From: Steve Grubb
To: Casey Schaufler
Cc: James Bottomley, Simo Sorce, linux-audit@redhat.com, mszeredi@redhat.com, trondmy@primarydata.com, jlayton@redhat.com, Linux API, Linux Containers, Linux Kernel, David Howells, Carlos O'Donell, cgroups@vger.kernel.org, "Eric W. Biederman", Andy Lutomirski, Linux Network Development, Linux FS Devel, Eric Paris, Al Viro
Subject: Re: RFC(v2): Audit Kernel Container IDs
Date: Tue, 17 Oct 2017 13:15:00 -0400
Message-ID: <1982291.vr6V9CPzqu@x2>
Organization: Red Hat
References: <20171012141359.saqdtnodwmbz33b2@madcap2.tricolour.ca> <1508255091.3129.27.camel@HansenPartnership.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tuesday, October 17, 2017 12:43:18 PM EDT Casey Schaufler wrote:
> > The idea is that processes spawned into a container would be labelled
> > by the container orchestration system. It's unclear what should happen
> > to processes using nsenter after the fact, but policy for that should
> > be up to the orchestration system.
>
> I'm fine with that. The user space policy can be anything y'all like.

I think there should be a login event.

> > The label will be used as a tag for audit information.
>
> Deep breath ...
>
> Which *is* a kernel security policy mechanism. Since the "label"
> is part of the audit information that the kernel is guaranteeing,
> changing it would be covered by CAP_AUDIT_CONTROL. If the kernel
> does not use the "label" for any other purpose, this is the only
> capability that makes sense for it.

I agree. The ability to set the container label grants the ability to evade
rules or modify audit rules. CAP_AUDIT_CONTROL makes sense to me.

> > I think you were missing label inheritance above.
> >
> > The security implications are that anything that can change the label
> > could also hide itself and its doings from the audit system and thus
> > would be used as a means to evade detection.

Yes. We have the same problem with loginuid. There are restrictions on who
can change it once set. And then we made an immutable flag so that people
that want a hard guarantee can get that.

-Steve
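The loginuid rules Steve points to as the precedent for a container label, as an added model that is not kernel code or part of this thread: the first set from "unset" needs no privilege, changing a set value needs CAP_AUDIT_CONTROL, the AUDIT_FEATURE_LOGINUID_IMMUTABLE flag (enabled with `auditctl --loginuid-immutable`) forbids any change, and the value is inherited across fork so everything spawned under a login stays attributable. The feature names come from linux/audit.h; the `struct task` and the fork helper are this model's own simplifications.

```c
/* Added model of the kernel's loginuid change check (kernel/auditsc.c), not the
 * kernel's code. It shows why a once-set audit tag cannot be quietly re-labelled. */
#include <stdbool.h>
#include <errno.h>

#define INVALID_UID ((unsigned int)-1)  /* "unset"; /proc/<pid>/loginuid shows 4294967295 */

/* Modelled audit feature flags (names as in linux/audit.h). */
static bool loginuid_immutable = false;  /* AUDIT_FEATURE_LOGINUID_IMMUTABLE */
static bool only_unset_loginuid = false; /* AUDIT_FEATURE_ONLY_UNSET_LOGINUID */

struct task {
    unsigned int loginuid;    /* INVALID_UID until the login event sets it */
    bool cap_audit_control;   /* whether the task holds CAP_AUDIT_CONTROL */
};

/* Mirrors the kernel's permission check; returns 0 or -EPERM. */
static int loginuid_set_perm(const struct task *t, unsigned int new_uid)
{
    if (t->loginuid == INVALID_UID)
        return 0;                  /* first set needs no privilege */
    if (loginuid_immutable)
        return -EPERM;             /* hard guarantee: never changes once set */
    if (!t->cap_audit_control)
        return -EPERM;             /* changing a set value is privileged */
    if (only_unset_loginuid && new_uid != INVALID_UID)
        return -EPERM;             /* privileged tasks may only clear it */
    return 0;
}

/* Apply the change only if the check passes; the tag otherwise stays put. */
int set_loginuid(struct task *t, unsigned int new_uid)
{
    int rc = loginuid_set_perm(t, new_uid);
    if (rc == 0)
        t->loginuid = new_uid;
    return rc;
}

/* fork(): the child inherits the tag, which is what makes it usable for audit. */
struct task fork_task(const struct task *parent)
{
    struct task child = *parent;
    return child;
}

void set_loginuid_immutable(bool on) { loginuid_immutable = on; }
void set_only_unset_loginuid(bool on) { only_unset_loginuid = on; }
```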