Re: [PATCH ghak90 V6 02/10] audit: add container id

[PATCH ghak90 V6 00/10] audit: implement container identifier · Richard Guy Briggs <hidden> · 2019-04-09
[PATCH ghak90 V6 01/10] audit: collect audit task parameters · Richard Guy Briggs <hidden> · 2019-04-09
[PATCH ghak90 V6 02/10] audit: add container id · Richard Guy Briggs <hidden> · 2019-04-09
Re: [PATCH ghak90 V6 02/10] audit: add container id · Tycho Andersen <hidden> · 2019-05-29
Re: [PATCH ghak90 V6 02/10] audit: add container id · Paul Moore <paul@paul-moore.com> · 2019-05-29
Re: [PATCH ghak90 V6 02/10] audit: add container id · Tycho Andersen <hidden> · 2019-05-29
Re: [PATCH ghak90 V6 02/10] audit: add container id · Paul Moore <paul@paul-moore.com> · 2019-05-29
Re: [PATCH ghak90 V6 02/10] audit: add container id · Tycho Andersen <hidden> · 2019-05-29
Re: [PATCH ghak90 V6 02/10] audit: add container id · Paul Moore <paul@paul-moore.com> · 2019-05-29
Re: [PATCH ghak90 V6 02/10] audit: add container id · "Serge E. Hallyn" <serge@hallyn.com> · 2019-05-30
Re: [PATCH ghak90 V6 02/10] audit: add container id · Paul Moore <paul@paul-moore.com> · 2019-05-30
Re: [PATCH ghak90 V6 02/10] audit: add container id · Tycho Andersen <hidden> · 2019-05-30
Re: [PATCH ghak90 V6 02/10] audit: add container id · Paul Moore <paul@paul-moore.com> · 2019-05-30
Re: [PATCH ghak90 V6 02/10] audit: add container id · Richard Guy Briggs <hidden> · 2019-05-31
Re: [PATCH ghak90 V6 02/10] audit: add container id · Paul Moore <paul@paul-moore.com> · 2019-05-31
Re: [PATCH ghak90 V6 02/10] audit: add container id · Steve Grubb <hidden> · 2019-06-03
Re: [PATCH ghak90 V6 02/10] audit: add container id · Paul Moore <paul@paul-moore.com> · 2019-06-18
Re: [PATCH ghak90 V6 02/10] audit: add container id · Richard Guy Briggs <hidden> · 2019-06-18
Re: [PATCH ghak90 V6 02/10] audit: add container id · Richard Guy Briggs <hidden> · 2019-07-08
Re: [PATCH ghak90 V6 02/10] audit: add container id · Paul Moore <paul@paul-moore.com> · 2019-07-08
Re: [PATCH ghak90 V6 02/10] audit: add container id · Paul Moore <paul@paul-moore.com> · 2019-07-15
Re: [PATCH ghak90 V6 02/10] audit: add container id · Richard Guy Briggs <hidden> · 2019-07-16
Re: [PATCH ghak90 V6 02/10] audit: add container id · Paul Moore <paul@paul-moore.com> · 2019-07-16
Re: [PATCH ghak90 V6 02/10] audit: add container id · Richard Guy Briggs <hidden> · 2019-07-16
Re: [PATCH ghak90 V6 02/10] audit: add container id · Richard Guy Briggs <hidden> · 2019-07-08
Re: [PATCH ghak90 V6 02/10] audit: add container id · Paul Moore <paul@paul-moore.com> · 2019-07-15
Re: [PATCH ghak90 V6 02/10] audit: add container id · Richard Guy Briggs <hidden> · 2019-07-16
Re: [PATCH ghak90 V6 02/10] audit: add container id · Paul Moore <paul@paul-moore.com> · 2019-07-16
Re: [PATCH ghak90 V6 02/10] audit: add container id · Richard Guy Briggs <hidden> · 2019-07-18
Re: [PATCH ghak90 V6 02/10] audit: add container id · Paul Moore <paul@paul-moore.com> · 2019-07-18
Re: [PATCH ghak90 V6 02/10] audit: add container id · Richard Guy Briggs <hidden> · 2019-07-08
Re: [PATCH ghak90 V6 02/10] audit: add container id · Paul Moore <paul@paul-moore.com> · 2019-07-15
Re: [PATCH ghak90 V6 02/10] audit: add container id · Richard Guy Briggs <hidden> · 2019-07-16
Re: [PATCH ghak90 V6 02/10] audit: add container id · Paul Moore <paul@paul-moore.com> · 2019-07-16
[PATCH ghak90 V6 03/10] audit: read container ID of a process · Richard Guy Briggs <hidden> · 2019-04-09
[PATCH ghak90 V6 04/10] audit: log container info of syscalls · Richard Guy Briggs <hidden> · 2019-04-09
Re: [PATCH ghak90 V6 04/10] audit: log container info of syscalls · Paul Moore <paul@paul-moore.com> · 2019-05-29
Re: [PATCH ghak90 V6 04/10] audit: log container info of syscalls · Ondrej Mosnacek <omosnace@redhat.com> · 2019-05-30
Re: [PATCH ghak90 V6 04/10] audit: log container info of syscalls · Richard Guy Briggs <hidden> · 2019-05-30
Re: [PATCH ghak90 V6 04/10] audit: log container info of syscalls · Paul Moore <paul@paul-moore.com> · 2019-05-30
[PATCH ghak90 V6 05/10] audit: add contid support for signalling the audit daemon · Richard Guy Briggs <hidden> · 2019-04-09
Re: [PATCH ghak90 V6 05/10] audit: add contid support for signalling the audit daemon · Ondrej Mosnacek <omosnace@redhat.com> · 2019-04-09
Re: [PATCH ghak90 V6 05/10] audit: add contid support for signalling the audit daemon · Paul Moore <paul@paul-moore.com> · 2019-04-09
