From: James Bottomley <James.Bottomley-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
To: Simo Sorce <simo-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
Casey Schaufler <casey-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>,
Steve Grubb <sgrubb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org
Cc: mszeredi-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
trondmy-7I+n7zu2hftEKMMhf/gKZA@public.gmane.org,
jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
Linux API <linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Linux Containers
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
Linux Kernel
<linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
David Howells <dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
Carlos O'Donell <carlos-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
"Eric W. Biederman"
<ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>,
Andy Lutomirski <luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
Linux Network Development
<netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Linux FS Devel
<linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Eric Paris <eparis-FjpueFixGhCM4zKIHC2jIg@public.gmane.org>,
Al Viro <viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org>
Subject: Re: RFC(v2): Audit Kernel Container IDs
Date: Tue, 17 Oct 2017 08:44:51 -0700 [thread overview]
Message-ID: <1508255091.3129.27.camel@HansenPartnership.com> (raw)
In-Reply-To: <1508254120.6230.34.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
On Tue, 2017-10-17 at 11:28 -0400, Simo Sorce wrote:
> > Without a *kernel* policy on containerIDs you can't say what
> > security policy is being exempted.
>
> The policy has been basically stated earlier.
>
> A way to track a set of processes from a specific point in time
> forward. The name used is "container id", but it could be anything.
> This marker is mostly used by user space to track process hierarchies
> without races, these processes can be very privileged, and must not
> be allowed to change the marker themselves when granted the current
> common capabilities.
>
> Is this a good enough description ? If not can you clarify your
> expectations ?
I think you mean you want to be able to apply a label to a process
which is inherited across forks. The label should only be susceptible
to modification by something possessing a capability (which one TBD).
The idea is that processes spawned into a container would be labelled
by the container orchestration system. It's unclear what should happen
to processes using nsenter after the fact, but policy for that should
be up to the orchestration system.
The label will be used as a tag for audit information.
I think you were missing label inheritance above.
The security implications are that anything that can change the label
could also hide itself and its doings from the audit system and thus
would be used as a means to evade detection. I actually think this
means the label should be write once (once you've set it, you can't
change it) and orchestration systems should begin as unlabelled
processes allowing them to do arbitrary forks.
For nested containers, I actually think the label should be
hierarchical, so you can add a label for the new nested container but
it still also contains its parents label as well.
James
WARNING: multiple messages have this Message-ID (diff)
From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Simo Sorce <simo@redhat.com>,
Casey Schaufler <casey@schaufler-ca.com>,
Steve Grubb <sgrubb@redhat.com>,
linux-audit@redhat.com
Cc: mszeredi@redhat.com, trondmy@primarydata.com, jlayton@redhat.com,
Linux API <linux-api@vger.kernel.org>,
Linux Containers <containers@lists.linux-foundation.org>,
Linux Kernel <linux-kernel@vger.kernel.org>,
David Howells <dhowells@redhat.com>,
Carlos O'Donell <carlos@redhat.com>,
cgroups@vger.kernel.org,
"Eric W. Biederman" <ebiederm@xmission.com>,
Andy Lutomirski <luto@kernel.org>,
Linux Network Development <netdev@vger.kernel.org>,
Linux FS Devel <linux-fsdevel@vger.kernel.org>,
Eric Paris <eparis@parisplace.org>,
Al Viro <viro@zeniv.linux.org.uk>
Subject: Re: RFC(v2): Audit Kernel Container IDs
Date: Tue, 17 Oct 2017 08:44:51 -0700 [thread overview]
Message-ID: <1508255091.3129.27.camel@HansenPartnership.com> (raw)
In-Reply-To: <1508254120.6230.34.camel@redhat.com>
On Tue, 2017-10-17 at 11:28 -0400, Simo Sorce wrote:
> > Without a *kernel* policy on containerIDs you can't say what
> > security policy is being exempted.
>
> The policy has been basically stated earlier.
>
> A way to track a set of processes from a specific point in time
> forward. The name used is "container id", but it could be anything.
> This marker is mostly used by user space to track process hierarchies
> without races, these processes can be very privileged, and must not
> be allowed to change the marker themselves when granted the current
> common capabilities.
