Received: by 10.223.164.221 with SMTP id h29csp4454982wrb; Thu, 19 Oct 2017 16:18:39 -0700 (PDT) X-Google-Smtp-Source: ABhQp+SZFXeFeMAnEuMUVrMStqCwQ4dm+61mtMbDfcKHU7w6R3Yr8MFB9eK0FYPO/ycRC4+S2ahA X-Received: by 10.159.218.135 with SMTP id w7mr2698651plp.229.1508455119376; Thu, 19 Oct 2017 16:18:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1508455119; cv=none; d=google.com; s=arc-20160816; b=GmsQdnHYqwbi+lvpFe13TZRP/Zz15s4wdJxkVoCYADpGZQYUWiy0kjX8I7mdwJgrmC D2cP1Du9HJj3jMrVfehCZb59tuQNtjD0xlwwTYwfPJ/SwdyfGpQgChifNPtfDsuIFtgp ylDwYbyxS7j5Xev5koL/uHiy8V/7gsuIQma/Wun2CEifGnx4QL87SZSFq+qZjjTALzYW b+urW2UwNj6D6S4sZlpbbA3d777jaHQdxcFncW42pY0SPVkSxxNkv/b7f6yZ828CiYJh t2Au8DHb8/1awXTb+9cyubJo/hzQx9CS5TdfH7DFZxxwhadKwgnZRs1n3ojHv8LtfJ7k AMDw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:references:cc:to:from:subject:arc-authentication-results; bh=Xs9QyLXoXjk1h65X/OZNXT6ltcuuJoRBVX1WgKafA/k=; b=D4NvJrtMcpe3ZFCpvxBQvBuWhX6jM9ompP4akEjFz3YQJ0ZznuYFinYOhQNSzowii4 6Jmku4y6M5ETcaMJ9fx58u1yI8/8gLE140LQ1ilIVdN2xF/WGRrntB5MF80PMBzH+Mo8 JgL0eFHF02TqPOV6gzkmI6kfCY3CGdTJIkbiGPfNIs940aKtdPMjivpId3D29juMRdLo nDZBKY5pOh+1wChObfXJdFCkurix9XADu7rEG2S1lxRGLMIAh4SHuKzg8NTqwGB9sLq/ W2Pt9EGeRzPAQZZx84CBTQOMmm9PyaQhVijNk8d5AACUzaYNPib7x7wmH8jiQfhwWiQu 42RA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v2si9294087pgo.163.2017.10.19.16.18.25; Thu, 19 Oct 2017 16:18:39 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751473AbdJSXPj (ORCPT + 99 others); Thu, 19 Oct 2017 19:15:39 -0400 Received: from mx2.suse.de ([195.135.220.15]:41674 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751244AbdJSXPh (ORCPT ); Thu, 19 Oct 2017 19:15:37 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay1.suse.de (charybdis-ext.suse.de [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id ECCE4ACD3; Thu, 19 Oct 2017 23:15:35 +0000 (UTC) Subject: Re: RFC(v2): Audit Kernel Container IDs From: Aleksa Sarai To: Richard Guy Briggs , Steve Grubb Cc: cgroups@vger.kernel.org, mszeredi@redhat.com, David Howells , Simo Sorce , jlayton@redhat.com, Carlos O'Donell , Linux API , Linux Containers , Linux Kernel , Paul Moore , Linux Audit , Al Viro , Andy Lutomirski , Eric Paris , Linux FS Devel , trondmy@primarydata.com, Linux Network Development , "Eric W. Biederman" References: <20171012141359.saqdtnodwmbz33b2@madcap2.tricolour.ca> <2307769.VGpzlLa4Dp@x2> <20171019195747.4ssujtaj3f5ipsoh@madcap2.tricolour.ca> <8f495870-dd6c-23b9-b82b-4228a441c729@suse.de> Message-ID: Date: Fri, 20 Oct 2017 10:15:25 +1100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0 MIME-Version: 1.0 In-Reply-To: <8f495870-dd6c-23b9-b82b-4228a441c729@suse.de> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org >>>> The registration is a pseudo filesystem (proc, since PID tree already >>>> exists) write of a u8[16] UUID representing the container ID to a file >>>> representing a process that will become the first process in a new >>>> container.  This write might place restrictions on mount namespaces >>>> required to define a container, or at least careful checking of >>>> namespaces in the kernel to verify permissions of the orchestrator >>>> so it >>>> can't change its own container ID.  A bind mount of nsfs may be >>>> necessary in the container orchestrator's mntNS. >>>> Note: Use a 128-bit scalar rather than a string to make compares faster >>>> and simpler. >>>> >>>> Require a new CAP_CONTAINER_ADMIN to be able to carry out the >>>> registration. >>> >>> Wouldn't CAP_AUDIT_WRITE be sufficient? After all, this is for auditing. >> >> No, because then any process with that capability (vsftpd) could change >> its own container ID.  This is discussed more in other parts of the >> thread... > > Not if we make the container ID append-only (to support nesting), or > write-once (the other idea thrown around). In that case, you can't move > "out" from a particular container ID, you can only go "deeper". These > semantics don't make sense for generic containers, but since the point > of this facility is *specifically* for audit I imagine that not being > able to move a process from a sub-container's ID is a benefit. [This assumes it's CAP_AUDIT_CONTROL which is what we are discussing in a sister thread.] -- Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH https://www.cyphar.com/ From 1581729643801333985@xxx Thu Oct 19 23:15:36 +0000 2017 X-GM-THRID: 1581061469540113612 X-Gmail-Labels: Inbox,Category Forums