Re: [PATCH ghak90 V6 05/10] audit: add contid support for signalling the audit daemon · Neil Horman <nhorman@tuxdriver.com> · 2019-04-09
Re: [PATCH ghak90 V6 05/10] audit: add contid support for signalling the audit daemon · Ondrej Mosnacek <omosnace@redhat.com> · 2019-04-09
Re: [PATCH ghak90 V6 05/10] audit: add contid support for signalling the audit daemon · Paul Moore <paul@paul-moore.com> · 2019-04-09
Re: [PATCH ghak90 V6 05/10] audit: add contid support for signalling the audit daemon · Richard Guy Briggs <hidden> · 2019-04-09
Re: [PATCH ghak90 V6 05/10] audit: add contid support for signalling the audit daemon · Paul Moore <paul@paul-moore.com> · 2019-04-09
Re: [PATCH ghak90 V6 05/10] audit: add contid support for signalling the audit daemon · Neil Horman <nhorman@tuxdriver.com> · 2019-04-09
[PATCH ghak90 V6 06/10] audit: add support for non-syscall auxiliary records · Richard Guy Briggs <hidden> · 2019-04-09
[PATCH ghak90 V6 10/10] audit: NETFILTER_PKT: record each container ID associated with a netNS · Richard Guy Briggs <hidden> · 2019-04-09
[PATCH ghak90 V6 09/10] audit: add support for containerid to network namespaces · Richard Guy Briggs <hidden> · 2019-04-09
Re: [PATCH ghak90 V6 09/10] audit: add support for containerid to network namespaces · Paul Moore <paul@paul-moore.com> · 2019-05-29
Re: [PATCH ghak90 V6 09/10] audit: add support for containerid to network namespaces · Richard Guy Briggs <hidden> · 2019-05-30
Re: [PATCH ghak90 V6 09/10] audit: add support for containerid to network namespaces · Paul Moore <paul@paul-moore.com> · 2019-05-30
[PATCH ghak90 V6 08/10] audit: add containerid filtering · Richard Guy Briggs <hidden> · 2019-04-09
Re: [PATCH ghak90 V6 08/10] audit: add containerid filtering · Paul Moore <paul@paul-moore.com> · 2019-05-29
Re: [PATCH ghak90 V6 08/10] audit: add containerid filtering · Richard Guy Briggs <hidden> · 2019-05-30
Re: [PATCH ghak90 V6 08/10] audit: add containerid filtering · Paul Moore <paul@paul-moore.com> · 2019-05-30
Re: [PATCH ghak90 V6 08/10] audit: add containerid filtering · Richard Guy Briggs <hidden> · 2019-05-30
Re: [PATCH ghak90 V6 08/10] audit: add containerid filtering · Paul Moore <paul@paul-moore.com> · 2019-05-30
Re: [PATCH ghak90 V6 08/10] audit: add containerid filtering · Richard Guy Briggs <hidden> · 2019-05-30
[PATCH ghak90 V6 07/10] audit: add containerid support for user records · Richard Guy Briggs <hidden> · 2019-04-09
Re: [PATCH ghak90 V6 00/10] audit: implement container identifier · Richard Guy Briggs <hidden> · 2019-04-11
Re: [PATCH ghak90 V6 00/10] audit: implement container identifier · Neil Horman <nhorman@tuxdriver.com> · 2019-04-22
Re: [PATCH ghak90 V6 00/10] audit: implement container identifier · Paul Moore <paul@paul-moore.com> · 2019-04-22
Re: [PATCH ghak90 V6 00/10] audit: implement container identifier · Neil Horman <nhorman@tuxdriver.com> · 2019-04-23
Re: [PATCH ghak90 V6 00/10] audit: implement container identifier · Daniel Walsh <hidden> · 2019-05-28
Re: [PATCH ghak90 V6 00/10] audit: implement container identifier · Richard Guy Briggs <hidden> · 2019-05-28
Re: [PATCH ghak90 V6 00/10] audit: implement container identifier · Paul Moore <paul@paul-moore.com> · 2019-05-28
Re: [PATCH ghak90 V6 00/10] audit: implement container identifier · Steve Grubb <hidden> · 2019-05-28
Re: [PATCH ghak90 V6 00/10] audit: implement container identifier · Richard Guy Briggs <hidden> · 2019-05-29
Re: [PATCH ghak90 V6 00/10] audit: implement container identifier · Daniel Walsh <hidden> · 2019-05-29
Re: [PATCH ghak90 V6 00/10] audit: implement container identifier · Paul Moore <paul@paul-moore.com> · 2019-05-29
Re: [PATCH ghak90 V6 00/10] audit: implement container identifier · Daniel Walsh <hidden> · 2019-05-29
Re: [PATCH ghak90 V6 00/10] audit: implement container identifier · Paul Moore <paul@paul-moore.com> · 2019-05-29
Re: [PATCH ghak90 V6 00/10] audit: implement container identifier · Paul Moore <paul@paul-moore.com> · 2019-05-29
Re: [PATCH ghak90 V6 00/10] audit: implement container identifier · Paul Moore <paul@paul-moore.com> · 2019-05-29
Re: [PATCH ghak90 V6 00/10] audit: implement container identifier · Steve Grubb <hidden> · 2019-05-30
Re: [PATCH ghak90 V6 00/10] audit: implement container identifier · Paul Moore <paul@paul-moore.com> · 2019-05-30
Re: [PATCH ghak90 V6 00/10] audit: implement container identifier · Richard Guy Briggs <hidden> · 2019-05-30

