Received: by 10.223.164.221 with SMTP id h29csp2149440wrb;
        Tue, 17 Oct 2017 16:41:09 -0700 (PDT)
X-Google-Smtp-Source: ABhQp+TQLg0jwpRizxrTi6+/dQXxS1OCTMMBMgzj7DimDi0dK0KDjWLwFL4eazjCHo627uPcPb4i
X-Received: by 10.84.142.129 with SMTP id 1mr9725507plx.427.1508283669464;
        Tue, 17 Oct 2017 16:41:09 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1508283669; cv=none;
        d=google.com; s=arc-20160816;
        b=q7b/JJa15kPE+Crj55Iw+uLNx9SNPatcQRNQHVXvjakVyYfZQ5pOwE4EcieJBGAuyv
         LrqmfDMVtZx1mVlJDloBN8wLqyy/Adqvz8WzxdvFKo+L9YSsLy8+TVvj9Dr8MhXK8EyT
         UIp13BhWXqJY9lpveWNqlrtu4OrQ0EyWFUEMjEfB/t0Op5tvvRbeIOr84ePG/rA8OYtg
         xbWpDeYdRtHcamrJZ6iornP2Pb1j/gBWjINpbocawGLeQqhYWSHsZ1igC22uXszoRZpx
         Aggaep2pwj7s1vX9h5BkT0lyj15/KdkK45OKDb1xc9MYi5GhxHYZh6hxrK0boOeY9Eid
         XYog==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :organization:references:in-reply-to:date:cc:to:from:subject
         :message-id:dmarc-filter:arc-authentication-results;
        bh=9haDA7BD0vCuRaFMEAgAmCT+5v7Pf5OqR2WQdiMNAxE=;
        b=YVRZdmN/qtagl5Jbj/jsn1e7Pljhtv4F6741vYAHCI7fKa1FETcXj8ebRXqvXET0pO
         Nu0xQwWZaP0EFIrOUVrvBPjR0cmpOCxbqi98vNuq0cNutVDfV0TMgKFey6AzOOfqHIKg
         +Gt95xxO8eii9V2OBGV84x1Mggeq7KWTUatC4juz1byCM0KvBqpTlmKq6YMqFdod5RDa
         6/QSQRwuajEsn2Ca/YsmlhYVMI2gGSNiRIV3OgK4bvp1Bs6P4Hw5P2hbXnoyu1aSsWuj
         qKvi5sUI7ILqb4ROXEeKg98hCn9gSeqBC93y9JOox55/mBTidzQPwr3FDFcTd4dSyj9c
         2eWg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 102si2254813pld.614.2017.10.17.16.40.55;
        Tue, 17 Oct 2017 16:41:09 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1761801AbdJQMbW (ORCPT <rfc822;vladislav.valtchev@gmail.com>
        + 99 others); Tue, 17 Oct 2017 08:31:22 -0400
Received: from mx1.redhat.com ([209.132.183.28]:5208 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1753116AbdJQMbT (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 17 Oct 2017 08:31:19 -0400
Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mx1.redhat.com (Postfix) with ESMTPS id 694687E428;
        Tue, 17 Oct 2017 12:31:19 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 694687E428
Authentication-Results: ext-mx03.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-Results: ext-mx03.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=simo@redhat.com
Received: from ovpn-116-110.phx2.redhat.com (ovpn-116-110.phx2.redhat.com [10.3.116.110])
        by smtp.corp.redhat.com (Postfix) with ESMTPS id 5132264452;
        Tue, 17 Oct 2017 12:31:10 +0000 (UTC)
Message-ID: <1508243469.6230.24.camel@redhat.com>
Subject: Re: RFC(v2): Audit Kernel Container IDs
From:   Simo Sorce <simo@redhat.com>
To:     Steve Grubb <sgrubb@redhat.com>, linux-audit@redhat.com
Cc:     Richard Guy Briggs <rgb@redhat.com>,
        Casey Schaufler <casey@schaufler-ca.com>, mszeredi@redhat.com,
        "Eric W. Biederman" <ebiederm@xmission.com>, jlayton@redhat.com,
        Carlos O'Donell <carlos@redhat.com>,
        Linux API <linux-api@vger.kernel.org>,
        Linux Containers <containers@lists.linux-foundation.org>,
        Linux Kernel <linux-kernel@vger.kernel.org>,
        Eric Paris <eparis@parisplace.org>,
        David Howells <dhowells@redhat.com>,
        Al Viro <viro@zeniv.linux.org.uk>,
        Andy Lutomirski <luto@kernel.org>,
        Linux Network Development <netdev@vger.kernel.org>,
        Linux FS Devel <linux-fsdevel@vger.kernel.org>,
        cgroups@vger.kernel.org, "Serge E. Hallyn" <serge@hallyn.com>,
        trondmy@primarydata.com
Date:   Tue, 17 Oct 2017 08:31:09 -0400
In-Reply-To: <2319693.5l3M4ZINGd@x2>
References: <20171012141359.saqdtnodwmbz33b2@madcap2.tricolour.ca>
         <75b7d6a6-42ba-2dff-1836-1091c7c024e7@schaufler-ca.com>
         <20171017003340.whjdkqmkw4lydwy7@madcap2.tricolour.ca>
         <2319693.5l3M4ZINGd@x2>
Organization: Red Hat, Inc.
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.27]); Tue, 17 Oct 2017 12:31:19 +0000 (UTC)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, 2017-10-16 at 21:42 -0400, Steve Grubb wrote:
> On Monday, October 16, 2017 8:33:40 PM EDT Richard Guy Briggs wrote:

> > There is such a thing, but the kernel doesn't know about it
> > yet.  This same situation exists for loginuid and sessionid which
> > are userspace concepts that the kernel tracks for the convenience
> > of userspace.  As for its name, I'm not particularly picky, so if
> > you don't like CAP_CONTAINER_* then I'm fine with
> > CAP_AUDIT_CONTAINERID.  It really needs to be distinct from
> > CAP_AUDIT_WRITE and CAP_AUDIT_CONTROL since we don't want to give
> > the ability to set a containerID to any process that is able to do
> > audit logging (such as vsftpd) and similarly we don't want to give
> > the orchestrator the ability to control the setup of the audit
> > daemon.
> 
> A long time ago, we were debating what should guard against rouge
> processes from setting the loginuid. Casey argued that the ability to
> set the loginuid means they have the ability to control the audit
> trail. That means that it should be guarded by CAP_AUDIT_CONTROL. I
> think the same logic applies today. 

The difference is that with loginuid you needed to give processes able
to audit also the ability to change it. You do not want to tie the
ability to change container ids to the ability to audit. You want to be
able to do audit stuff (within the container) without allowing it to
change the container id.
Of course if we made container id a write-once property maybe there is
no need for controls at all, but I'm pretty sure there will be
situations where write-once may not be usable in practice.

> The ability to arbitrarily set a container ID means the process has
> the ability to indirectly control the audit trail.

The container Id can be used also for authorization purposes (by other
processes on the host), not just audit, I think this is why a separate
control has been proposed.

Simo.

-- 
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc


From 1581499579445765404@xxx Tue Oct 17 10:18:50 +0000 2017
X-GM-THRID: 1581061469540113612
X-Gmail-Labels: Inbox,Category Forums