From: ebiederm@xmission.com (Eric W. Biederman)
To: Steve Grubb <sgrubb@redhat.com>
Cc: Richard Guy Briggs <rgb@redhat.com>,
containers@lists.linux-foundation.org,
linux-kernel@vger.kernel.org, linux-audit@redhat.com,
eparis@parisplace.org, pmoore@redhat.com, arozansk@redhat.com,
serge@hallyn.com, zohar@linux.vnet.ibm.com,
viro@zeniv.linux.org.uk, linux-fsdevel@vger.kernel.org,
linux-api@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH V6 05/10] audit: log creation and deletion of namespace instances
Date: Thu, 14 May 2015 10:42:38 -0500 [thread overview]
Message-ID: <87iobvnp1t.fsf@x220.int.ebiederm.org> (raw)
In-Reply-To: <2918460.dpKocsKt4o@x2> (Steve Grubb's message of "Thu, 14 May 2015 10:57:14 -0400")
Steve Grubb <sgrubb@redhat.com> writes:
> On Tuesday, May 12, 2015 03:57:59 PM Richard Guy Briggs wrote:
>> On 15/05/05, Steve Grubb wrote:
>> > I think there needs to be some more discussion around this. It seems like
>> > this is not exactly recording things that are useful for audit.
>>
>> It seems to me that either audit has to assemble that information, or
>> the kernel has to do so. The kernel doesn't know about containers
>> (yet?).
>
> Auditing is something that has a lot of requirements imposed on it by security
> standards. There was no requirement to have an auid until audit came along and
> said that uid is not good enough to know who is issuing commands because of su
> or sudo. There was no requirement for sessionid until we had to track each
> action back to a login so we could see if the login came from the expected
> place.
Stop right there.
You want a global identifier in a realm where only relative identifiers
exist, and make sense.
I am sorry that isn't going to happen. EVER.
Square peg, round hole. It doesn't work, it doesn't make sense, and
most especially it doesn't allow anyone to reconstruct anything, because
it does not make sense and does not match what the kernel is doing.
Container IDs do not, and will not exist. There is probably something
reasonable in your request but until you stop talking that nonsense I
can't see it.
Global IDs take us into the namespace of namespaces problem and that
isn't going to happen. I have already bent as far in this direction as
I can go. Further namespace creation is not a privileged event which
makes the requestion for a container ID make even less sense. With
anyone able to create whatever they want it will not be a identifier
that makes any sense to someone reading an audit log.
Eric
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
To: Steve Grubb <sgrubb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Cc: Richard Guy Briggs <rgb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
eparis-FjpueFixGhCM4zKIHC2jIg@public.gmane.org,
pmoore-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
arozansk-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org,
zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org,
viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org,
linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [PATCH V6 05/10] audit: log creation and deletion of namespace instances
Date: Thu, 14 May 2015 10:42:38 -0500 [thread overview]
Message-ID: <87iobvnp1t.fsf@x220.int.ebiederm.org> (raw)
In-Reply-To: <2918460.dpKocsKt4o@x2> (Steve Grubb's message of "Thu, 14 May 2015 10:57:14 -0400")
Steve Grubb <sgrubb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> writes:
> On Tuesday, May 12, 2015 03:57:59 PM Richard Guy Briggs wrote:
>> On 15/05/05, Steve Grubb wrote:
>> > I think there needs to be some more discussion around this. It seems like
>> > this is not exactly recording things that are useful for audit.
>>
>> It seems to me that either audit has to assemble that information, or
>> the kernel has to do so. The kernel doesn't know about containers
>> (yet?).
>
> Auditing is something that has a lot of requirements imposed on it by security
> standards. There was no requirement to have an auid until audit came along and
> said that uid is not good enough to know who is issuing commands because of su
> or sudo. There was no requirement for sessionid until we had to track each
> action back to a login so we could see if the login came from the expected
> place.
Stop right there.
You want a global identifier in a realm where only relative identifiers
exist, and make sense.
I am sorry that isn't going to happen. EVER.
Square peg, round hole. It doesn't work, it doesn't make sense, and
most especially it doesn't allow anyone to reconstruct anything, because
it does not make sense and does not match what the kernel is doing.
Container IDs do not, and will not exist. There is probably something
reasonable in your request but until you stop talking that nonsense I
can't see it.
Global IDs take us into the namespace of namespaces problem and that
isn't going to happen. I have already bent as far in this direction as
I can go. Further namespace creation is not a privileged event which
makes the requestion for a container ID make even less sense. With
anyone able to create whatever they want it will not be a identifier
that makes any sense to someone reading an audit log.
