From: Paul Moore <paul@paul-moore.com>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: Tycho Andersen <tycho@tycho.ws>,
"Serge E. Hallyn" <serge@hallyn.com>,
<containers@lists.linux-foundation.org>,
<linux-api@vger.kernel.org>,
"Linux-Audit Mailing List" <linux-audit@redhat.com>,
<linux-fsdevel@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>, <netdev@vger.kernel.org>,
<netfilter-devel@vger.kernel.org>, <sgrubb@redhat.com>,
<omosnace@redhat.com>, <dhowells@redhat.com>, <simo@redhat.com>,
Eric Paris <eparis@parisplace.org>, <ebiederm@xmission.com>,
<nhorman@tuxdriver.com>
Subject: Re: [PATCH ghak90 V6 02/10] audit: add container id
Date: Mon, 08 Jul 2019 22:43:23 +0200 [thread overview]
Message-ID: <16bd353a5f8.280e.85c95baa4474aabc7814e68940a78392@paul-moore.com> (raw)
In-Reply-To: <20190708181237.5poheliito7zpvmc@madcap2.tricolour.ca>
On July 8, 2019 8:12:56 PM Richard Guy Briggs <rgb@redhat.com> wrote:
> On 2019-05-30 19:26, Paul Moore wrote:
>> On Thu, May 30, 2019 at 5:29 PM Tycho Andersen <tycho@tycho.ws> wrote:
>>> On Thu, May 30, 2019 at 03:29:32PM -0400, Paul Moore wrote:
>>>>
>>>>
>>>> [REMINDER: It is an "*audit* container ID" and not a general
>>>> "container ID" ;) Smiley aside, I'm not kidding about that part.]
>>>
>>> This sort of seems like a distinction without a difference; presumably
>>> audit is going to want to differentiate between everything that people
>>> in userspace call a container. So you'll have to support all this
>>> insanity anyway, even if it's "not a container ID".
>>
>> That's not quite right. Audit doesn't care about what a container is,
>> or is not, it also doesn't care if the "audit container ID" actually
>> matches the ID used by the container engine in userspace and I think
>> that is a very important line to draw. Audit is simply given a value
>> which it calls the "audit container ID", it ensures that the value is
>> inherited appropriately (e.g. children inherit their parent's audit
>> container ID), and it uses the value in audit records to provide some
>> additional context for log analysis. The distinction isn't limited to
>> the value itself, but also to how it is used; it is an "audit
>> container ID" and not a "container ID" because this value is
>> exclusively for use by the audit subsystem. We are very intentionally
>> not adding a generic container ID to the kernel. If the kernel does
>> ever grow a general purpose container ID we will be one of the first
>> ones in line to make use of it, but we are not going to be the ones to
>> generically add containers to the kernel. Enough people already hate
>> audit ;)
>>
>>>> I'm not interested in supporting/merging something that isn't useful;
>>>> if this doesn't work for your use case then we need to figure out what
>>>> would work. It sounds like nested containers are much more common in
>>>> the lxc world, can you elaborate a bit more on this?
>>>>
>>>>
>>>> As far as the possible solutions you mention above, I'm not sure I
>>>> like the per-userns audit container IDs, I'd much rather just emit the
>>>> necessary tracking information via the audit record stream and let the
>>>> log analysis tools figure it out. However, the bigger question is how
>>>> to limit (re)setting the audit container ID when you are in a non-init
>>>> userns. For reasons already mentioned, using capable() is a non
>>>> starter for everything but the initial userns, and using ns_capable()
>>>> is equally poor as it essentially allows any userns the ability to
>>>> munge it's audit container ID (obviously not good). It appears we
>>>> need a different method for controlling access to the audit container
>>>> ID.
>>>
>>> One option would be to make it a string, and have it be append only.
>>> That should be safe with no checks.
