From: Steve Grubb
To: James Bottomley
Cc: Casey Schaufler, mszeredi@redhat.com, David Howells, Andy Lutomirski, jlayton@redhat.com, Carlos O'Donell, Linux API, Linux Containers, Linux Kernel, Eric Paris, linux-audit@redhat.com, "Eric W. Biederman", Simo Sorce, cgroups@vger.kernel.org, Linux FS Devel, trondmy@primarydata.com, Linux Network Development, Al Viro
Subject: Re: RFC(v2): Audit Kernel Container IDs
Date: Tue, 17 Oct 2017 20:23:01 -0400
Message-ID: <16761682.puRDTGPHq7@x2>
Organization: Red Hat
In-Reply-To: <1508263063.3129.35.camel@HansenPartnership.com>
References: <20171012141359.saqdtnodwmbz33b2@madcap2.tricolour.ca> <1982291.vr6V9CPzqu@x2> <1508263063.3129.35.camel@HansenPartnership.com>

On Tuesday, October 17, 2017 1:57:43 PM EDT James Bottomley wrote:
> > > > The idea is that processes spawned into a container would be
> > > > labelled by the container orchestration system. It's unclear
> > > > what should happen to processes using nsenter after the fact, but
> > > > policy for that should be up to the orchestration system.
> > >
> > > I'm fine with that. The user space policy can be anything y'all
> > > like.
> >
> > I think there should be a login event.
>
> I thought you wanted this for containers? Container creation doesn't
> have login events. In an unprivileged orchestration system it may be
> hard to synthetically manufacture them.

I realize this. This work is very similar to problems we've solved 12 years ago. We'll figure out what the right name is for it down the road. But the concept is the same. If something enters a container, we need to know about it. It needs to get tagged and be associated with the container.
The way this was solved for the loginuid problem was to add a session identifier so that new logins of the same loginuid can coexist and we can trace actions back to a specific login. I'd think we can apply lessons learned from a while back to make container identification act similarly.

-Steve
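The loginuid-plus-session-identifier scheme Steve refers to, shown as an added example (not code from this thread or from the audit project): it parses constructed auditd-style records and keys them by (auid, ses), so two concurrent logins of the same loginuid stay distinguishable and a later record, even after a uid change to root, traces back to its own LOGIN event. The sample log lines, pids and serials are all constructed.

```python
import re
from collections import defaultdict

# Constructed sample records in the auditd key=value layout (not taken from the thread).
# Two logins of the same loginuid (auid=1000) are open at once, as sessions 7 and 8.
SAMPLE_AUDIT_LOG = """\
type=LOGIN msg=audit(1508332600.100:201): pid=2100 uid=0 old-auid=4294967295 auid=1000 tty=(none) old-ses=4294967295 ses=7 res=1
type=LOGIN msg=audit(1508332610.200:205): pid=2300 uid=0 old-auid=4294967295 auid=1000 tty=(none) old-ses=4294967295 ses=8 res=1
type=SYSCALL msg=audit(1508332620.300:210): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2150 auid=1000 uid=1000 ses=7 comm="cat" exe="/usr/bin/cat" key="watch-etc"
type=SYSCALL msg=audit(1508332630.400:215): arch=c000003e syscall=59 success=yes exit=0 ppid=2300 pid=2350 auid=1000 uid=1000 ses=8 comm="vim" exe="/usr/bin/vim" key="watch-etc"
type=SYSCALL msg=audit(1508332640.500:220): arch=c000003e syscall=59 success=yes exit=0 ppid=2150 pid=2160 auid=1000 uid=0 ses=7 comm="sudo" exe="/usr/bin/sudo" key="priv-esc"
"""

HDR_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):")
FIELD_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit line into a dict; returns None for lines that are not audit records."""
    m = HDR_RE.match(line)
    if not m:
        return None
    rec = {"type": m.group(1), "time": float(m.group(2)), "serial": int(m.group(3))}
    for key, value in FIELD_RE.findall(line[m.end():]):
        rec[key] = value.strip('"')
    return rec


def group_by_session(log_text):
    """Key records by (auid, ses): auid survives setuid, ses separates concurrent logins."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and "auid" in rec and "ses" in rec:
            sessions[(int(rec["auid"]), int(rec["ses"]))].append(rec)
    return dict(sessions)


def trace_to_login(sessions, pid):
    """Return the serial of the LOGIN record that opened the session a given pid acted in."""
    for recs in sessions.values():
        if any(r.get("pid") == str(pid) for r in recs):
            logins = [r for r in recs if r["type"] == "LOGIN"]
            return logins[0]["serial"] if logins else None
    return None
```

In production ausearch's --session filter performs the same join; the example only makes the data model visible.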