From: Richard Guy Briggs <rgb@redhat.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Tycho Andersen <tycho@tycho.ws>,
"Serge E. Hallyn" <serge@hallyn.com>,
containers@lists.linux-foundation.org, linux-api@vger.kernel.org,
Linux-Audit Mailing List <linux-audit@redhat.com>,
linux-fsdevel@vger.kernel.org,
LKML <linux-kernel@vger.kernel.org>,
netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,
sgrubb@redhat.com, omosnace@redhat.com, dhowells@redhat.com,
simo@redhat.com, Eric Paris <eparis@parisplace.org>,
ebiederm@xmission.com, nhorman@tuxdriver.com
Subject: Re: [PATCH ghak90 V6 02/10] audit: add container id
Date: Mon, 8 Jul 2019 14:12:37 -0400 [thread overview]
Message-ID: <20190708181237.5poheliito7zpvmc@madcap2.tricolour.ca> (raw)
In-Reply-To: <CAHC9VhT5HPt9rCJoDutdvA3r1Y1GOHfpXe2eJ54atNC1=Vd8LA@mail.gmail.com>
On 2019-05-30 19:26, Paul Moore wrote:
> On Thu, May 30, 2019 at 5:29 PM Tycho Andersen <tycho@tycho.ws> wrote:
> > On Thu, May 30, 2019 at 03:29:32PM -0400, Paul Moore wrote:
> > >
> > > [REMINDER: It is an "*audit* container ID" and not a general
> > > "container ID" ;) Smiley aside, I'm not kidding about that part.]
> >
> > This sort of seems like a distinction without a difference; presumably
> > audit is going to want to differentiate between everything that people
> > in userspace call a container. So you'll have to support all this
> > insanity anyway, even if it's "not a container ID".
>
> That's not quite right. Audit doesn't care about what a container is,
> or is not, it also doesn't care if the "audit container ID" actually
> matches the ID used by the container engine in userspace and I think
> that is a very important line to draw. Audit is simply given a value
> which it calls the "audit container ID", it ensures that the value is
> inherited appropriately (e.g. children inherit their parent's audit
> container ID), and it uses the value in audit records to provide some
> additional context for log analysis. The distinction isn't limited to
> the value itself, but also to how it is used; it is an "audit
> container ID" and not a "container ID" because this value is
> exclusively for use by the audit subsystem. We are very intentionally
> not adding a generic container ID to the kernel. If the kernel does
> ever grow a general purpose container ID we will be one of the first
> ones in line to make use of it, but we are not going to be the ones to
> generically add containers to the kernel. Enough people already hate
> audit ;)
>
> > > I'm not interested in supporting/merging something that isn't useful;
> > > if this doesn't work for your use case then we need to figure out what
> > > would work. It sounds like nested containers are much more common in
> > > the lxc world, can you elaborate a bit more on this?
> > >
> > > As far as the possible solutions you mention above, I'm not sure I
> > > like the per-userns audit container IDs, I'd much rather just emit the
> > > necessary tracking information via the audit record stream and let the
> > > log analysis tools figure it out. However, the bigger question is how
> > > to limit (re)setting the audit container ID when you are in a non-init
> > > userns. For reasons already mentioned, using capable() is a non
> > > starter for everything but the initial userns, and using ns_capable()
> > > is equally poor as it essentially allows any userns the ability to
> > > munge it's audit container ID (obviously not good). It appears we
> > > need a different method for controlling access to the audit container
> > > ID.
> >
> > One option would be to make it a string, and have it be append only.
> > That should be safe with no checks.
> >
> > I know there was a long thread about what type to make this thing. I
> > think you could accomplish the append-only-ness with a u64 if you had
> > some rule about only allowing setting lower order bits than those that
> > are already set. With 4 bits for simplicity:
> >
> > 1100 # initial container id
> > 1100 -> 1011 # not allowed
> > 1100 -> 1101 # allowed, but now 1101 is set in stone since there are
> > # no lower order bits left
> >
> > There are probably fancier ways to do it if you actually understand
> > math :)
>
> ;)
>
> > Since userns nesting is limited to 32 levels (right now, IIRC), and
> > you have 64 bits, this might be reasonable. You could just teach
> > container engines to use the first say N bits for themselves, with a 1
> > bit for the barrier at the end.