>
> Is this a good enough description ? If not can you clarify your
> expectations ?
I think you mean you want to be able to apply a label to a process
which is inherited across forks. The label should only be susceptible
to modification by something possessing a capability (which one TBD).
The idea is that processes spawned into a container would be labelled
by the container orchestration system. It's unclear what should happen
to processes using nsenter after the fact, but policy for that should
be up to the orchestration system.
The label will be used as a tag for audit information.
I think you were missing label inheritance above.
The security implications are that anything that can change the label
could also hide itself and its doings from the audit system and thus
would be used as a means to evade detection. I actually think this
means the label should be write once (once you've set it, you can't
change it) and orchestration systems should begin as unlabelled
processes allowing them to do arbitrary forks.
For nested containers, I actually think the label should be
hierarchical, so you can add a label for the new nested container but
it still also contains its parents label as well.
James
next prev parent reply other threads:[~2017-10-17 15:44 UTC|newest]
Thread overview: 93+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-12 14:14 RFC(v2): Audit Kernel Container IDs Richard Guy Briggs
2017-10-12 14:14 ` Richard Guy Briggs
2017-10-12 15:45 ` Steve Grubb
2017-10-19 19:57 ` Richard Guy Briggs
2017-10-19 19:57 ` Richard Guy Briggs
[not found] ` <20171019195747.4ssujtaj3f5ipsoh-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2017-10-19 23:11 ` Aleksa Sarai
2017-10-19 23:11 ` Aleksa Sarai
2017-10-19 23:15 ` Aleksa Sarai
[not found] ` <8f495870-dd6c-23b9-b82b-4228a441c729-l3A5Bk7waGM@public.gmane.org>
2017-10-19 23:15 ` Aleksa Sarai
2017-10-20 2:25 ` Steve Grubb
2017-10-20 2:25 ` Steve Grubb
2017-10-20 2:25 ` Steve Grubb
2017-10-19 23:11 ` Aleksa Sarai
2017-10-19 19:57 ` Richard Guy Briggs
[not found] ` <20171012141359.saqdtnodwmbz33b2-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2017-10-12 15:45 ` Steve Grubb
2017-10-12 16:33 ` Casey Schaufler
2017-10-12 16:33 ` Casey Schaufler
2017-10-12 16:33 ` Casey Schaufler
[not found] ` <75b7d6a6-42ba-2dff-1836-1091c7c024e7-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2017-10-17 0:33 ` Richard Guy Briggs
2017-12-09 10:20 ` Mickaël Salaün
2017-12-09 10:20 ` Mickaël Salaün
[not found] ` <7ebca85a-425c-2b95-9a5f-59d81707339e-WFhQfpSGs3bR7s880joybQ@public.gmane.org>
2017-12-09 18:28 ` Casey Schaufler
2017-12-09 18:28 ` Casey Schaufler
2017-12-09 18:28 ` Casey Schaufler
2017-12-09 18:28 ` Casey Schaufler
[not found] ` <f8ea78be-9bbf-2967-7b12-ac93bb85b0bc-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2017-12-11 16:30 ` Eric Paris
2017-12-11 16:30 ` Eric Paris
[not found] ` <1513009857.6310.337.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-12-11 16:52 ` Casey Schaufler
2017-12-11 19:37 ` Steve Grubb
2017-12-11 19:37 ` Steve Grubb
2017-12-11 19:37 ` Steve Grubb
2017-12-11 16:52 ` Casey Schaufler
2017-12-11 15:10 ` Richard Guy Briggs
2017-12-11 15:10 ` Richard Guy Briggs
2017-12-11 15:10 ` Richard Guy Briggs
2017-12-11 15:10 ` Richard Guy Briggs
2017-12-09 10:20 ` Mickaël Salaün
2017-10-17 0:33 ` Richard Guy Briggs
2017-10-17 1:10 ` Casey Schaufler
[not found] ` <81c15928-c445-fb8e-251c-bee566fbbf58-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2017-10-19 0:05 ` Richard Guy Briggs
2017-10-19 0:05 ` Richard Guy Briggs
[not found] ` <20171019000527.eio6dfsmujmtioyt-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2017-10-19 13:32 ` Casey Schaufler
