Received: by 10.223.164.221 with SMTP id h29csp4453173wrb; Thu, 19 Oct 2017 16:15:37 -0700 (PDT) X-Google-Smtp-Source: ABhQp+TRAXdSubsoC4Tk73TWdmrmW9ipA9ujJDy0nlfLGoq3n69T6NjJmm64Fy6PI2sDX0sJlApI X-Received: by 10.84.129.193 with SMTP id b59mr2682017plb.317.1508454936972; Thu, 19 Oct 2017 16:15:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1508454936; cv=none; d=google.com; s=arc-20160816; b=lG/pJLVfQzEpGd20Gbpk6JhxMJv/+PW5zyd3d8AM5XkOiKHdmZs5b/uFtYgQi4Kvfl WteGe0KMssERONY/ljZN73VVB3NSD871eKF5PpkEmzqJraJCUkXKoviHsB8ljowfVYy+ 6aEOLnM8xXc4QVvUhZOfOG3d5aYrChDZmDY4SHGbxvEF4TQveJ18J0bKvMphB/ohxGNw bso25FGXp/Wxgql1uqEc1nsQakdO/A1acM2+ER6q8U6Sp3U5R4CM7nct2UKmIP6fwdfy ReZfPMe/sABwqA9IfCS4bNDvVX9iAcN4qC8Q9vd9XSQtkrZLakLOnLnb5vr+cpTCRrwa pRTQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:arc-authentication-results; bh=nKfWlG6+6BcxgPKxS1qEHB3aSQmtJ2uJRzZew3Qt2XQ=; b=WjYW7Hnb012ldKslQxfyccLnd0IM1Pn6J8hkZfkoxU4jy+LQIHr/Ot2ha2wEPpkHih EobY+geqUtua0R+/+bml8lhqbmqQ9ohDJNFKOeikDmcFJThUEMM8g33gzZd7/tQYmwf0 JfVdV/q0YMEFZGi1/d52JZhMYZsnTYMciHlOv2wRbMvsgUXGaCZ2d43uCPh9X+UOfHmj zE9ww2IIuoQsHzsThqAxG7T2G+UjHPJc9bC9S1Mo/PTw5297IN6VH9DSy3uygHdlXMBX hlY/UCG84p8jyR4cY0jwAhkQONPUn8+3pnm1PwtlUnDM07hkDb4PGrBGBQSjksZHrRyc v/Jg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 66si9258893pgh.503.2017.10.19.16.15.23; Thu, 19 Oct 2017 16:15:36 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752323AbdJSXLv (ORCPT + 99 others); Thu, 19 Oct 2017 19:11:51 -0400 Received: from mx2.suse.de ([195.135.220.15]:41438 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750968AbdJSXLs (ORCPT ); Thu, 19 Oct 2017 19:11:48 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (charybdis-ext.suse.de [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id 22ED1AE2A; Thu, 19 Oct 2017 23:11:46 +0000 (UTC) Subject: Re: RFC(v2): Audit Kernel Container IDs To: Richard Guy Briggs , Steve Grubb Cc: mszeredi@redhat.com, trondmy@primarydata.com, Andy Lutomirski , jlayton@redhat.com, Carlos O'Donell , Linux API , Linux Containers , Paul Moore , Linux Kernel , Eric Paris , Al Viro , David Howells , Linux Audit , Simo Sorce , Linux Network Development , Linux FS Devel , cgroups@vger.kernel.org, "Eric W. Biederman" References: <20171012141359.saqdtnodwmbz33b2@madcap2.tricolour.ca> <2307769.VGpzlLa4Dp@x2> <20171019195747.4ssujtaj3f5ipsoh@madcap2.tricolour.ca> From: Aleksa Sarai Message-ID: <8f495870-dd6c-23b9-b82b-4228a441c729@suse.de> Date: Fri, 20 Oct 2017 10:11:33 +1100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0 MIME-Version: 1.0 In-Reply-To: <20171019195747.4ssujtaj3f5ipsoh@madcap2.tricolour.ca> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org >>> The registration is a pseudo filesystem (proc, since PID tree already >>> exists) write of a u8[16] UUID representing the container ID to a file >>> representing a process that will become the first process in a new >>> container. This write might place restrictions on mount namespaces >>> required to define a container, or at least careful checking of >>> namespaces in the kernel to verify permissions of the orchestrator so it >>> can't change its own container ID. A bind mount of nsfs may be >>> necessary in the container orchestrator's mntNS. >>> Note: Use a 128-bit scalar rather than a string to make compares faster >>> and simpler. >>> >>> Require a new CAP_CONTAINER_ADMIN to be able to carry out the >>> registration. >> >> Wouldn't CAP_AUDIT_WRITE be sufficient? After all, this is for auditing. > > No, because then any process with that capability (vsftpd) could change > its own container ID. This is discussed more in other parts of the > thread... Not if we make the container ID append-only (to support nesting), or write-once (the other idea thrown around). In that case, you can't move "out" from a particular container ID, you can only go "deeper". These semantics don't make sense for generic containers, but since the point of this facility is *specifically* for audit I imagine that not being able to move a process from a sub-container's ID is a benefit. -- Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH https://www.cyphar.com/ From 1581717760745287240@xxx Thu Oct 19 20:06:44 +0000 2017 X-GM-THRID: 1581061469540113612 X-Gmail-Labels: Inbox,Category Forums