From: Paul Moore <paul@paul-moore.com>
Date: 2019-07-15 20:38:39
Also in: linux-api, linux-fsdevel, lkml, netfilter-devel

On Mon, Jul 8, 2019 at 1:51 PM Richard Guy Briggs [off-list ref] wrote:

On 2019-05-29 11:29, Paul Moore wrote:

...

quoted

The idea is that only container orchestrators should be able to
set/modify the audit container ID, and since setting the audit
container ID can have a significant effect on the records captured
(and their routing to multiple daemons when we get there) modifying
the audit container ID is akin to modifying the audit configuration
which is why it is gated by CAP_AUDIT_CONTROL.  The current thinking
is that you would only change the audit container ID from one
set/inherited value to another if you were nesting containers, in
which case the nested container orchestrator would need to be granted
CAP_AUDIT_CONTROL (which everyone to date seems to agree is a workable
compromise).  We did consider allowing for a chain of nested audit
container IDs, but the implications of doing so are significant
(implementation mess, runtime cost, etc.) so we are leaving that out
of this effort.

We had previously discussed the idea of restricting
orchestrators/engines from only being able to set the audit container
identifier on their own descendants, but it was discarded.  I've added a
check to ensure this is now enforced.

When we weren't allowing nested orchestrators it wasn't necessary, but
with the move to support nesting I believe this will be a requirement.
We might also need/want to restrict audit container ID changes if a
descendant is acting as a container orchestrator and managing one or
more audit container IDs; although I'm less certain of the need for
this.

I've also added a check to ensure that a process can't set its own audit
container identifier ...

What does this protect against, or what problem does this solve?
Considering how easy it is to fork/exec, it seems like this could be
trivially bypassed.

... and that if the identifier is already set, then the
orchestrator/engine must be in a descendant user namespace from the
orchestrator that set the previously inherited audit container
identifier.

You lost me here ... although I don't like the idea of relying on X
namespace inheritance for a hard coded policy on setting the audit
container ID; we've worked hard to keep this independent of any
definition of a "container" and it would sadden me greatly if we had
to go back on that.

-- 
paul moore
www.paul-moore.com

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help