Eric
next prev parent reply other threads:[~2015-05-14 15:47 UTC|newest]
Thread overview: 124+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-04-17 7:35 [PATCH V6 00/10] namespaces: log namespaces per task Richard Guy Briggs
2015-04-17 7:35 ` Richard Guy Briggs
2015-04-17 7:35 ` [PATCH V6 08/10] fork: audit on creation of new namespace(s) Richard Guy Briggs
[not found] ` <cover.1429252659.git.rgb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-04-17 7:35 ` [PATCH V6 01/10] namespaces: expose ns_entries Richard Guy Briggs
2015-04-17 7:35 ` Richard Guy Briggs
2015-04-17 7:35 ` [PATCH V6 02/10] proc_ns: define PROC_*_INIT_INO in terms of PROC_DYNAMIC_FIRST Richard Guy Briggs
2015-04-17 7:35 ` Richard Guy Briggs
2015-04-17 7:35 ` [PATCH V6 03/10] audit: log namespace ID numbers Richard Guy Briggs
2015-04-17 7:35 ` Richard Guy Briggs
2015-04-17 7:35 ` [PATCH V6 04/10] audit: initialize at subsystem time rather than device time Richard Guy Briggs
2015-04-17 7:35 ` Richard Guy Briggs
2015-04-17 7:35 ` [PATCH V6 05/10] audit: log creation and deletion of namespace instances Richard Guy Briggs
2015-04-17 7:35 ` Richard Guy Briggs
[not found] ` <11270b0b1afd0a25b108915673e1e1b38dfeeafa.1429252659.git.rgb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-05-05 14:22 ` Steve Grubb
2015-05-05 14:22 ` Steve Grubb
2015-05-05 14:31 ` Aristeu Rozanski
2015-05-05 14:31 ` Aristeu Rozanski
[not found] ` <20150505143119.GA4350-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-05-05 14:46 ` Steve Grubb
2015-05-05 14:46 ` Steve Grubb
2015-05-05 14:56 ` Eric W. Biederman
2015-05-05 14:56 ` Eric W. Biederman
[not found] ` <87pp6fhy4c.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2015-05-05 15:16 ` Steve Grubb
2015-05-05 15:16 ` Steve Grubb
2015-05-12 19:57 ` Richard Guy Briggs
2015-05-12 19:57 ` Richard Guy Briggs
[not found] ` <20150512195759.GA9832-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2015-05-14 14:57 ` Steve Grubb
2015-05-14 14:57 ` Steve Grubb
2015-05-14 14:57 ` Steve Grubb
2015-05-14 15:12 ` LC Bruzenak
2015-05-14 15:42 ` Eric W. Biederman [this message]
2015-05-14 15:42 ` Eric W. Biederman
[not found] ` <87iobvnp1t.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2015-05-14 16:21 ` Steve Grubb
2015-05-14 16:21 ` Steve Grubb
2015-05-14 16:36 ` LC Bruzenak
2015-05-15 2:03 ` Richard Guy Briggs
2015-05-15 2:03 ` Richard Guy Briggs
2015-05-15 2:03 ` Richard Guy Briggs
2015-05-14 15:42 ` Eric W. Biederman
2015-05-14 19:19 ` Paul Moore
2015-05-15 1:31 ` Eric W. Biederman
2015-05-15 1:31 ` Eric W. Biederman
2015-05-15 1:31 ` Eric W. Biederman
[not found] ` <87bnhmbp8e.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2015-05-15 2:25 ` Richard Guy Briggs
2015-05-15 13:17 ` Steve Grubb
2015-05-15 21:01 ` Paul Moore
2015-05-15 2:25 ` Richard Guy Briggs
2015-05-15 13:17 ` Steve Grubb
2015-05-15 13:17 ` Steve Grubb
2015-05-15 14:51 ` Eric W. Biederman
2015-05-15 14:51 ` Eric W. Biederman
2015-05-15 21:01 ` Paul Moore
2015-05-15 2:32 ` Richard Guy Briggs
[not found] ` <20150515023221.GC965-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2015-05-15 6:23 ` Andy Lutomirski
2015-05-15 6:23 ` Andy Lutomirski
2015-05-15 6:23 ` Andy Lutomirski
[not found] ` <CALCETrWzM4+Vs8OVJWBcWJfbR_DRSb+e7SmUyy6CS4sHQaTkRw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-05-15 12:38 ` Steve Grubb
2015-05-15 12:38 ` Steve Grubb
2015-05-15 13:17 ` Andy Lutomirski
2015-05-15 13:17 ` Andy Lutomirski
2015-05-15 21:05 ` Paul Moore
2015-05-15 21:05 ` Paul Moore
2015-05-16 9:46 ` Daniel J Walsh
2015-05-16 9:46 ` Daniel J Walsh
2015-05-16 12:16 ` Paul Moore
2015-05-16 14:46 ` Eric W. Biederman
2015-05-16 14:46 ` Eric W. Biederman
2015-05-16 14:46 ` Eric W. Biederman
[not found] ` <87r3qgpol6.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2015-05-16 22:49 ` Paul Moore
2015-05-16 22:49 ` Paul Moore
2015-05-16 22:49 ` Paul Moore
2015-05-19 13:09 ` Richard Guy Briggs
[not found] ` <20150519130911.GB20131-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2015-05-19 14:27 ` Paul Moore
2015-05-19 14:27 ` Paul Moore
