxa7dyILpL20HXbWyFWy9V8HqZo5Pxgz82cYlidGBgJeAQHYJt2OSufA 6CI56ihtiOvR03aYbIdbtpGJ/1Bgv6CWcW59SSbpjKFJdExdNC26CmXQ/ViJbCmpx67H VYkZdjGJaFkn6qQOzbllsmpTaFITvfF5Gzh1bQ+je/SDIT+xNUyQ59RhAY7wFsXuozb+ 4/hg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=+cSUL+K/rXHlYkmV2kRSp+5Fbri1CKFQQdzfpWgF9qI=; b=kub+WGI0kOydjPadRDzTITQq6DXTLs6S+cNb/vUlw1N3u8z9fipnaeCceTlZuXv/pb pYCPVDJ27PXVzLgdaQhJo9cxbJhgVJB5vwprM9R93ixZIcd3zZjUAMyslqdHdMhX45k4 vyqaRhE3HvafIcEm+BLhznan8F9uh2GtVsJYitjm1oiGTwfRpAj4f/D3D1CFBDFW2v0P LIJXb3koRtjroLSm8xLnA5Qenl2r6mIGcDA2d9vIY7JU/GATzq5G4u5x/njb01zmUZgF DQSS5oZNI/SlpdwVgPJbXdmCaSLrxC/mYb2frsSzDKsv/q4t6+SOrSAlPWjWvwGf/M4k jufg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b="PVmS/Sek"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k4si1884745otp.186.2020.02.06.05.01.52; Thu, 06 Feb 2020 05:02:07 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b="PVmS/Sek"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728122AbgBFMwD (ORCPT + 99 others); Thu, 6 Feb 2020 07:52:03 -0500 Received: from us-smtp-delivery-1.mimecast.com ([207.211.31.120]:55677 "EHLO us-smtp-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1727585AbgBFMwD (ORCPT ); Thu, 6 Feb 2020 07:52:03 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1580993521; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=+cSUL+K/rXHlYkmV2kRSp+5Fbri1CKFQQdzfpWgF9qI=; b=PVmS/Sek408PEZhufLV1YQFOEDdrpEF3AnR3T0HeBBpG7fVa0FmErAtyF7bqRDs5Sd/FnR zcVKb9B0O8VyUd+W7dzCdfdo0ZJ5HiFWtN/2rkXMpoZkzY/kbJY7CDYUSsoLb2zRh/IKzn P7RIS+OaVgI5AerYbDQQAxUCe7sr1Nc= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-237-c1iio9CtNYqKXzNuxDsi6w-1; Thu, 06 Feb 2020 07:51:53 -0500 X-MC-Unique: c1iio9CtNYqKXzNuxDsi6w-1 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 943A08C2FF4; Thu, 6 Feb 2020 12:51:50 +0000 (UTC) Received: from madcap2.tricolour.ca (ovpn-112-16.rdu2.redhat.com [10.10.112.16]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 4ACB65C1B0; Thu, 6 Feb 2020 12:51:37 +0000 (UTC) Date: Thu, 6 Feb 2020 07:51:35 -0500 From: Richard Guy Briggs To: Paul Moore Cc: nhorman@tuxdriver.com, linux-api@vger.kernel.org, containers@lists.linux-foundation.org, LKML , dhowells@redhat.com, Linux-Audit Mailing List , netfilter-devel@vger.kernel.org, ebiederm@xmission.com, simo@redhat.com, netdev@vger.kernel.org, linux-fsdevel@vger.kernel.org, Eric Paris , mpatel@redhat.com, Serge Hallyn Subject: Re: [PATCH ghak90 V8 16/16] audit: add capcontid to set contid outside init_user_ns Message-ID: <20200206125135.u4dmybkmvxfgui2b@madcap2.tricolour.ca> References: <5941671b6b6b5de28ab2cc80e72f288cf83291d5.1577736799.git.rgb@redhat.com> <20200205003930.2efpm4tvrisgmj4t@madcap2.tricolour.ca> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: NeoMutt/20180716 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2020-02-05 17:56, Paul Moore wrote: > On Tue, Feb 4, 2020 at 7:39 PM Richard Guy Briggs wrote: > > On 2020-01-22 16:29, Paul Moore wrote: > > > On Tue, Dec 31, 2019 at 2:51 PM Richard Guy Briggs wrote: > > > > > > > > Provide a mechanism similar to CAP_AUDIT_CONTROL to explicitly give a > > > > process in a non-init user namespace the capability to set audit > > > > container identifiers. > > > > > > > > Provide /proc/$PID/audit_capcontid interface to capcontid. > > > > Valid values are: 1==enabled, 0==disabled > > > > > > It would be good to be more explicit about "enabled" and "disabled" in > > > the commit description. For example, which setting allows the target > > > task to set audit container IDs of it's children processes? > > > > Ok... > > > > > > Report this action in message type AUDIT_SET_CAPCONTID 1022 with fields > > > > opid= capcontid= old-capcontid= > > > > > > > > Signed-off-by: Richard Guy Briggs > > > > --- > > > > fs/proc/base.