From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752439AbcGLIzI (ORCPT <rfc822;w@1wt.eu>);
	Tue, 12 Jul 2016 04:55:08 -0400
Received: from mail-lf0-f65.google.com ([209.85.215.65]:34346 "EHLO
	mail-lf0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751669AbcGLIzC (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Tue, 12 Jul 2016 04:55:02 -0400
Subject: Re: [PATCH] capabilities: audit capability use
To: "Eric W. Biederman" <ebiederm@xmission.com>
References: <1468235672-3745-1-git-send-email-toiwoton@gmail.com>
 <87vb0bbzyo.fsf@x220.int.ebiederm.org>
Cc: linux-kernel@vger.kernel.org, pmladek@suse.com, luto@kernel.org,
        serge@hallyn.com, keescook@chromium.org,
        Paul Moore <paul@paul-moore.com>, Eric Paris <eparis@redhat.com>,
        Tejun Heo <tj@kernel.org>, Li Zefan <lizefan@huawei.com>,
        Johannes Weiner <hannes@cmpxchg.org>,
        "moderated list:AUDIT SUBSYSTEM" <linux-audit@redhat.com>,
        "open list:CONTROL GROUP (CGROUP)" <cgroups@vger.kernel.org>,
        "open list:CAPABILITIES" <linux-security-module@vger.kernel.org>
From: Topi Miettinen <toiwoton@gmail.com>
Openpgp: id=A0F2EB0D8452DA908BEC8E911CF9ADDBD610E936
Message-ID: <ab56ac20-1d56-714c-eb54-9a43db496526@gmail.com>
Date: Tue, 12 Jul 2016 08:54:41 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
 Icedove/45.1.0
MIME-Version: 1.0
In-Reply-To: <87vb0bbzyo.fsf@x220.int.ebiederm.org>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 07/11/16 21:57, Eric W. Biederman wrote:
> Topi Miettinen <toiwoton@gmail.com> writes:
> 
>> There are many basic ways to control processes, including capabilities,
>> cgroups and resource limits. However, there are far fewer ways to find
>> out useful values for the limits, except blind trial and error.
>>
>> Currently, there is no way to know which capabilities are actually used.
>> Even the source code is only implicit, in-depth knowledge of each
>> capability must be used when analyzing a program to judge which
>> capabilities the program will exercise.
>>
>> Generate an audit message at system call exit, when capabilities are used.
>> This can then be used to configure capability sets for services by a
>> software developer, maintainer or system administrator.
>>
>> Test case demonstrating basic capability monitoring with the new
>> message types 1330 and 1331 and how the cgroups are displayed (boot to
>> rdshell):
> 
> You totally miss the interactions with the user namespace so this won't
> give you the information you are aiming for.

Please correct me if this is not right:

There are two cases:
a) real capability use as seen outside the namespace
b) use of capabilities granted by the namespace
Both cases could be active independently.

For auditing purposes, we're  mostly interested in a) and log noise from
b) could be even seen a distraction.

For configuration purposes, both cases can be interesting, a) for the
configuration of  services and b) in case where the containerized
configuration is planned to be deployed outside. I'd still only log a).

The same logic should apply with cgroup namespaces.

-Topi

> 
> Eric
>