From: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: cgroups@vger.kernel.org,
Linux Containers <containers@lists.linux-foundation.org>,
Linux API <linux-api@vger.kernel.org>,
Linux Audit <linux-audit@redhat.com>,
Linux FS Devel <linux-fsdevel@vger.kernel.org>,
Linux Kernel <linux-kernel@vger.kernel.org>,
Linux Network Development <netdev@vger.kernel.org>,
Simo Sorce <simo@redhat.com>,
"Carlos O'Donell" <carlos@redhat.com>,
Aristeu Rozanski <arozansk@redhat.com>,
David Howells <dhowells@redhat.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Eric Paris <eparis@parisplace.org>,
jlayton@redhat.com, Andy Lutomirski <luto@kernel.org>,
mszeredi@redhat.com, Paul Moore <pmoore@redhat.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
Steve Grubb <sgrubb@redhat.com>,
trondmy@primarydata.com, Al Viro <viro@zeniv.linux.org.uk>
Subject: Re: RFC(v2): Audit Kernel Container IDs
Date: Fri, 13 Oct 2017 14:43:11 +0100 [thread overview]
Message-ID: <20171013144311.45856ba2@alans-desktop> (raw)
In-Reply-To: <20171012141359.saqdtnodwmbz33b2@madcap2.tricolour.ca>
On Thu, 12 Oct 2017 10:14:00 -0400
Richard Guy Briggs <rgb@redhat.com> wrote:
> Containers are a userspace concept. The kernel knows nothing of them.
>
> The Linux audit system needs a way to be able to track the container
> provenance of events and actions. Audit needs the kernel's help to do
> this.
>
> Since the concept of a container is entirely a userspace concept, a
> registration from the userspace container orchestration system initiates
> this. This will define a point in time and a set of resources
> associated with a particular container with an audit container ID.
I don't think this has anything to do with containers directly. If i
read it right you need a subtree of stuff to be asigned a (possibly
irrevocable) magic identifier that you can use for other purposes.
Traditional Unix in the more 'secure' space had that decades ago in the
form of luid. At login time you did a setluid() and that set an
irrevocable tag onthe session which was (traditionally) the uid of the
login process so that audit and other related tools always knew how to
tie the process back to the login session.
That doesn't quite work as of itself (if you login you'd get luid set and
not be able to change it for the container), but it seems something
similarly trivial like a "setauditid(void)" would do the trick providing
the kernel picked the UUID randomly [otherwise I can copy another known
UUID to confuse or hide].
As you say a container is a userspace concept. So IMHO any audit
interface should be about auditing and what needs tracking, not about
containers. If the container management tool wants to set a suitable tag
then let it. If not then it doesn't.
Then it's a simple as checking CAP_AUDIT_WRITE to see if you are allowed
to setauditit(), generating a random uuid and a matching getauditid() to
copy it back.
Alan
prev parent reply other threads:[~2017-10-13 13:43 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-12 14:14 RFC(v2): Audit Kernel Container IDs Richard Guy Briggs
2017-10-12 15:45 ` Steve Grubb
2017-10-19 19:57 ` Richard Guy Briggs
2017-10-19 23:11 ` Aleksa Sarai
2017-10-19 23:15 ` Aleksa Sarai
2017-10-20 2:25 ` Steve Grubb
2017-10-12 16:33 ` Casey Schaufler
2017-10-17 0:33 ` Richard Guy Briggs
2017-10-17 1:10 ` Casey Schaufler
2017-10-19 0:05 ` Richard Guy Briggs
2017-10-19 13:32 ` Casey Schaufler
2017-10-19 15:51 ` Paul Moore
2017-10-17 1:42 ` Steve Grubb
2017-10-17 12:31 ` Simo Sorce
2017-10-17 14:59 ` Casey Schaufler
2017-10-17 15:28 ` Simo Sorce
2017-10-17 15:44 ` James Bottomley
2017-10-17 16:43 ` Casey Schaufler
2017-10-17 17:15 ` Steve Grubb
2017-10-17 17:57 ` James Bottomley
2017-10-18 0:23 ` Steve Grubb
2017-10-18 20:56 ` Paul Moore
2017-10-18 23:46 ` Aleksa Sarai
2017-10-19 0:43 ` Eric W. Biederman
2017-10-19 15:36 ` Paul Moore
2017-10-19 16:25 ` Eric W. Biederman
2017-10-19 17:47 ` Paul Moore
2017-10-17 16:10 ` Casey Schaufler
2017-10-18 19:58 ` Paul Moore
2017-12-09 10:20 ` Mickaël Salaün
2017-12-09 18:28 ` Casey Schaufler
2017-12-11 16:30 ` Eric Paris
2017-12-11 16:52 ` Casey Schaufler
2017-12-11 19:37 ` Steve Grubb
2017-12-11 15:10 ` Richard Guy Briggs
2017-10-12 17:59 ` Eric W. Biederman
2017-10-13 13:43 ` Alan Cox [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171013144311.45856ba2@alans-desktop \
--to=gnomes@lxorguk.ukuu.org.uk \
--cc=arozansk@redhat.com \
--cc=carlos@redhat.com \
--cc=cgroups@vger.kernel.org \
--cc=containers@lists.linux-foundation.org \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=eparis@parisplace.org \
--cc=jlayton@redhat.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-audit@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mszeredi@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=pmoore@redhat.com \
--cc=rgb@redhat.com \
--cc=serge@hallyn.com \
--cc=sgrubb@redhat.com \
--cc=simo@redhat.com \
--cc=trondmy@primarydata.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).