>>>
>>> I know there was a long thread about what type to make this thing. I
>>> think you could accomplish the append-only-ness with a u64 if you had
>>> some rule about only allowing setting lower order bits than those that
>>> are already set. With 4 bits for simplicity:
>>>
>>> 1100 # initial container id
>>> 1100 -> 1011 # not allowed
>>> 1100 -> 1101 # allowed, but now 1101 is set in stone since there are
>>> # no lower order bits left
>>>
>>> There are probably fancier ways to do it if you actually understand
>>> math :)
>>
>> ;)
>>
>>> Since userns nesting is limited to 32 levels (right now, IIRC), and
>>> you have 64 bits, this might be reasonable. You could just teach
>>> container engines to use the first say N bits for themselves, with a 1
>>> bit for the barrier at the end.
>>
>> I like the creativity, but I worry that at some point these
>> limitations are going to be raised (limits have a funny way of doing
>> that over time) and we will be in trouble. I say "trouble" because I
>> want to be able to quickly do an audit container ID comparison and
>> we're going to pay a penalty for these larger values (we'll need this
>> when we add multiple auditd support and the requisite record routing).
>>
>> Thinking about this makes me also realize we probably need to think a
>> bit longer about audit container ID conflicts between orchestrators.
>> Right now we just take the value that is given to us by the
>> orchestrator, but if we want to allow multiple container orchestrators
>> to work without some form of cooperation in userspace (I think we have
>> to assume the orchestrators will not talk to each other) we likely
>> need to have some way to block reuse of an audit container ID. We
>> would either need to prevent the orchestrator from explicitly setting
>> an audit container ID to a currently in use value, or instead generate
>> the audit container ID in the kernel upon an event triggered by the
>> orchestrator (e.g. a write to a /proc file). I suspect we should
>> start looking at the idr code, I think we will need to make use of it.
>
> To address this, I'd suggest that it is enforced to only allow the
> setting of descendants and to maintain a master list of audit container
> identifiers (with a hash table if necessary later) that includes the
> container owner.
>
> This also allows the orchestrator/engine to inject processes into
> existing containers by checking that the audit container identifier is
> only used again by the same owner.
>
> I have working code for both.
Just a quick note that due to some holiday travel I'm not going to be able to adequately respond to your latest messages on this thread for at least another week, likely a bit more. I'm only checking mail to put out fires, and the audit container ID work tends to be something that starts them ;)
--
paul moore
www.paul-moore.com
next prev parent reply other threads:[~2019-07-08 20:43 UTC|newest]
Thread overview: 87+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-09 3:39 [PATCH ghak90 V6 00/10] audit: implement container identifier Richard Guy Briggs
2019-04-09 3:39 ` [PATCH ghak90 V6 01/10] audit: collect audit task parameters Richard Guy Briggs
2019-04-09 3:39 ` [PATCH ghak90 V6 02/10] audit: add container id Richard Guy Briggs
2019-05-29 14:57 ` Tycho Andersen
2019-05-29 15:29 ` Paul Moore
2019-05-29 15:34 ` Tycho Andersen
2019-05-29 16:03 ` Paul Moore
2019-05-29 22:28 ` Tycho Andersen
2019-05-29 22:39 ` Paul Moore
2019-05-30 17:09 ` Serge E. Hallyn
2019-05-30 19:29 ` Paul Moore
2019-05-30 21:29 ` Tycho Andersen
2019-05-30 23:26 ` Paul Moore
2019-05-31 0:20 ` Richard Guy Briggs
2019-05-31 12:44 ` Paul Moore