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++ > > > > include/linux/audit.h | 14 ++++++++++++ > > > > include/uapi/linux/audit.h | 1 + > > > > kernel/audit.c | 35 +++++++++++++++++++++++++++++ > > > > 4 files changed, 105 insertions(+) > > ... > > > > > diff --git a/kernel/audit.c b/kernel/audit.c > > > > index 1287f0b63757..1c22dd084ae8 100644 > > > > --- a/kernel/audit.c > > > > +++ b/kernel/audit.c > > > > @@ -2698,6 +2698,41 @@ static bool audit_contid_isowner(struct task_struct *tsk) > > > > return false; > > > > } > > > > > > > > +int audit_set_capcontid(struct task_struct *task, u32 enable) > > > > +{ > > > > + u32 oldcapcontid; > > > > + int rc = 0; > > > > + struct audit_buffer *ab; > > > > + > > > > + if (!task->audit) > > > > + return -ENOPROTOOPT; > > > > + oldcapcontid = audit_get_capcontid(task); > > > > + /* if task is not descendant, block */ > > > > + if (task == current) > > > > + rc = -EBADSLT; > > > > + else if (!task_is_descendant(current, task)) > > > > + rc = -EXDEV; > > > > > > See my previous comments about error code sanity. > > > > I'll go with EXDEV. > > > > > > + else if (current_user_ns() == &init_user_ns) { > > > > + if (!capable(CAP_AUDIT_CONTROL) && !audit_get_capcontid(current)) > > > > + rc = -EPERM; > > > > > > I think we just want to use ns_capable() in the context of the current > > > userns to check CAP_AUDIT_CONTROL, yes? Something like this ... > > > > I thought we had firmly established in previous discussion that > > CAP_AUDIT_CONTROL in anything other than init_user_ns was completely irrelevant > > and untrustable. > > In the case of a container with multiple users, and multiple > applications, one being a nested orchestrator, it seems relevant to > allow that container to control which of it's processes are able to > exercise CAP_AUDIT_CONTROL. Granted, we still want to control it > within the overall host, e.g. the container in question must be > allowed to run a nested orchestrator, but allowing the container > itself to provide it's own granularity seems like the right thing to > do. Looking back to discussion on the v6 patch 2/10 (2019-05-30 15:29 Paul Moore[1], 2019-07-08 14:05 RGB[2]) , it occurs to me that the ns_capable(CAP_AUDIT_CONTROL) application was dangerous since there was no parental accountability in storage or reporting. Now that is in place, it does seem a bit more reasonable to allow it, but I'm still not clear on why we would want both mechanisms now. I don't understand what the last line in that email meant: "We would probably still want a ns_capable(CAP_AUDIT_CONTROL) restriction in this case." Allow ns_capable(CAP_AUDIT_CONTROL) to govern these actions, or restrict ns_capable(CAP_AUDIT_CONTROL) from being used to govern these actions? If an unprivileged user has been given capcontid to be able run their own container orchestrator/engine and spawns a user namespace with CAP_AUDIT_CONTROL, what matters is capcontid, and not CAP_AUDIT_CONTROL. I could see needing CAP_AUDIT_CONTROL *in addition* to capcontid to give it finer grained control, but since capcontid would have to be given to each process explicitly anways, I don't see the point. If that unprivileged user had not been given capcontid, giving itself or one of its descendants CAP_AUDIT_CONTROL should not let it jump into the game all of a sudden unless the now chained audit container identifiers are deemed accountable enough. And then now we need those hard limits on container depth and network namespace container membership. > > > if (current_user_ns() != &init_user_ns) { > > > if (!ns_capable(CAP_AUDIT_CONTROL) || !audit_get_capcontid()) > > > rc = -EPERM; > > > } else if (!capable(CAP_AUDIT_CONTROL)) > > > rc = -EPERM; > > > > > paul moore [1] https://www.redhat.com/archives/linux-audit/2019-May/msg00085.html https://lkml.org/lkml/2019/5/30/1380 [2] https://www.redhat.com/archives/linux-audit/2019-July/msg00003.html https://lkml.org/lkml/2019/7/8/1051 - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635