From: Simo Sorce <simo@redhat.com>
To: Steve Grubb <sgrubb@redhat.com>, linux-audit@redhat.com
Cc: Richard Guy Briggs <rgb@redhat.com>,
Casey Schaufler <casey@schaufler-ca.com>,
mszeredi@redhat.com, "Eric W. Biederman" <ebiederm@xmission.com>,
jlayton@redhat.com, Carlos O'Donell <carlos@redhat.com>,
Linux API <linux-api@vger.kernel.org>,
Linux Containers <containers@lists.linux-foundation.org>,
Linux Kernel <linux-kernel@vger.kernel.org>,
Eric Paris <eparis@parisplace.org>,
David Howells <dhowells@redhat.com>,
Al Viro <viro@zeniv.linux.org.uk>,
Andy Lutomirski <luto@kernel.org>,
Linux Network Development <netdev@vger.kernel.org>,
Linux FS Devel <linux-fsdevel@vger.kernel.org>,
cgroups@vger.kernel.org, "Serge E. Hallyn" <serge@hallyn.com>,
trondmy@primarydata.com
Subject: Re: RFC(v2): Audit Kernel Container IDs
Date: Tue, 17 Oct 2017 08:31:09 -0400 [thread overview]
Message-ID: <1508243469.6230.24.camel@redhat.com> (raw)
In-Reply-To: <2319693.5l3M4ZINGd@x2>
On Mon, 2017-10-16 at 21:42 -0400, Steve Grubb wrote:
> On Monday, October 16, 2017 8:33:40 PM EDT Richard Guy Briggs wrote:
> > There is such a thing, but the kernel doesn't know about it
> > yet. This same situation exists for loginuid and sessionid which
> > are userspace concepts that the kernel tracks for the convenience
> > of userspace. As for its name, I'm not particularly picky, so if
> > you don't like CAP_CONTAINER_* then I'm fine with
> > CAP_AUDIT_CONTAINERID. It really needs to be distinct from
> > CAP_AUDIT_WRITE and CAP_AUDIT_CONTROL since we don't want to give
> > the ability to set a containerID to any process that is able to do
> > audit logging (such as vsftpd) and similarly we don't want to give
> > the orchestrator the ability to control the setup of the audit
> > daemon.
>
> A long time ago, we were debating what should guard against rouge
> processes from setting the loginuid. Casey argued that the ability to
> set the loginuid means they have the ability to control the audit
> trail. That means that it should be guarded by CAP_AUDIT_CONTROL. I
> think the same logic applies today.
The difference is that with loginuid you needed to give processes able
to audit also the ability to change it. You do not want to tie the
ability to change container ids to the ability to audit. You want to be
able to do audit stuff (within the container) without allowing it to
change the container id.
Of course if we made container id a write-once property maybe there is
no need for controls at all, but I'm pretty sure there will be
situations where write-once may not be usable in practice.
> The ability to arbitrarily set a container ID means the process has
> the ability to indirectly control the audit trail.
The container Id can be used also for authorization purposes (by other
processes on the host), not just audit, I think this is why a separate
control has been proposed.
Simo.
--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
next prev parent reply other threads:[~2017-10-17 12:31 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-12 14:14 RFC(v2): Audit Kernel Container IDs Richard Guy Briggs
2017-10-12 15:45 ` Steve Grubb
2017-10-19 19:57 ` Richard Guy Briggs
2017-10-19 23:11 ` Aleksa Sarai
2017-10-19 23:15 ` Aleksa Sarai
2017-10-20 2:25 ` Steve Grubb
2017-10-12 16:33 ` Casey Schaufler
2017-10-17 0:33 ` Richard Guy Briggs
2017-10-17 1:10 ` Casey Schaufler
2017-10-19 0:05 ` Richard Guy Briggs
2017-10-19 13:32 ` Casey Schaufler
2017-10-19 15:51 ` Paul Moore
2017-10-17 1:42 ` Steve Grubb
2017-10-17 12:31 ` Simo Sorce [this message]
2017-10-17 14:59 ` Casey Schaufler
2017-10-17 15:28 ` Simo Sorce
2017-10-17 15:44 ` James Bottomley
2017-10-17 16:43 ` Casey Schaufler
2017-10-17 17:15 ` Steve Grubb
2017-10-17 17:57 ` James Bottomley
2017-10-18 0:23 ` Steve Grubb
2017-10-18 20:56 ` Paul Moore
2017-10-18 23:46 ` Aleksa Sarai
2017-10-19 0:43 ` Eric W. Biederman
2017-10-19 15:36 ` Paul Moore
2017-10-19 16:25 ` Eric W. Biederman
2017-10-19 17:47 ` Paul Moore
2017-10-17 16:10 ` Casey Schaufler
2017-10-18 19:58 ` Paul Moore
2017-12-09 10:20 ` Mickaël Salaün
2017-12-09 18:28 ` Casey Schaufler
2017-12-11 16:30 ` Eric Paris
2017-12-11 16:52 ` Casey Schaufler
2017-12-11 19:37 ` Steve Grubb
2017-12-11 15:10 ` Richard Guy Briggs
2017-10-12 17:59 ` Eric W. Biederman
2017-10-13 13:43 ` Alan Cox
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1508243469.6230.24.camel@redhat.com \
--to=simo@redhat.com \
--cc=carlos@redhat.com \
--cc=casey@schaufler-ca.com \
--cc=cgroups@vger.kernel.org \
--cc=containers@lists.linux-foundation.org \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=eparis@parisplace.org \
--cc=jlayton@redhat.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-audit@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mszeredi@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=rgb@redhat.com \
--cc=serge@hallyn.com \
--cc=sgrubb@redhat.com \
--cc=trondmy@primarydata.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).