2019-06-03 20:24 ` Steve Grubb
2019-06-18 22:12 ` Paul Moore
2019-06-18 22:46 ` Richard Guy Briggs
2019-07-08 18:12 ` Richard Guy Briggs
2019-07-08 20:43 ` Paul Moore [this message]
2019-07-15 21:09 ` Paul Moore
2019-07-16 15:37 ` Richard Guy Briggs
2019-07-16 16:08 ` Paul Moore
2019-07-16 16:26 ` Richard Guy Briggs
2019-07-08 18:05 ` Richard Guy Briggs
2019-07-15 21:04 ` Paul Moore
2019-07-16 22:03 ` Richard Guy Briggs
2019-07-16 23:30 ` Paul Moore
2019-07-18 0:51 ` Richard Guy Briggs
2019-07-18 21:52 ` Paul Moore
2019-07-19 16:00 ` Eric W. Biederman
2019-07-20 2:19 ` James Bottomley
2019-07-19 15:32 ` Eric W. Biederman
2019-07-08 17:51 ` Richard Guy Briggs
2019-07-15 20:38 ` Paul Moore
2019-07-16 19:38 ` Richard Guy Briggs
2019-07-16 21:39 ` Paul Moore
2019-07-19 16:07 ` Eric W. Biederman
2019-04-09 3:39 ` [PATCH ghak90 V6 03/10] audit: read container ID of a process Richard Guy Briggs
2019-07-19 16:03 ` Eric W. Biederman
2019-07-19 17:05 ` Richard Guy Briggs
2019-04-09 3:39 ` [PATCH ghak90 V6 04/10] audit: log container info of syscalls Richard Guy Briggs
2019-05-29 22:15 ` Paul Moore
2019-05-30 13:08 ` Ondrej Mosnacek
2019-05-30 14:08 ` Richard Guy Briggs
2019-05-30 14:34 ` Paul Moore
2019-04-09 3:39 ` [PATCH ghak90 V6 05/10] audit: add contid support for signalling the audit daemon Richard Guy Briggs
2019-04-09 12:57 ` Ondrej Mosnacek
2019-04-09 13:40 ` Paul Moore
2019-04-09 13:48 ` Neil Horman
2019-04-09 14:00 ` Ondrej Mosnacek
2019-04-09 14:07 ` Paul Moore
2019-04-09 13:53 ` Richard Guy Briggs
2019-04-09 14:08 ` Paul Moore
2019-04-09 13:46 ` Neil Horman
2019-04-09 3:39 ` [PATCH ghak90 V6 06/10] audit: add support for non-syscall auxiliary records Richard Guy Briggs
2019-04-09 3:39 ` [PATCH ghak90 V6 07/10] audit: add containerid support for user records Richard Guy Briggs
2019-04-09 3:39 ` [PATCH ghak90 V6 08/10] audit: add containerid filtering Richard Guy Briggs
2019-05-29 22:16 ` Paul Moore
2019-05-30 14:19 ` Richard Guy Briggs
2019-05-30 14:34 ` Paul Moore
2019-05-30 20:37 ` Richard Guy Briggs
2019-05-30 20:45 ` Paul Moore
2019-05-30 21:10 ` Richard Guy Briggs
2019-04-09 3:39 ` [PATCH ghak90 V6 09/10] audit: add support for containerid to network namespaces Richard Guy Briggs
2019-05-29 22:17 ` Paul Moore
2019-05-30 14:15 ` Richard Guy Briggs
2019-05-30 14:32 ` Paul Moore
2019-04-09 3:39 ` [PATCH ghak90 V6 10/10] audit: NETFILTER_PKT: record each container ID associated with a netNS Richard Guy Briggs
2019-04-11 11:31 ` [PATCH ghak90 V6 00/10] audit: implement container identifier Richard Guy Briggs
2019-04-22 11:38 ` Neil Horman
2019-04-22 13:49 ` Paul Moore
2019-04-23 10:28 ` Neil Horman
2019-05-28 21:53 ` Daniel Walsh
2019-05-28 22:25 ` Richard Guy Briggs
2019-05-28 22:26 ` Paul Moore
2019-05-28 23:00 ` Steve Grubb
2019-05-29 0:43 ` Richard Guy Briggs
2019-05-29 12:02 ` Daniel Walsh
2019-05-29 13:17 ` Paul Moore
2019-05-29 14:07 ` Daniel Walsh
2019-05-29 14:33 ` Paul Moore
2019-05-29 13:14 ` Paul Moore
2019-05-29 22:26 ` Paul Moore
2019-05-30 13:08 ` Steve Grubb
2019-05-30 13:35 ` Paul Moore
2019-05-30 14:08 ` Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=16bd353a5f8.280e.85c95baa4474aabc7814e68940a78392@paul-moore.com \
--to=paul@paul-moore.com \
--cc=containers@lists.linux-foundation.org \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=eparis@parisplace.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-audit@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=nhorman@tuxdriver.com \
--cc=omosnace@redhat.com \
--cc=rgb@redhat.com \
--cc=serge@hallyn.com \
--cc=sgrubb@redhat.com \
--cc=simo@redhat.com \
--cc=tycho@tycho.ws \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).