Received: by 10.223.164.221 with SMTP id h29csp1921408wrb; Thu, 12 Oct 2017 08:46:26 -0700 (PDT) X-Google-Smtp-Source: AOwi7QAXaE8kWpdXP5k4DA/iGU2It/y9qj/zOU3Tc0MMkKUFDQQPRxRAs/gVrHrq1zSQmJTGqP4S X-Received: by 10.99.117.74 with SMTP id f10mr573777pgn.27.1507823186334; Thu, 12 Oct 2017 08:46:26 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1507823186; cv=none; d=google.com; s=arc-20160816; b=ZaanxVp8TJ3lZHfN7rJ0Jsw0GkkQP18DpzmR4168DrESu0n/SZiOPkt2oAFuTwtqD5 N6XeqlIXv1xGuCRd7djmxtoq6ad7b5q52vlvVNAp3bmMi2h57MLIQS2nWZqjQ/bj1+tf Msvgnd2QeBXj+R9ZMaGs7sh0qFjF6LH0bMvApQ0M3UR/vKlMVsGptcc9OGPvHig/zJsn jX+U3K9eKIQF7u64qL9anhzWbIM0Yj4WzNF74z2BXryIZaEbtvDvEU7XCCv+Aog2mGaW zNk2Lu02eolXOs8t9VapWCrLYVyih1G3/HILJ1HgV3toBpHem2yZ+bxe/9n6fWI8xJCt A2vQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:organization:message-id:date:subject:cc:to :from:dmarc-filter:arc-authentication-results; bh=sxZkbLzGBr2ojX/W2WSTZCtyWLzzorsg1zU41wwWeD8=; b=nzu7sdXBBNIio938/DHABEp2Q19zEgvySusgZ66qBvZ6gzXBZJh12I7f/6nTwzSY7O Ag9ovVh2HGNmcV3PPf5FuTWKITlWpezBypMzHeqX+QhjI4qy61mIVIXMboWPnO3XEtjG 5CRHhQWHWKM5pGiW40miwUMW8nqo8DweIlIlzP5/tSBmly2kUZgxU/RgZA5oKxiyertr nEaKklD+VrpdQtJKHdL/IZ91pycyjAgrRpNHVrlb3sfkNS3xQMqfwquO7pAvugsc+/Hh /cGmZ3bujUhQ02aMpYshxQmJPb3wlyKo+AcOamZp8Mhuz+LpxNDad/BE2fg00SHTQ14n aVpw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 198si5039998pgd.292.2017.10.12.08.46.10; Thu, 12 Oct 2017 08:46:26 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752687AbdJLPpl (ORCPT + 99 others); Thu, 12 Oct 2017 11:45:41 -0400 Received: from mx1.redhat.com ([209.132.183.28]:37910 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751119AbdJLPpj (ORCPT ); Thu, 12 Oct 2017 11:45:39 -0400 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 014582D0FA6; Thu, 12 Oct 2017 15:45:38 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 014582D0FA6 Authentication-Results: ext-mx05.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx05.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=sgrubb@redhat.com Received: from x2.localnet (ovpn-123-161.rdu2.redhat.com [10.10.123.161]) by smtp.corp.redhat.com (Postfix) with ESMTPS id D384F5C550; Thu, 12 Oct 2017 15:45:25 +0000 (UTC) From: Steve Grubb To: Richard Guy Briggs Cc: cgroups@vger.kernel.org, Linux Containers , Linux API , Linux Audit , Linux FS Devel , Linux Kernel , Linux Network Development , Simo Sorce , Carlos O'Donell , Aristeu Rozanski , David Howells , "Eric W. Biederman" , Eric Paris , jlayton@redhat.com, Andy Lutomirski , mszeredi@redhat.com, Paul Moore , "Serge E. Hallyn" , trondmy@primarydata.com, Al Viro Subject: Re: RFC(v2): Audit Kernel Container IDs Date: Thu, 12 Oct 2017 11:45:24 -0400 Message-ID: <2307769.VGpzlLa4Dp@x2> Organization: Red Hat In-Reply-To: <20171012141359.saqdtnodwmbz33b2@madcap2.tricolour.ca> References: <20171012141359.saqdtnodwmbz33b2@madcap2.tricolour.ca> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.29]); Thu, 12 Oct 2017 15:45:38 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thursday, October 12, 2017 10:14:00 AM EDT Richard Guy Briggs wrote: > Containers are a userspace concept. The kernel knows nothing of them. > > The Linux audit system needs a way to be able to track the container > provenance of events and actions. Audit needs the kernel's help to do > this. > > Since the concept of a container is entirely a userspace concept, a > registration from the userspace container orchestration system initiates > this. This will define a point in time and a set of resources > associated with a particular container with an audit container ID. The requirements for common criteria around containers should be very closely modeled on the requirements for virtualization. It would be the container manager that is responsible for logging the resource assignment events. > The registration is a pseudo filesystem (proc, since PID tree already > exists) write of a u8[16] UUID representing the container ID to a file > representing a process that will become the first process in a new > container. This write might place restrictions on mount namespaces > required to define a container, or at least careful checking of > namespaces in the kernel to verify permissions of the orchestrator so it > can't change its own container ID. A bind mount of nsfs may be > necessary in the container orchestrator's mntNS. > Note: Use a 128-bit scalar