Received: by 10.223.164.221 with SMTP id h29csp4576951wrb; Thu, 19 Oct 2017 19:26:57 -0700 (PDT) X-Google-Smtp-Source: ABhQp+QY0gUWKMaUuufN1duq4FKjoI9cHoCbAJ65gzaMBTQyZbgfKwSSAw5aIicDOvWgrZWappKk X-Received: by 10.159.218.135 with SMTP id w7mr3011047plp.229.1508466417365; Thu, 19 Oct 2017 19:26:57 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1508466417; cv=none; d=google.com; s=arc-20160816; b=WLbLL5EpnAnp0rMIEqrWr33imWLLv+KaLdD/fOavMcJb9C6p0TtRRgV4GMH2WwGFba C5mmN4K6euaEjPejhRO5VlQc/4jxon/Jms+sxLtDdFzRLRaVYoGey7lEyGpb3XJI0hKN KuolakixeFGmOjDcjmUUktayjAzQx+8ZQd8WrJJgn0w4/Y01tBd/pMMXx0EKR8jXWR0g c6s8KJSwxQhRN7M9vEni8LwkqrG4Bx3p/TL1ZNoYNdBAIKyr5xb5GqwKtECy0gfWN7qn sDDjRXONig7Vod0+jjVuHtgxrPZnakGJq/ZbLDyQWCeukIyzRHLpxajg8mrt/ZQVa/F4 A0og== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:organization:message-id:date:subject:cc:to :from:dmarc-filter:arc-authentication-results; bh=Ortc5MZR680TWhdIpU++3DHbyA9ngdQ/3wEi+Aisylg=; b=RMtO3hj+tsv39SQ+z/0PUedX9mF7M+SSwi234dwyZtnSzG1MFqBH/ylVBzzK7apKja GdAj0v+Uu06b1flu/HxfWgDUGGLxo/dluixPvuCUcOteXwsJfJpZh4B+7uhvj6iKE+zT Vq5XsBv9qs3siIQiRkcnr5gyRVGBMDKeZ8f6gfYZFxTER0htBBqC5GEeQvs/m2d0v0i9 QpZGrwZ1RtkU9ftLA2A0am8bQOXpgBl5xBtMFrM4EnHW13pVxCNJag/J6l8LL5WBm35a hSKj1YEedqXGNWL91yF75HQcwOF5nfaYowt8nFOCF/EzGFpFL7qQIahjYcrGO7GZcH+K bhaw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c16si9471061pgu.476.2017.10.19.19.26.43; Thu, 19 Oct 2017 19:26:57 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751909AbdJTC0N (ORCPT + 99 others); Thu, 19 Oct 2017 22:26:13 -0400 Received: from mx1.redhat.com ([209.132.183.28]:47546 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751712AbdJTC0K (ORCPT ); Thu, 19 Oct 2017 22:26:10 -0400 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id CAC6BC0587D9; Fri, 20 Oct 2017 02:26:09 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com CAC6BC0587D9 Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=sgrubb@redhat.com Received: from x2.localnet (ovpn-120-218.rdu2.redhat.com [10.10.120.218]) by smtp.corp.redhat.com (Postfix) with ESMTPS id EA51D5D753; Fri, 20 Oct 2017 02:26:00 +0000 (UTC) From: Steve Grubb To: Aleksa Sarai Cc: Richard Guy Briggs , mszeredi@redhat.com, trondmy@primarydata.com, Andy Lutomirski , jlayton@redhat.com, Carlos O'Donell , Linux API , Linux Containers , Paul Moore , Linux Kernel , Eric Paris , Al Viro , David Howells , Linux Audit , Simo Sorce , Linux Network Development , Linux FS Devel , cgroups@vger.kernel.org, "Eric W. Biederman" Subject: Re: RFC(v2): Audit Kernel Container IDs Date: Thu, 19 Oct 2017 22:25:54 -0400 Message-ID: <2180320.n4TdndeGoA@x2> Organization: Red Hat In-Reply-To: <8f495870-dd6c-23b9-b82b-4228a441c729@suse.de> References: <20171012141359.saqdtnodwmbz33b2@madcap2.tricolour.ca> <20171019195747.4ssujtaj3f5ipsoh@madcap2.tricolour.ca> <8f495870-dd6c-23b9-b82b-4228a441c729@suse.de> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Fri, 20 Oct 2017 02:26:10 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thursday, October 19, 2017 7:11:33 PM EDT Aleksa Sarai wrote: > >>> The registration is a pseudo filesystem (proc, since PID tree already > >>> exists) write of a u8[16] UUID representing the container ID to a file > >>> representing a process that will become the first process in a new > >>> container. This write might place restrictions on mount namespaces > >>> required to define a container, or at least careful checking of > >>> namespaces in the kernel to verify permissions of the orchestrator so it > >>> can't change its own container ID. A bind mount of nsfs may be > >>> necessary in the container orchestrator's mntNS. > >>> Note: Use a 128-bit scalar rather than a string to make compares faster > >>> and simpler. > >>> > >>> Require a new CAP_CONTAINER_ADMIN to be able to carry out the > >>> registration. > >> > >> Wouldn't CAP_AUDIT_WRITE be sufficient? After all, this is for auditing. > > > > No, because then any process with that capability (vsftpd) could change > > its own container ID. This is discussed more in other parts of the > > thread... For the record, I changed my mind. CAP_AUDIT_CONTROL is the correct capability. > Not if we make the container ID append-only (to support nesting), or > write-once (the other idea thrown around). Well...I like to use lessons learned if they can be applied. In the normal world without containers we have uid, auid, and session_id. uid is who you are now, auid is how you got into the system, session_id distinguishes individual auids. We have a default auid of -1 for system objects and a real number for people. I think there should be the equivalent of auid and session_id but tailored for containers. Loginuid == container id. It can be set, overridden, or appended to (we'll figure this out later) in very limited circumstances. Container_session == session which is tamper-proof. This way things can enter a container with the same ID but under a different session. And everything else gets to inherit the original ID. This way we can trace actions to something that entered the container rather than normal system activity in the container. What a security officer wants to know is what did people do inside the system / container. The system objects we typically don't care about. Sure they might get hacked and then work on behalf of someone, but they would almost always pop a shell so that they can have freedom. That should set off an AVC or create other activity that gets picked up. -Steve > In that case, you can't move "out" from a particular container ID, you can > only go "deeper". These semantics don't make sense for generic containers, > but since the point of this facility is *specifically* for audit I imagine > that not being able to move a process from a sub-container's ID is a > benefit. From 1581729834946667104@xxx Thu Oct 19 23:18:39 +0000 2017 X-GM-THRID: 1581061469540113612 X-Gmail-Labels: Inbox,Category Forums