From: Casey Schaufler <casey@schaufler-ca.com>
To: "Mickaël Salaün" <mic@digikod.net>,
"Richard Guy Briggs" <rgb@redhat.com>,
cgroups@vger.kernel.org,
"Linux Containers" <containers@lists.linux-foundation.org>,
"Linux API" <linux-api@vger.kernel.org>,
"Linux Audit" <linux-audit@redhat.com>,
"Linux FS Devel" <linux-fsdevel@vger.kernel.org>,
"Linux Kernel" <linux-kernel@vger.kernel.org>,
"Linux Network Development" <netdev@vger.kernel.org>
Cc: mszeredi@redhat.com, "Eric W. Biederman" <ebiederm@xmission.com>,
Simo Sorce <simo@redhat.com>,
jlayton@redhat.com, Carlos O'Donell <carlos@redhat.com>,
David Howells <dhowells@redhat.com>,
Al Viro <viro@zeniv.linux.org.uk>,
Andy Lutomirski <luto@kernel.org>,
Eric Paris <eparis@parisplace.org>,
trondmy@primarydata.com, Michael Kerrisk <mtk.manpages@gmail.com>
Subject: Re: RFC(v2): Audit Kernel Container IDs
Date: Sat, 9 Dec 2017 10:28:08 -0800 [thread overview]
Message-ID: <f8ea78be-9bbf-2967-7b12-ac93bb85b0bc@schaufler-ca.com> (raw)
In-Reply-To: <7ebca85a-425c-2b95-9a5f-59d81707339e@digikod.net>
On 12/9/2017 2:20 AM, Micka�l Sala�n wrote:
> On 12/10/2017 18:33, Casey Schaufler wrote:
>> On 10/12/2017 7:14 AM, Richard Guy Briggs wrote:
>>> Containers are a userspace concept. The kernel knows nothing of them.
>>>
>>> The Linux audit system needs a way to be able to track the container
>>> provenance of events and actions. Audit needs the kernel's help to do
>>> this.
>>>
>>> Since the concept of a container is entirely a userspace concept, a
>>> registration from the userspace container orchestration system initiates
>>> this. This will define a point in time and a set of resources
>>> associated with a particular container with an audit container ID.
>>>
>>> The registration is a pseudo filesystem (proc, since PID tree already
>>> exists) write of a u8[16] UUID representing the container ID to a file
>>> representing a process that will become the first process in a new
>>> container. This write might place restrictions on mount namespaces
>>> required to define a container, or at least careful checking of
>>> namespaces in the kernel to verify permissions of the orchestrator so it
>>> can't change its own container ID. A bind mount of nsfs may be
>>> necessary in the container orchestrator's mntNS.
>>> Note: Use a 128-bit scalar rather than a string to make compares faster
>>> and simpler.
>>>
>>> Require a new CAP_CONTAINER_ADMIN to be able to carry out the
>>> registration.
>> Hang on. If containers are a user space concept, how can
>> you want CAP_CONTAINER_ANYTHING? If there's not such thing as
>> a container, how can you be asking for a capability to manage
>> them?
>>
>>> At that time, record the target container's user-supplied
>>> container identifier along with the target container's first process
>>> (which may become the target container's "init" process) process ID
>>> (referenced from the initial PID namespace), all namespace IDs (in the
>>> form of a nsfs device number and inode number tuple) in a new auxilliary
>>> record AUDIT_CONTAINER with a qualifying op=$action field.
> Here is an idea to avoid privilege problems or the need for a new
> capability: make it automatic. What makes a container a container seems
> to be the use of at least a namespace.
You might think so, but I am assured that you can have a container
without using namespaces. Intel's "Clear Containers", which use
virtualization technology, are one example. I have considered creating
"Smack Containers" using mandatory access control technology, more
to press the point that "containers" is a marketing concept, not
technology.
> What about automatically create
> and assign an ID to a process when it enters a namespace different than
> one of its parent process? This delegates the (permission)
> responsibility to the use of namespaces (e.g. /proc/sys/user/max_* limit).
That gets ugly when you have a container that uses user, filesystem,
network and whatever else namespaces. If all containers used the same
set of namespaces I think this would be a fine idea, but they don't.
> One interesting side effect of this approach would be to be able to
> identify which processes are in the same set of namespaces, even if not
> spawn from the container but entered after its creation (i.e. using
> setns), by creating container IDs as a (deterministic) checksum from the
> /proc/self/ns/* IDs.
>
> Since the concern is to identify a container, I think the ability to
> audit the switch from one container ID to another is enough. I don't
> think we need nested IDs.
Because a container doesn't have to use namespaces to be a container
you still need a mechanism for a process to declare that it is in fact
in a container, and to identify the container.
>
> As a side note, you may want to take a look at the Linux-VServer's XID.
>
> Regards,
> Micka�l
>
next prev parent reply other threads:[~2017-12-09 18:28 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-12 14:14 RFC(v2): Audit Kernel Container IDs Richard Guy Briggs
2017-10-12 15:45 ` Steve Grubb
2017-10-19 19:57 ` Richard Guy Briggs
2017-10-19 23:11 ` Aleksa Sarai
2017-10-19 23:15 ` Aleksa Sarai
2017-10-20 2:25 ` Steve Grubb
2017-10-12 16:33 ` Casey Schaufler
2017-10-17 0:33 ` Richard Guy Briggs
2017-10-17 1:10 ` Casey Schaufler
2017-10-19 0:05 ` Richard Guy Briggs
2017-10-19 13:32 ` Casey Schaufler
2017-10-19 15:51 ` Paul Moore
2017-10-17 1:42 ` Steve Grubb
2017-10-17 12:31 ` Simo Sorce
2017-10-17 14:59 ` Casey Schaufler
2017-10-17 15:28 ` Simo Sorce
2017-10-17 15:44 ` James Bottomley
2017-10-17 16:43 ` Casey Schaufler
2017-10-17 17:15 ` Steve Grubb
2017-10-17 17:57 ` James Bottomley
2017-10-18 0:23 ` Steve Grubb
2017-10-18 20:56 ` Paul Moore
2017-10-18 23:46 ` Aleksa Sarai
2017-10-19 0:43 ` Eric W. Biederman
2017-10-19 15:36 ` Paul Moore
2017-10-19 16:25 ` Eric W. Biederman
2017-10-19 17:47 ` Paul Moore
2017-10-17 16:10 ` Casey Schaufler
2017-10-18 19:58 ` Paul Moore
2017-12-09 10:20 ` Mickaël Salaün
2017-12-09 18:28 ` Casey Schaufler [this message]
2017-12-11 16:30 ` Eric Paris
2017-12-11 16:52 ` Casey Schaufler
2017-12-11 19:37 ` Steve Grubb
2017-12-11 15:10 ` Richard Guy Briggs
2017-10-12 17:59 ` Eric W. Biederman
2017-10-13 13:43 ` Alan Cox
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f8ea78be-9bbf-2967-7b12-ac93bb85b0bc@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=carlos@redhat.com \
--cc=cgroups@vger.kernel.org \
--cc=containers@lists.linux-foundation.org \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=eparis@parisplace.org \
--cc=jlayton@redhat.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-audit@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mic@digikod.net \
--cc=mszeredi@redhat.com \
--cc=mtk.manpages@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=rgb@redhat.com \
--cc=simo@redhat.com \
--cc=trondmy@primarydata.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).