From: Topi Miettinen <toiwoton@gmail.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: linux-kernel@vger.kernel.org, pmladek@suse.com, luto@kernel.org,
serge@hallyn.com, keescook@chromium.org,
Paul Moore <paul@paul-moore.com>, Eric Paris <eparis@redhat.com>,
Tejun Heo <tj@kernel.org>, Li Zefan <lizefan@huawei.com>,
Johannes Weiner <hannes@cmpxchg.org>,
"moderated list:AUDIT SUBSYSTEM" <linux-audit@redhat.com>,
"open list:CONTROL GROUP (CGROUP)" <cgroups@vger.kernel.org>,
"open list:CAPABILITIES" <linux-security-module@vger.kernel.org>
Subject: Re: [PATCH] capabilities: audit capability use
Date: Wed, 13 Jul 2016 07:30:18 +0000 [thread overview]
Message-ID: <d882bf1d-e00d-3722-5695-12f257a15224@gmail.com> (raw)
In-Reply-To: <878tx79et8.fsf@x220.int.ebiederm.org>
On 07/12/16 13:16, Eric W. Biederman wrote:
> Topi Miettinen <toiwoton@gmail.com> writes:
>
>> On 07/11/16 21:57, Eric W. Biederman wrote:
>>> Topi Miettinen <toiwoton@gmail.com> writes:
>>>
>>>> There are many basic ways to control processes, including capabilities,
>>>> cgroups and resource limits. However, there are far fewer ways to find
>>>> out useful values for the limits, except blind trial and error.
>>>>
>>>> Currently, there is no way to know which capabilities are actually used.
>>>> Even the source code is only implicit, in-depth knowledge of each
>>>> capability must be used when analyzing a program to judge which
>>>> capabilities the program will exercise.
>>>>
>>>> Generate an audit message at system call exit, when capabilities are used.
>>>> This can then be used to configure capability sets for services by a
>>>> software developer, maintainer or system administrator.
>>>>
>>>> Test case demonstrating basic capability monitoring with the new
>>>> message types 1330 and 1331 and how the cgroups are displayed (boot to
>>>> rdshell):
>>>
>>> You totally miss the interactions with the user namespace so this won't
>>> give you the information you are aiming for.
>>
>> Please correct me if this is not right:
>>
>> There are two cases:
>> a) real capability use as seen outside the namespace
>> b) use of capabilities granted by the namespace
>> Both cases could be active independently.
>>
>> For auditing purposes, we're mostly interested in a) and log noise from
>> b) could be even seen a distraction.
>>
>> For configuration purposes, both cases can be interesting, a) for the
>> configuration of services and b) in case where the containerized
>> configuration is planned to be deployed outside. I'd still only log
>> a).
>>
>>
>> The same logic should apply with cgroup namespaces.
>
> Not logging capabilities outside of the initial user namespace is
> certainly the conservative place to start, and what selinux does.
>
> You should also be logging capability use from cap_capable. Not
But cap_capable is not called from apparmor aa_capable or selinux
selinux_capable, how about security_capable()?
> ns_capable. You are missing several kinds of capability use as
> a quick review of kernel/capability.c should have shown you.
Right, sorry about that.
-Topi
>
> Eric
>
next prev parent reply other threads:[~2016-07-13 7:31 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-11 11:14 [PATCH] capabilities: audit capability use Topi Miettinen
2016-07-11 15:25 ` Serge E. Hallyn
2016-07-11 16:05 ` Topi Miettinen
2016-07-11 19:28 ` Topi Miettinen
2016-07-11 17:09 ` Tejun Heo
2016-07-11 19:47 ` Topi Miettinen
2016-07-12 14:59 ` Tejun Heo
2016-07-13 6:52 ` Topi Miettinen
2016-07-11 21:57 ` Eric W. Biederman
2016-07-12 8:54 ` Topi Miettinen
2016-07-12 13:16 ` Eric W. Biederman
2016-07-12 22:00 ` Paul Moore
2016-07-13 7:30 ` Topi Miettinen [this message]
2016-07-12 21:56 ` Paul Moore
-- strict thread matches above, loose matches on Subject: below --
2016-07-03 15:08 [PATCH] capabilities: add capability cgroup controller Topi Miettinen
2016-07-03 16:13 ` [PATCH] capabilities: audit capability use kbuild test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d882bf1d-e00d-3722-5695-12f257a15224@gmail.com \
--to=toiwoton@gmail.com \
--cc=cgroups@vger.kernel.org \
--cc=ebiederm@xmission.com \
--cc=eparis@redhat.com \
--cc=hannes@cmpxchg.org \
--cc=keescook@chromium.org \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lizefan@huawei.com \
--cc=luto@kernel.org \
--cc=paul@paul-moore.com \
--cc=pmladek@suse.com \
--cc=serge@hallyn.com \
--cc=tj@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).