From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 162D5C35247 for ; Wed, 5 Feb 2020 22:57:04 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id DE30920730 for ; Wed, 5 Feb 2020 22:57:03 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=paul-moore-com.20150623.gappssmtp.com header.i=@paul-moore-com.20150623.gappssmtp.com header.b="Rr3Zuwxj" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727822AbgBEW5D (ORCPT ); Wed, 5 Feb 2020 17:57:03 -0500 Received: from mail-ed1-f66.google.com ([209.85.208.66]:37913 "EHLO mail-ed1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727798AbgBEW5C (ORCPT ); Wed, 5 Feb 2020 17:57:02 -0500 Received: by mail-ed1-f66.google.com with SMTP id p23so3870764edr.5 for ; Wed, 05 Feb 2020 14:56:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Amzhmy9xv9aiOonSPr+eThtNwsfLtl5zGLSppwlbgNs=; b=Rr3ZuwxjBG88ry1cXtNHdnsHK7RNLh2i2hW7ZcjXrXXVz1dH4kyMtKdSaBC1CgHQur rCvuy3O+y+wkmSkopUyOF1OMDhD5Hx2sYMQ0meeghuuW5a+Zn08zQjCRISQh9rPkNdLI 59Z8ME76zI91V5UP7hugC1xMeu73AOuDGvfa7wKGNTbTsSdGgEMMiHozgfut4YcVzURe G2c9J84y+lzCAe08WlYOCgBuodxP7gxMj+eT09LfB5r+cyv9tJ1KYWxRm+MN59LjZBco Q6x5NKczijf5H13m8eUXysrheth2N8SEecoHY/HTzEDU+eOsPj0dHABPnKvVDueKZ0ND s2Eg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Amzhmy9xv9aiOonSPr+eThtNwsfLtl5zGLSppwlbgNs=; b=BDEi8bI76MgH7DoX6DEHAgOU+9NqcXm659x4s2epLMtC04v4uGujJDuvZq6dN7a87B LkYxMKGfLo88gVNmq1FryeLjohMxDugRXSwlqdmt1RjnM87odjnLlCPjYUvy7plBsn+h A/6+v68KeZCm3qXR8AzHRAhE/O5sbDkUBBQSp5kH7g/xHvjAm5HvUpCTxOqb5AxQYMq7 kWXLwuvTEfD+XYTaR9imHSrgnY7/zdUdfC/MtLxBLTCNvQbF2Vn60Unw8u1A+G1tCx/j pwsPBTiW/2CwWoQXi0qhgkQla4Lc6dzYQy6pGn0yXEesTtgGHPirOaX6KujbMkz46yuH Er8w== X-Gm-Message-State: APjAAAW2Aj62/5Y9jaJXzlF93c9ycSgJgQApmZxPnJ37fKdAXABz0AwV z3RbQt4ejuxMSC0ZE0dVaoz8HUvEPwS/wWHRc8/R X-Google-Smtp-Source: APXvYqyinVfnH51DI0L2SrSFONQ5jPWbqu4SEEJkGSvze4nkV8Nj8TjI5cDCggcgijMU0lqRKjn1C1Mv8js0mEJYleE= X-Received: by 2002:a17:906:19d0:: with SMTP id h16mr350075ejd.70.1580943419104; Wed, 05 Feb 2020 14:56:59 -0800 (PST) MIME-Version: 1.0 References: <5941671b6b6b5de28ab2cc80e72f288cf83291d5.1577736799.git.rgb@redhat.com> <20200205003930.2efpm4tvrisgmj4t@madcap2.tricolour.ca> In-Reply-To: <20200205003930.2efpm4tvrisgmj4t@madcap2.tricolour.ca> From: Paul Moore Date: Wed, 5 Feb 2020 17:56:48 -0500 Message-ID: Subject: Re: [PATCH ghak90 V8 16/16] audit: add capcontid to set contid outside init_user_ns To: Richard Guy Briggs Cc: containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List , linux-fsdevel@vger.kernel.org, LKML , netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, sgrubb@redhat.com, omosnace@redhat.com, dhowells@redhat.com, simo@redhat.com, Eric Paris , Serge Hallyn , ebiederm@xmission.com, nhorman@tuxdriver.com, Dan Walsh , mpatel@redhat.com Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Feb 4, 2020 at 7:39 PM Richard Guy Briggs wrote: > On 2020-01-22 16:29, Paul Moore wrote: > > On Tue, Dec 31, 2019 at 2:51 PM Richard Guy Briggs wrote: > > > > > > Provide a mechanism similar to CAP_AUDIT_CONTROL to explicitly give a > > > process in a non-init user namespace the capability to set audit > > > container identifiers. > > > > > > Provide /proc/$PID/audit_capcontid interface to capcontid. > > > Valid values are: 1==enabled, 0==disabled > > > > It would be good to be more explicit about "enabled" and "disabled" in > > the commit description. For example, which setting allows the target > > task to set audit container IDs of it's children processes? > > Ok... > > > > Report this action in message type AUDIT_SET_CAPCONTID 1022 with fields > > > opid= capcontid= old-capcontid= > > > > > > Signed-off-by: Richard Guy Briggs > > > --- > > > fs/proc/base.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++ > > > include/linux/audit.h | 14 ++++++++++++ > > > include/uapi/linux/audit.h | 1 + > > > kernel/audit.c | 35 +++++++++++++++++++++++++++++ > > > 4 files changed, 105 insertions(+) ... > > > diff --git a/kernel/audit.c b/kernel/audit.c > > > index 1287f0b63757..1c22dd084ae8 100644 > > > --- a/kernel/audit.c > > > +++ b/kernel/audit.c > > > @@ -2698,6 +2698,41 @@ static bool audit_contid_isowner(struct task_struct *tsk) > > > return false; > > > } > > > > > > +int audit_set_capcontid(struct task_struct *task, u32 enable) > > > +{ > > > + u32 oldcapcontid; > > > + int rc = 0; > > > + struct audit_buffer *ab; > > > + > > > + if (!task->audit) > > > + return -ENOPROTOOPT; > > > + oldcapcontid = audit_get_capcontid(task); > > > + /* if task is not descendant, block */ > > > + if (task == current) > > > + rc = -EBADSLT; > > > + else if (!task_is_descendant(current, task)) > > > + rc = -EXDEV; > > > > See my previous comments about error code sanity. > > I'll go with EXDEV. > > > > + else if (current_user_ns() == &init_user_ns) { > > > + if (!capable(CAP_AUDIT_CONTROL) && !audit_get_capcontid(current)) > > > + rc = -EPERM; > > > > I think we just want to use ns_capable() in the context of the current > > userns to check CAP_AUDIT_CONTROL, yes? Something like this ... > > I thought we had firmly established in previous discussion that > CAP_AUDIT_CONTROL in anything other than init_user_ns was completely irrelevant > and untrustable. In the case of a container with multiple users, and multiple applications, one being a nested orchestrator, it seems relevant to allow that container to control which of it's processes are able to exercise CAP_AUDIT_CONTROL. Granted, we still want to control it within the overall host, e.g. the container in question must be allowed to run a nested orchestrator, but allowing the container itself to provide it's own granularity seems like the right thing to do. > > if (current_user_ns() != &init_user_ns) { > > if (!ns_capable(CAP_AUDIT_CONTROL) || !audit_get_capcontid()) > > rc = -EPERM; > > } else if (!capable(CAP_AUDIT_CONTROL)) > > rc = -EPERM; > > -- paul moore www.paul-moore.com