>
> I like the creativity, but I worry that at some point these
> limitations are going to be raised (limits have a funny way of doing
> that over time) and we will be in trouble. I say "trouble" because I
> want to be able to quickly do an audit container ID comparison and
> we're going to pay a penalty for these larger values (we'll need this
> when we add multiple auditd support and the requisite record routing).
>
> Thinking about this makes me also realize we probably need to think a
> bit longer about audit container ID conflicts between orchestrators.
> Right now we just take the value that is given to us by the
> orchestrator, but if we want to allow multiple container orchestrators
> to work without some form of cooperation in userspace (I think we have
> to assume the orchestrators will not talk to each other) we likely
> need to have some way to block reuse of an audit container ID. We
> would either need to prevent the orchestrator from explicitly setting
> an audit container ID to a currently in use value, or instead generate
> the audit container ID in the kernel upon an event triggered by the
> orchestrator (e.g. a write to a /proc file). I suspect we should
> start looking at the idr code, I think we will need to make use of it.
To address this, I'd suggest that it is enforced to only allow the
setting of descendants and to maintain a master list of audit container
identifiers (with a hash table if necessary later) that includes the
container owner.
This also allows the orchestrator/engine to inject processes into
existing containers by checking that the audit container identifier is
only used again by the same owner.
I have working code for both.
> paul moore
> www.paul-moore.com
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
next prev parent reply other threads:[~2019-07-08 18:13 UTC|newest]
Thread overview: 87+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-09 3:39 [PATCH ghak90 V6 00/10] audit: implement container identifier Richard Guy Briggs
2019-04-09 3:39 ` [PATCH ghak90 V6 01/10] audit: collect audit task parameters Richard Guy Briggs
2019-04-09 3:39 ` [PATCH ghak90 V6 02/10] audit: add container id Richard Guy Briggs
2019-05-29 14:57 ` Tycho Andersen
2019-05-29 15:29 ` Paul Moore
2019-05-29 15:34 ` Tycho Andersen
2019-05-29 16:03 ` Paul Moore
2019-05-29 22:28 ` Tycho Andersen
2019-05-29 22:39 ` Paul Moore
2019-05-30 17:09 ` Serge E. Hallyn
2019-05-30 19:29 ` Paul Moore
2019-05-30 21:29 ` Tycho Andersen
2019-05-30 23:26 ` Paul Moore
2019-05-31 0:20 ` Richard Guy Briggs
2019-05-31 12:44 ` Paul Moore
2019-06-03 20:24 ` Steve Grubb
2019-06-18 22:12 ` Paul Moore
2019-06-18 22:46 ` Richard Guy Briggs
2019-07-08 18:12 ` Richard Guy Briggs [this message]
2019-07-08 20:43 ` Paul Moore
2019-07-15 21:09 ` Paul Moore
2019-07-16 15:37 ` Richard Guy Briggs
2019-07-16 16:08 ` Paul Moore
2019-07-16 16:26 ` Richard Guy Briggs
2019-07-08 18:05 ` Richard Guy Briggs
2019-07-15 21:04 ` Paul Moore
2019-07-16 22:03 ` Richard Guy Briggs
2019-07-16 23:30 ` Paul Moore
2019-07-18 0:51 ` Richard Guy Briggs
2019-07-18 21:52 ` Paul Moore