[not found] ` <CAHC9VhQs6pxFC3dvZic5XzuJr1xdJZyPjXdBoipwY3OOkng0ng-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-05-19 13:09 ` Richard Guy Briggs
[not found] ` <CAHC9VhRKSK9=9qPF3dgALS=x1g3LinNeQvuhNV5TvQ=D7Szuag-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-05-16 14:46 ` Eric W. Biederman
[not found] ` <555711FA.50703-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-05-16 12:16 ` Paul Moore
2015-05-15 2:32 ` Richard Guy Briggs
2015-05-14 19:19 ` Paul Moore
2015-05-15 0:48 ` Richard Guy Briggs
2015-05-15 0:48 ` Richard Guy Briggs
2015-05-15 0:48 ` Richard Guy Briggs
2015-05-15 20:26 ` Paul Moore
[not found] ` <20150515004855.GB10526-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2015-05-15 1:10 ` Oren Laadan
2015-05-15 2:11 ` Richard Guy Briggs
2015-05-15 2:11 ` Richard Guy Briggs
[not found] ` <20150515021126.GA965-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2015-05-15 13:19 ` Daniel J Walsh
2015-05-15 13:19 ` Daniel J Walsh
[not found] ` <CAA4jN2bgynVTwF+owtXgq06JMLQJpy_qokpD0mAguNYeDxmh1A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-05-15 2:11 ` Richard Guy Briggs
2015-05-15 20:42 ` Paul Moore
2015-05-15 20:42 ` Paul Moore
2015-05-15 20:42 ` Paul Moore
2015-05-15 20:26 ` Paul Moore
2015-05-12 19:57 ` Richard Guy Briggs
2015-04-17 7:35 ` [PATCH V6 06/10] audit: dump namespace IDs for pid on receipt of AUDIT_NS_INFO Richard Guy Briggs
2015-04-17 7:35 ` Richard Guy Briggs
2015-04-17 7:35 ` [PATCH V6 07/10] sched: add a macro to ref all CLONE_NEW* flags Richard Guy Briggs
2015-04-17 7:35 ` Richard Guy Briggs
[not found] ` <cf1ed24f71743ea7f85682f26f3185202a1f8a32.1429252659.git.rgb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-04-17 8:18 ` Peter Zijlstra
2015-04-17 8:18 ` Peter Zijlstra
[not found] ` <20150417081843.GE23123-ndre7Fmf5hadTX5a5knrm8zTDFooKrT+cvkQGrU6aU0@public.gmane.org>
2015-04-17 15:42 ` Richard Guy Briggs
2015-04-17 15:42 ` Richard Guy Briggs
[not found] ` <20150417154250.GA26233-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2015-04-17 17:41 ` Peter Zijlstra
2015-04-17 17:41 ` Peter Zijlstra
[not found] ` <20150417174131.GL23123-ndre7Fmf5hadTX5a5knrm8zTDFooKrT+cvkQGrU6aU0@public.gmane.org>
2015-04-17 22:00 ` Richard Guy Briggs
2015-04-17 22:00 ` Richard Guy Briggs
2015-04-17 7:35 ` [PATCH V6 08/10] fork: audit on creation of new namespace(s) Richard Guy Briggs
2015-04-17 7:35 ` [PATCH V6 09/10] audit: log on switching namespace (setns) Richard Guy Briggs
2015-04-17 7:35 ` Richard Guy Briggs
2015-04-17 7:35 ` [PATCH V6 10/10] audit: emit AUDIT_NS_INFO record with AUDIT_VIRT_CONTROL record Richard Guy Briggs
2015-04-17 7:35 ` Richard Guy Briggs
2015-04-21 4:33 ` [PATCH V6 00/10] namespaces: log namespaces per task Eric W. Biederman
2015-04-21 4:33 ` Eric W. Biederman
[not found] ` <87vbgqw163.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2015-04-23 3:07 ` Richard Guy Briggs
2015-04-23 3:07 ` Richard Guy Briggs
2015-04-23 20:44 ` Richard Guy Briggs
[not found] ` <20150423204429.GA25794-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2015-04-24 19:36 ` Eric W. Biederman
2015-04-24 19:36 ` Eric W. Biederman
[not found] ` <87bnid9v4f.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2015-04-28 2:05 ` Richard Guy Briggs
2015-04-28 2:05 ` Richard Guy Briggs
[not found] ` <20150428020555.GB20713-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2015-04-28 2:16 ` Eric W. Biederman
2015-04-28 2:16 ` Eric W. Biederman
2015-05-08 14:42 ` Richard Guy Briggs
[not found] ` <87zj5tgfpb.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2015-05-08 14:42 ` Richard Guy Briggs
[not found] ` <20150423030751.GA6712-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2015-04-23 20:44 ` Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87iobvnp1t.fsf@x220.int.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=arozansk@redhat.com \
--cc=containers@lists.linux-foundation.org \
--cc=eparis@parisplace.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-audit@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pmoore@redhat.com \
--cc=rgb@redhat.com \
--cc=serge@hallyn.com \
--cc=sgrubb@redhat.com \
--cc=viro@zeniv.linux.org.uk \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.