From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
To: Richard Guy Briggs <rgb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Cc: mszeredi-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
trondmy-7I+n7zu2hftEKMMhf/gKZA@public.gmane.org,
Andy Lutomirski <luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
Carlos O'Donell <carlos-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
Linux API <linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Linux Containers
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
Paul Moore <pmoore-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
Linux Kernel
<linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Eric Paris <eparis-FjpueFixGhCM4zKIHC2jIg@public.gmane.org>,
Al Viro <viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org>,
David Howells <dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
Linux Audit <linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
Simo Sorce <simo-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
Linux Network Development
<netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Linux FS Devel
<linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Steve Grubb <sgrubb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Subject: Re: RFC(v2): Audit Kernel Container IDs
Date: Thu, 12 Oct 2017 12:59:57 -0500 [thread overview]
Message-ID: <8760bkxn4y.fsf@xmission.com> (raw)
In-Reply-To: <20171012141359.saqdtnodwmbz33b2-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org> (Richard Guy Briggs's message of "Thu, 12 Oct 2017 10:14:00 -0400")
Richard Guy Briggs <rgb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> writes:
> A namespace cannot directly migrate from one container to another but
> could be assigned to a newly spawned container. A namespace can be
> moved from one container to another indirectly by having that namespace
> used in a second process in another container and then ending all the
> processes in the first container.
Ugh no. The semantics here are way too mushy. We need a clean crisp
unambiguous definition or it will be impossible to get this correct and
impossible to use for any security purpose.
I understand the challenge. Some of the container managers share
namespaces between containers. Leading to things that are not really
contained.
Please make this concept like an indellibale die. Once you are stained
with it you can not escape. If you don't meet all of the criteria you
aren't stained.
The justification that I heard, and that seems legitimate is that it is
not timely and it is hard to make the connection between the distinct
unshare, setns, and clone events and what is happening in the kernel.
With that justification definitely the network namespace needs to be
stained if it is appropriate.
I also don't see why this can't be a special dedicated audit message.
I just looked at the code in the kernel and nlmsg_type is a u16. There
are only a handful of audit message types defined. There is absolutely
no reason to bring proc into this.
I have the same reservation as the others about defining a new cap for
this. It should be enough to make setting the container id a one time
thing for a set of processes and namespaces.
If this is going to be security it needs to be very simple and very well defined.
Eric
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm@xmission.com (Eric W. Biederman)
To: Richard Guy Briggs <rgb@redhat.com>
Cc: cgroups@vger.kernel.org,
Linux Containers <containers@lists.linux-foundation.org>,
Linux API <linux-api@vger.kernel.org>,
Linux Audit <linux-audit@redhat.com>,
Linux FS Devel <linux-fsdevel@vger.kernel.org>,
Linux Kernel <linux-kernel@vger.kernel.org>,
Linux Network Development <netdev@vger.kernel.org>,
Simo Sorce <simo@redhat.com>,
"Carlos O'Donell" <carlos@redhat.com>,
Aristeu Rozanski <arozansk@redhat.com>,
David Howells <dhowells@redhat.com>,
Eric Paris <eparis@parisplace.org>,
jlayton@redhat.com, Andy Lutomirski <luto@kernel.org>,
mszeredi@redhat.com, Paul Moore <pmoore@redhat.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
Steve Grubb <sgrubb@redhat.com>,
trondmy@primarydata.com, Al Viro <viro@zeniv.linux.org.uk>
Subject: Re: RFC(v2): Audit Kernel Container IDs
Date: Thu, 12 Oct 2017 12:59:57 -0500 [thread overview]
Message-ID: <8760bkxn4y.fsf@xmission.com> (raw)
In-Reply-To: <20171012141359.saqdtnodwmbz33b2@madcap2.tricolour.ca> (Richard Guy Briggs's message of "Thu, 12 Oct 2017 10:14:00 -0400")
Richard Guy Briggs <rgb@redhat.com> writes:
> A namespace cannot directly migrate from one container to another but
> could be assigned to a newly spawned container. A namespace can be
> moved from one container to another indirectly by having that namespace
> used in a second process in another container and then ending all the
> processes in the first container.
Ugh no. The semantics here are way too mushy. We need a clean crisp
unambiguous definition or it will be impossible to get this correct and
impossible to use for any security purpose.
