From: Richard Guy Briggs <rgb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
To: Stefan Berger
<stefanb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
Cc: cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
mszeredi-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
trondmy-7I+n7zu2hftEKMMhf/gKZA@public.gmane.org,
luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org,
jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
carlos-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
LKML <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
Linux-Audit Mailing List
<linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org,
simo-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
eparis-FjpueFixGhCM4zKIHC2jIg@public.gmane.org,
viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org
Subject: Re: [RFC PATCH V1 01/12] audit: add container id
Date: Wed, 18 Apr 2018 15:51:36 -0400
Message-ID: <20180418195136.sbogbumlputhbvfx__34421.0511692383$1524081366$gmane$org@madcap2.tricolour.ca>
In-Reply-To: <c1ec93a2-b398-373c-55da-b2be8e60c6b6-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
On 2018-04-18 15:39, Stefan Berger wrote:
> On 04/18/2018 03:23 PM, Richard Guy Briggs wrote:
> > On 2018-04-18 14:45, Stefan Berger wrote:
> > > On 03/15/2018 11:58 PM, Richard Guy Briggs wrote:
> > > > On 2018-03-15 16:27, Stefan Berger wrote:
> > > > > On 03/01/2018 02:41 PM, Richard Guy Briggs wrote:
> > > > > > Implement the proc fs write to set the audit container ID of a process,
> > > > > > emitting an AUDIT_CONTAINER record to document the event.
> > > > > >
> > > > > > This is a write from the container orchestrator task to a proc entry of
> > > > > > the form /proc/PID/containerid where PID is the process ID of the newly
> > > > > > created task that is to become the first task in a container, or an
> > > > > > additional task added to a container.
> > > > > >
> > > > > > The write expects up to a u64 value (unset: 18446744073709551615).
> > > > > >
> > > > > > This will produce a record such as this:
> > > > > > type=UNKNOWN[1333] msg=audit(1519903238.968:261): op=set pid=596 uid=0 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 auid=0 tty=pts0 ses=1 opid=596 old-contid=18446744073709551615 contid=123455 res=0
> > > > > >
> > > > > > The "op" field indicates an initial set. The "pid" to "ses" fields are
> > > > > > the orchestrator while the "opid" field is the object's PID, the process
> > > > > > being "contained". Old and new container ID values are given in the
> > > > > > "contid" fields, while res indicates its success.
> > > > > >
> > > > > > It is not permitted to self-set, unset or re-set the container ID. A
> > > > > > child inherits its parent's container ID, but then can be set only once
> > > > > > after.
> > > > > >
> > > > > > See: https://github.com/linux-audit/audit-kernel/issues/32
> > > > > >
> > > > > >
> > > > > > /* audit_rule_data supports filter rules with both integer and string
> > > > > > * fields. It corresponds with AUDIT_ADD_RULE, AUDIT_DEL_RULE and
> > > > > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > > > > > index 4e0a4ac..0ee1e59 100644
> > > > > > --- a/kernel/auditsc.c
> > > > > > +++ b/kernel/auditsc.c
> > > > > > @@ -2073,6 +2073,92 @@ int audit_set_loginuid(kuid_t loginuid)
> > > > > > return rc;
> > > > > > }
> > > > > >
> > > > > > +static int audit_set_containerid_perm(struct task_struct *task, u64 containerid)
> > > > > > +{
> > > > > > + struct task_struct *parent;
> > > > > > + u64 pcontainerid, ccontainerid;
> > > > > > + pid_t ppid;
> > > > > > +
> > > > > > + /* Don't allow to set our own containerid */
> > > > > > + if (current == task)
> > > > > > + return -EPERM;
> > > > > > + /* Don't allow the containerid to be unset */
> > > > > > + if (!cid_valid(containerid))
> > > > > > + return -EINVAL;
> > > > > > + /* if we don't have caps, reject */
> > > > > > + if (!capable(CAP_AUDIT_CONTROL))
> > > > > > + return -EPERM;
> > > > > > + /* if containerid is unset, allow */
> > > > > > + if (!audit_containerid_set(task))
> > > > > > + return 0;
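Review bot: the self-set check `if (current == task)` compares task_structs, so it only rejects the calling thread setting its own audit container ID; another thread of the same thread group is a different task_struct and passes, which leaves the "not permitted to self-set" rule from the commit message only partly enforced here. Consider `same_thread_group(current, task)` for that test. Separately, `capable(CAP_AUDIT_CONTROL)` is evaluated after `cid_valid(containerid)`, so an unprivileged writer is answered with -EINVAL or -EPERM depending on the value written; checking the capability first keeps the unprivileged path to a single -EPERM.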
> > > > > I am wondering whether there should be a check for the target process that
> > > > > will receive the containerid to not have CAP_SYS_ADMIN that would otherwise
> > > > > allow it to arbitrarily unshare()/clone() and leave the set of namespaces
> > > > > that may make up the container whose containerid we assign here?
> > > > This is a reasonable question. This has been debated and I understood
> > > > the conclusion was that without a clear definition of a "container", the
> > > > task still remains in that container that just now has more
> > > > sub-namespaces (in the case of hierarchical namespaces), we don't want
> > > > to restrict it in such a way and that allows it to create nested
> > > > containers. I see setns being more problematic if it could switch to
> > > > another existing namespace that was set up by the orchestrator for a
> > > > different container. The coming v2 patchset acknowledges this situation
> > > > with the network namespace being potentially shared by multiple
> > > > containers.
> > > Are you going to post v2 soon? We would like to build on top of it for IMA
> > > namespacing and auditing inside of IMA namespaces.
> > I don't know if it addresses your specific needs, but V2 was posted on
> > March 16th along with userspace patches:
> > https://www.redhat.com/archives/linux-audit/2018-March/msg00110.html
> > https://www.redhat.com/archives/linux-audit/2018-March/msg00124.html
> >
> > V3 is pending.
> Thanks. I hadn't actually looked at it, primarily due to the ghak and ghau in
> the title. Whatever these may mean.
They are Github issue numbers:
GHAK: GitHub Audit Kernel
GHAU: GitHub Audit Userspace
GHAD: GitHub Audit Documentation
GHAT: GitHub Audit Testsuite
> Does V2, or will V3, prevent a privileged process from calling setns() into a
> whole different set of namespaces while still being audited with that initial
> container id?
No, not significantly different from V1 in that respect.
It does not prevent setns(), but will maintain its containerid.
It will prevent games by blocking a child and parent from setting each
other's containerids.
It does check that the task being containered does not yet have any
children or peer threads.
- RGB
--
Richard Guy Briggs <rgb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
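As an added example (not part of this thread or of the audit patchset), a small Python parser for the AUDIT_CONTAINER record format quoted in the commit message above, plus a check that flags "set" records showing a transition the commit message says is never permitted (re-setting an already-set ID, or writing the unset value). The type number 1333, the u64 unset sentinel and the first sample line come from the commit message; the other two log lines are constructed here.

```python
import re
from typing import Dict, List, Optional, Tuple

CONTID_UNSET = 18446744073709551615   # u64 max: the "unset" value from the commit message
AUDIT_CONTAINER = 1333                 # record type number, printed as UNKNOWN[1333]
_LINE_RE = re.compile(r"^type=UNKNOWN\[(\d+)\] msg=audit\((\d+\.\d+):(\d+)\): (.*)$")


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Parse one audit line into its key=value fields (plus '_serial');
    returns None unless it is an AUDIT_CONTAINER record."""
    m = _LINE_RE.match(line.strip())
    if not m or int(m.group(1)) != AUDIT_CONTAINER:
        return None
    # The body is space-separated key=value pairs; none of these values contain spaces.
    fields = dict(kv.split("=", 1) for kv in m.group(4).split())
    fields["_serial"] = m.group(3)
    return fields


def contid(fields: Dict[str, str], key: str) -> Optional[int]:
    """Decode 'contid' or 'old-contid', mapping the unset sentinel to None."""
    value = int(fields[key])
    return None if value == CONTID_UNSET else value


def check_records(lines: List[str]) -> List[Tuple[int, str]]:
    """Flag 'set' records whose transition the commit message says is never permitted."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec.get("op") != "set":
            continue
        serial = int(rec["_serial"])
        if contid(rec, "old-contid") is not None:
            findings.append((serial, "re-set: opid already had a container ID"))
        if contid(rec, "contid") is None:
            findings.append((serial, "unset: new contid is the unset sentinel"))
    return findings


# Constructed sample log: line 1 is the record quoted in the commit message,
# lines 2 and 3 are made up here to exercise the re-set and unset checks.
SAMPLE_LOG = [
    "type=UNKNOWN[1333] msg=audit(1519903238.968:261): op=set pid=596 uid=0 "
    "subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 auid=0 tty=pts0 ses=1 "
    "opid=596 old-contid=18446744073709551615 contid=123455 res=0",
    "type=UNKNOWN[1333] msg=audit(1519903300.101:262): op=set pid=600 uid=0 auid=0 "
    "tty=pts0 ses=1 opid=700 old-contid=123455 contid=999 res=0",
    "type=UNKNOWN[1333] msg=audit(1519903300.205:263): op=set pid=600 uid=0 auid=0 "
    "tty=pts0 ses=1 opid=701 old-contid=18446744073709551615 contid=18446744073709551615 res=0",
]
```

Once userspace knows the record name, the `UNKNOWN[1333]` prefix will be rendered by its symbolic type instead, so a production parser should accept both forms.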