rather than a string to make compares faster > and simpler. > > Require a new CAP_CONTAINER_ADMIN to be able to carry out the > registration. Wouldn't CAP_AUDIT_WRITE be sufficient? After all, this is for auditing. > At that time, record the target container's user-supplied > container identifier along with the target container's first process > (which may become the target container's "init" process) process ID > (referenced from the initial PID namespace), all namespace IDs (in the > form of a nsfs device number and inode number tuple) in a new auxilliary > record AUDIT_CONTAINER with a qualifying op=$action field. This would be in addition to the normal audit fields. > Issue a new auxilliary record AUDIT_CONTAINER_INFO for each valid > container ID present on an auditable action or event. > > Forked and cloned processes inherit their parent's container ID, > referenced in the process' task_struct. > > Mimic setns(2) and return an error if the process has already initiated > threading or forked since this registration should happen before the > process execution is started by the orchestrator and hence should not > yet have any threads or children. If this is deemed overly restrictive, > switch all threads and children to the new containerID. > > Trust the orchestrator to judiciously use and restrict CAP_CONTAINER_ADMIN. > > Log the creation of every namespace, inheriting/adding its spawning > process' containerID(s), if applicable. Include the spawning and > spawned namespace IDs (device and inode number tuples). > [AUDIT_NS_CREATE, AUDIT_NS_DESTROY] [clone(2), unshare(2), setns(2)] > Note: At this point it appears only network namespaces may need to track > container IDs apart from processes since incoming packets may cause an > auditable event before being associated with a process. > > Log the destruction of every namespace when it is no longer used by any > process, include the namespace IDs (device and inode number tuples). > [AUDIT_NS_DESTROY] [process exit, unshare(2), setns(2)] In the virtualization requirements, we only log removal of resources when something is removed by intention. If the VM shuts down, the manager issues a VIRT_CONTROL stop event and the user space utilities knows this means all resources have been unassigned. > Issue a new auxilliary record AUDIT_NS_CHANGE listing (opt: op=$action) > the parent and child namespace IDs for any changes to a process' > namespaces. [setns(2)] > Note: It may be possible to combine AUDIT_NS_* record formats and > distinguish them with an op=$action field depending on the fields > required for each message type. > > When a container ceases to exist because the last process in that > container has exited and hence the last namespace has been destroyed and > its refcount dropping to zero, log the fact. > (This latter is likely needed for certification accountability.) A > container object may need a list of processes and/or namespaces. > > A namespace cannot directly migrate from one container to another but > could be assigned to a newly spawned container. A namespace can be > moved from one container to another indirectly by having that namespace > used in a second process in another container and then ending all the > processes in the first container. I'm thinking that there needs to be a clear delineation between what the container manager is responsible for and what the kernel needs to do. The kernel needs the registration system and to associate an identifier with events inside the container. But would the container manager be mostly responsible for auditing the events described here: https://github.com/linux-audit/audit-documentation/wiki/SPEC-Virtualization-Manager-Guest-Lifecycle-Events Also, we can already audit exit, unshare, setns, and clone. If the kernel just sticks the identifier on them, isn't that sufficient? -Steve > (v2) > - switch from u64 to u128 UUID > - switch from "signal" and "trigger" to "register" > - restrict registration to single process or force all threads and children > into same container > > - RGB > > -- > Richard Guy Briggs > Sr. S/W Engineer, Kernel Security, Base Operating Systems > Remote, Ottawa, Red Hat Canada > IRC: rgb, SunRaycer > Voice: +1.647.777.2635, Internal: (81) 32635 From 1581061469540113612@xxx Thu Oct 12 14:15:16 +0000 2017 X-GM-THRID: 1581061469540113612 X-Gmail-Labels: Inbox,Category Forums