I understand the challenge. Some of the container managers share
namespaces between containers. Leading to things that are not really
contained.
Please make this concept like an indellibale die. Once you are stained
with it you can not escape. If you don't meet all of the criteria you
aren't stained.
The justification that I heard, and that seems legitimate is that it is
not timely and it is hard to make the connection between the distinct
unshare, setns, and clone events and what is happening in the kernel.
With that justification definitely the network namespace needs to be
stained if it is appropriate.
I also don't see why this can't be a special dedicated audit message.
I just looked at the code in the kernel and nlmsg_type is a u16. There
are only a handful of audit message types defined. There is absolutely
no reason to bring proc into this.
I have the same reservation as the others about defining a new cap for
this. It should be enough to make setting the container id a one time
thing for a set of processes and namespaces.
If this is going to be security it needs to be very simple and very well defined.
Eric
next prev parent reply other threads:[~2017-10-12 17:59 UTC|newest]
Thread overview: 94+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-12 14:14 RFC(v2): Audit Kernel Container IDs Richard Guy Briggs
2017-10-12 14:14 ` Richard Guy Briggs
2017-10-12 15:45 ` Steve Grubb
2017-10-19 19:57 ` Richard Guy Briggs
2017-10-19 19:57 ` Richard Guy Briggs
[not found] ` <20171019195747.4ssujtaj3f5ipsoh-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2017-10-19 23:11 ` Aleksa Sarai
2017-10-19 23:11 ` Aleksa Sarai
2017-10-19 23:11 ` Aleksa Sarai
2017-10-19 23:15 ` Aleksa Sarai
[not found] ` <8f495870-dd6c-23b9-b82b-4228a441c729-l3A5Bk7waGM@public.gmane.org>
2017-10-19 23:15 ` Aleksa Sarai
2017-10-20 2:25 ` Steve Grubb
2017-10-20 2:25 ` Steve Grubb
2017-10-20 2:25 ` Steve Grubb
2017-10-19 19:57 ` Richard Guy Briggs
[not found] ` <20171012141359.saqdtnodwmbz33b2-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2017-10-12 15:45 ` Steve Grubb
2017-10-12 16:33 ` Casey Schaufler
2017-10-12 17:59 ` Eric W. Biederman [this message]
2017-10-12 17:59 ` Eric W. Biederman
2017-10-13 13:43 ` Alan Cox
2017-10-12 16:33 ` Casey Schaufler
2017-10-12 16:33 ` Casey Schaufler
2017-10-17 0:33 ` Richard Guy Briggs
2017-10-17 1:10 ` Casey Schaufler
[not found] ` <81c15928-c445-fb8e-251c-bee566fbbf58-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2017-10-19 0:05 ` Richard Guy Briggs
2017-10-19 0:05 ` Richard Guy Briggs
2017-10-19 0:05 ` Richard Guy Briggs
[not found] ` <20171019000527.eio6dfsmujmtioyt-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2017-10-19 13:32 ` Casey Schaufler
2017-10-19 13:32 ` Casey Schaufler
2017-10-19 13:32 ` Casey Schaufler
2017-10-19 15:51 ` Paul Moore
[not found] ` <18cb69a5-f998-0e6e-85df-7f4b9b768a6f-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2017-10-19 15:51 ` Paul Moore
[not found] ` <20171017003340.whjdkqmkw4lydwy7-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2017-10-17 1:10 ` Casey Schaufler
2017-10-17 1:42 ` Steve Grubb
2017-10-17 1:42 ` Steve Grubb
2017-10-17 12:31 ` Simo Sorce
2017-10-17 14:59 ` Casey Schaufler
[not found] ` <a07968f6-fef1-f49d-01f1-6c660c0ada20-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2017-10-17 15:28 ` Simo Sorce
2017-10-17 15:28 ` Simo Sorce
2017-10-17 15:28 ` Simo Sorce
2017-10-17 15:44 ` James Bottomley
2017-10-17 15:44 ` James Bottomley
2017-10-17 16:43 ` Casey Schaufler
2017-10-17 17:15 ` Steve Grubb
2017-10-17 17:57 ` James Bottomley
2017-10-17 17:57 ` James Bottomley