2019-07-19 16:00 ` Eric W. Biederman
2019-07-20 2:19 ` James Bottomley
2019-07-19 15:32 ` Eric W. Biederman
2019-07-08 17:51 ` Richard Guy Briggs
2019-07-15 20:38 ` Paul Moore
2019-07-16 19:38 ` Richard Guy Briggs
2019-07-16 21:39 ` Paul Moore
2019-07-19 16:07 ` Eric W. Biederman
2019-04-09 3:39 ` [PATCH ghak90 V6 03/10] audit: read container ID of a process Richard Guy Briggs
2019-07-19 16:03 ` Eric W. Biederman
2019-07-19 17:05 ` Richard Guy Briggs
2019-04-09 3:39 ` [PATCH ghak90 V6 04/10] audit: log container info of syscalls Richard Guy Briggs
2019-05-29 22:15 ` Paul Moore
2019-05-30 13:08 ` Ondrej Mosnacek
2019-05-30 14:08 ` Richard Guy Briggs
2019-05-30 14:34 ` Paul Moore
2019-04-09 3:39 ` [PATCH ghak90 V6 05/10] audit: add contid support for signalling the audit daemon Richard Guy Briggs
2019-04-09 12:57 ` Ondrej Mosnacek
2019-04-09 13:40 ` Paul Moore
2019-04-09 13:48 ` Neil Horman
2019-04-09 14:00 ` Ondrej Mosnacek
2019-04-09 14:07 ` Paul Moore
2019-04-09 13:53 ` Richard Guy Briggs
2019-04-09 14:08 ` Paul Moore
2019-04-09 13:46 ` Neil Horman
2019-04-09 3:39 ` [PATCH ghak90 V6 06/10] audit: add support for non-syscall auxiliary records Richard Guy Briggs
2019-04-09 3:39 ` [PATCH ghak90 V6 07/10] audit: add containerid support for user records Richard Guy Briggs
2019-04-09 3:39 ` [PATCH ghak90 V6 08/10] audit: add containerid filtering Richard Guy Briggs
2019-05-29 22:16 ` Paul Moore
2019-05-30 14:19 ` Richard Guy Briggs
2019-05-30 14:34 ` Paul Moore
2019-05-30 20:37 ` Richard Guy Briggs
2019-05-30 20:45 ` Paul Moore
2019-05-30 21:10 ` Richard Guy Briggs
2019-04-09 3:39 ` [PATCH ghak90 V6 09/10] audit: add support for containerid to network namespaces Richard Guy Briggs
2019-05-29 22:17 ` Paul Moore
2019-05-30 14:15 ` Richard Guy Briggs
2019-05-30 14:32 ` Paul Moore
2019-04-09 3:39 ` [PATCH ghak90 V6 10/10] audit: NETFILTER_PKT: record each container ID associated with a netNS Richard Guy Briggs
2019-04-11 11:31 ` [PATCH ghak90 V6 00/10] audit: implement container identifier Richard Guy Briggs
2019-04-22 11:38 ` Neil Horman
2019-04-22 13:49 ` Paul Moore
2019-04-23 10:28 ` Neil Horman
2019-05-28 21:53 ` Daniel Walsh
2019-05-28 22:25 ` Richard Guy Briggs
2019-05-28 22:26 ` Paul Moore
2019-05-28 23:00 ` Steve Grubb
2019-05-29 0:43 ` Richard Guy Briggs
2019-05-29 12:02 ` Daniel Walsh
2019-05-29 13:17 ` Paul Moore
2019-05-29 14:07 ` Daniel Walsh
2019-05-29 14:33 ` Paul Moore
2019-05-29 13:14 ` Paul Moore
2019-05-29 22:26 ` Paul Moore
2019-05-30 13:08 ` Steve Grubb
2019-05-30 13:35 ` Paul Moore
2019-05-30 14:08 ` Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190708181237.5poheliito7zpvmc@madcap2.tricolour.ca \
--to=rgb@redhat.com \
--cc=containers@lists.linux-foundation.org \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=eparis@parisplace.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-audit@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=nhorman@tuxdriver.com \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
--cc=sgrubb@redhat.com \
--cc=simo@redhat.com \
--cc=tycho@tycho.ws \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).