From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1423437AbbEOCLb (ORCPT ); Thu, 14 May 2015 22:11:31 -0400 Received: from mx1.redhat.com ([209.132.183.28]:36399 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1423169AbbEOCLa (ORCPT ); Thu, 14 May 2015 22:11:30 -0400 Date: Thu, 14 May 2015 22:11:26 -0400 From: Richard Guy Briggs To: Oren Laadan Cc: Steve Grubb , linux-api@vger.kernel.org, Linux Containers , linux-kernel , viro@zeniv.linux.org.uk, pmoore@redhat.com, linux-audit@redhat.com, netdev@vger.kernel.org, linux-fsdevel@vger.kernel.org, eparis@parisplace.org, zohar@linux.vnet.ibm.com, Eric Biederman Subject: Re: [PATCH V6 05/10] audit: log creation and deletion of namespace instances Message-ID: <20150515021126.GA965@madcap2.tricolour.ca> References: <2487286.y6vyJ9A3er@x2> <20150512195759.GA9832@madcap2.tricolour.ca> <2918460.dpKocsKt4o@x2> <20150515004855.GB10526@madcap2.tricolour.ca> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 15/05/14, Oren Laadan wrote: > On Thu, May 14, 2015 at 8:48 PM, Richard Guy Briggs wrote: > > > > > > > > Recording each instance of a name space is giving me something that I > > > > > cannot use to do queries required by the security target. Given these > > > > > events, how do I locate a web server event where it accesses a > > watched > > > > > file? That authentication failed? That an update within the container > > > > > failed? > > > > > > > > > > The requirements are that we have to log the creation, suspension, > > > > > migration, and termination of a container. The requirements are not > > on > > > > > the individual name space. > > > > > > > > Ok. Do we have a robust definition of a container? > > > > > > We call the combination of name spaces, cgroups, and seccomp rules a > > > container. > > > > Can you detail what information is required from each? > > > > > > Where is that definition managed? > > > > > > In the thing that invokes a container. > > > > I was looking for a reference to a standards document rather than an > > application... > > > > > [focusing on "containers id" - snipped the rest away] > > I am unfamiliar with the audit subsystem, but work with namespaces in other > contexts. Perhaps the term "container" is overloaded here. The definition > suggested by Steve in this thread makes sense to me: "a combination of > namespaces". I imagine people may want to audit subsets of namespaces. I assume it would be a bit more than that, including cgroup and seccomp info. > For namespaces, can use a string like "A:B:C:D:E:F" as an identifier for a > particular combination, where A-F are respective namespaces identifiers. > (Can be taken for example from /proc/PID/ns/{mnt,uts,ipc,user,pid,net}). > That will even be grep-able to locate records related to a particular > subset > of namespaces. So a "container" in the classic meaning would have all A-F > unique and different from the init process, but processes separated only by > e.g. mnt-ns and net-ns will differ from the init process in A and F. > > (If a string is a no go, then perhaps combine the IDs in a unique way into a > super ID). I'd be fine with either, even including the nsfs deviceID. > Oren. - RGB -- Richard Guy Briggs Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545 From mboxrd@z Thu Jan 1 00:00:00 1970 From: Richard Guy Briggs Subject: Re: [PATCH V6 05/10] audit: log creation and deletion of namespace instances Date: Thu, 14 May 2015 22:11:26 -0400 Message-ID: <20150515021126.GA965@madcap2.tricolour.ca> References: <2487286.y6vyJ9A3er@x2> <20150512195759.GA9832@madcap2.tricolour.ca> <2918460.dpKocsKt4o@x2> <20150515004855.GB10526@madcap2.tricolour.ca> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: Steve Grubb , linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, Linux Containers , linux-kernel , viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org, pmoore-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org, linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org, netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, eparis-FjpueFixGhCM4zKIHC2jIg@public.gmane.org, zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org, Eric Biederman To: Oren Laadan Return-path: Content-Disposition: inline In-Reply-To: Sender: linux-api-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org List-Id: netdev.vger.kernel.org On 15/05/14, Oren Laadan wrote: > On Thu, May 14, 2015 at 8:48 PM, Richard Guy Briggs wrote: > > > > > > > > Recording each instance of a name space is giving me something that I > > > > > cannot use to do queries required by the security target. Given these > > > > > events, how do I locate a web server event where it accesses a > > watched > > > > > file? That authentication failed? That an update within the container > > > > > failed? > > > > > > > > > > The requirements are that we have to log the creation, suspension, > > > > > migration, and termination of a container. The requirements are not > > on > > > > > the individual name space. > > > > > > > > Ok. Do we have a robust definition of a container? > > > > > > We call the combination of name spaces, cgroups, and seccomp rules a > > > container. > > > > Can you detail what information is required from each? > > > > > > Where is that definition managed? > > > > > > In the thing that invokes a container. > > > > I was looking for a reference to a standards document rather than an > > application... > > > > > [focusing on "containers id" - snipped the rest away] > > I am unfamiliar with the audit subsystem, but work with namespaces in other > contexts. Perhaps the term "container" is overloaded here. The definition > suggested by Steve in this thread makes sense to me: "a combination of > namespaces". I imagine people may want to audit subsets of namespaces. I assume it would be a bit more than that, including cgroup and seccomp info. > For namespaces, can use a string like "A:B:C:D:E:F" as an identifier for a > particular combination, where A-F are respective namespaces identifiers. > (Can be taken for example from /proc/PID/ns/{mnt,uts,ipc,user,pid,net}). > That will even be grep-able to locate records related to a particular > subset > of namespaces. So a "container" in the classic meaning would have all A-F > unique and different from the init process, but processes separated only by > e.g. mnt-ns and net-ns will differ from the init process in A and F. > > (If a string is a no go, then perhaps combine the IDs in a unique way into a > super ID). I'd be fine with either, even including the nsfs deviceID. > Oren. - RGB -- Richard Guy Briggs Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545