[not found] ` <1508263063.3129.35.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2017-10-18 0:23 ` Steve Grubb
2017-10-18 0:23 ` Steve Grubb
[not found] ` <eb96144d-4ab5-7f9f-de18-b296db35a00a-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2017-10-17 17:15 ` Steve Grubb
[not found] ` <1508255091.3129.27.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2017-10-17 16:43 ` Casey Schaufler
2017-10-18 20:56 ` Paul Moore
2017-10-18 20:56 ` Paul Moore
[not found] ` <CAHC9VhRV9m6-APj3ofMQc22rL-WUoDzB8-urUxryszjCHHHLTg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-10-18 23:46 ` Aleksa Sarai
2017-10-18 23:46 ` Aleksa Sarai
[not found] ` <49752b6f-8a77-d1e5-8acb-5a1eed0a992c-l3A5Bk7waGM@public.gmane.org>
2017-10-19 0:43 ` Eric W. Biederman
2017-10-19 0:43 ` Eric W. Biederman
2017-10-19 0:43 ` Eric W. Biederman
2017-10-19 15:36 ` Paul Moore
2017-10-19 15:36 ` Paul Moore
2017-10-19 16:25 ` Eric W. Biederman
2017-10-19 16:25 ` Eric W. Biederman
2017-10-19 17:47 ` Paul Moore
[not found] ` <87y3o7gl5l.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2017-10-19 17:47 ` Paul Moore
[not found] ` <CAHC9VhTYF-MJm3ejWXE1H-eeXKaNBkeWKwdiKdj093xATYn7nQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-10-19 16:25 ` Eric W. Biederman
[not found] ` <871sm0j7bm.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2017-10-19 15:36 ` Paul Moore
[not found] ` <1508254120.6230.34.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-10-17 15:44 ` James Bottomley
2017-10-17 16:10 ` Casey Schaufler
2017-10-17 16:10 ` Casey Schaufler
2017-10-18 19:58 ` Paul Moore
[not found] ` <1508243469.6230.24.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-10-17 14:59 ` Casey Schaufler
2017-10-18 19:58 ` Paul Moore
2017-10-17 12:31 ` Simo Sorce
[not found] ` <75b7d6a6-42ba-2dff-1836-1091c7c024e7-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2017-10-17 0:33 ` Richard Guy Briggs
2017-12-09 10:20 ` Mickaël Salaün
2017-12-09 10:20 ` Mickaël Salaün
2017-12-09 10:20 ` Mickaël Salaün
2017-12-09 18:28 ` Casey Schaufler
2017-12-09 18:28 ` Casey Schaufler
2017-12-09 18:28 ` Casey Schaufler
2017-12-11 16:30 ` Eric Paris
2017-12-11 16:52 ` Casey Schaufler
[not found] ` <1513009857.6310.337.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-12-11 16:52 ` Casey Schaufler
2017-12-11 19:37 ` Steve Grubb
2017-12-11 19:37 ` Steve Grubb
2017-12-11 19:37 ` Steve Grubb
[not found] ` <f8ea78be-9bbf-2967-7b12-ac93bb85b0bc-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2017-12-11 16:30 ` Eric Paris
2017-12-11 15:10 ` Richard Guy Briggs
2017-12-11 15:10 ` Richard Guy Briggs
2017-12-11 15:10 ` Richard Guy Briggs
[not found] ` <7ebca85a-425c-2b95-9a5f-59d81707339e-WFhQfpSGs3bR7s880joybQ@public.gmane.org>
2017-12-09 18:28 ` Casey Schaufler
2017-12-11 15:10 ` Richard Guy Briggs
2017-10-13 13:43 ` Alan Cox
2017-10-13 13:43 ` Alan Cox
2017-10-13 13:43 ` Alan Cox
-- strict thread matches above, loose matches on Subject: below --
2017-10-12 14:14 Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8760bkxn4y.fsf@xmission.com \
--to=ebiederm-as9lmozglivwk0htik3j/w@public.gmane.org \
--cc=carlos-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=eparis-FjpueFixGhCM4zKIHC2jIg@public.gmane.org \
--cc=jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
--cc=mszeredi-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=pmoore-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=rgb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=sgrubb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=simo-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=trondmy-7I+n7zu2hftEKMMhf/gKZA@public.gmane.org \
--cc=viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.