2017-10-19 13:32 ` Casey Schaufler
2017-10-19 13:32 ` Casey Schaufler
[not found] ` <18cb69a5-f998-0e6e-85df-7f4b9b768a6f-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2017-10-19 15:51 ` Paul Moore
2017-10-19 15:51 ` Paul Moore
2017-10-19 0:05 ` Richard Guy Briggs
[not found] ` <20171017003340.whjdkqmkw4lydwy7-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2017-10-17 1:10 ` Casey Schaufler
2017-10-17 1:42 ` Steve Grubb
2017-10-17 1:42 ` Steve Grubb
2017-10-17 12:31 ` Simo Sorce
2017-10-17 12:31 ` Simo Sorce
2017-10-17 14:59 ` Casey Schaufler
[not found] ` <a07968f6-fef1-f49d-01f1-6c660c0ada20-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2017-10-17 15:28 ` Simo Sorce
2017-10-17 15:28 ` Simo Sorce
[not found] ` <1508254120.6230.34.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-10-17 15:44 ` James Bottomley
2017-10-17 15:44 ` James Bottomley [this message]
2017-10-17 15:44 ` James Bottomley
2017-10-17 16:43 ` Casey Schaufler
[not found] ` <eb96144d-4ab5-7f9f-de18-b296db35a00a-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2017-10-17 17:15 ` Steve Grubb
2017-10-17 17:15 ` Steve Grubb
2017-10-17 17:57 ` James Bottomley
2017-10-17 17:57 ` James Bottomley
[not found] ` <1508263063.3129.35.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2017-10-18 0:23 ` Steve Grubb
2017-10-18 0:23 ` Steve Grubb
[not found] ` <1508255091.3129.27.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2017-10-17 16:43 ` Casey Schaufler
2017-10-18 20:56 ` Paul Moore
2017-10-18 20:56 ` Paul Moore
[not found] ` <CAHC9VhRV9m6-APj3ofMQc22rL-WUoDzB8-urUxryszjCHHHLTg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-10-18 23:46 ` Aleksa Sarai
2017-10-18 23:46 ` Aleksa Sarai
[not found] ` <49752b6f-8a77-d1e5-8acb-5a1eed0a992c-l3A5Bk7waGM@public.gmane.org>
2017-10-19 0:43 ` Eric W. Biederman
2017-10-19 0:43 ` Eric W. Biederman
[not found] ` <871sm0j7bm.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2017-10-19 15:36 ` Paul Moore
2017-10-19 15:36 ` Paul Moore
2017-10-19 15:36 ` Paul Moore
[not found] ` <CAHC9VhTYF-MJm3ejWXE1H-eeXKaNBkeWKwdiKdj093xATYn7nQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-10-19 16:25 ` Eric W. Biederman
2017-10-19 16:25 ` Eric W. Biederman
[not found] ` <87y3o7gl5l.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2017-10-19 17:47 ` Paul Moore
2017-10-19 17:47 ` Paul Moore
2017-10-19 16:25 ` Eric W. Biederman
2017-10-19 0:43 ` Eric W. Biederman
2017-10-17 16:10 ` Casey Schaufler
2017-10-17 16:10 ` Casey Schaufler
[not found] ` <1508243469.6230.24.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-10-17 14:59 ` Casey Schaufler
2017-10-18 19:58 ` Paul Moore
2017-10-18 19:58 ` Paul Moore
2017-10-12 17:59 ` Eric W. Biederman
2017-10-12 17:59 ` Eric W. Biederman
2017-10-13 13:43 ` Alan Cox
2017-10-13 13:43 ` Alan Cox
2017-10-13 13:43 ` Alan Cox
2017-10-13 13:43 ` Alan Cox
-- strict thread matches above, loose matches on Subject: below --
2017-10-12 14:14 Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1508255091.3129.27.camel@HansenPartnership.com \
--to=james.bottomley-d9phhud1jfjcxq6kfmz53/egyhegw8jk@public.gmane.org \
--cc=carlos-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=casey-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org \
--cc=cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
--cc=eparis-FjpueFixGhCM4zKIHC2jIg@public.gmane.org \
--cc=jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
--cc=mszeredi-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=sgrubb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=simo-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=trondmy-7I+n7zu2hftEKMMhf/gKZA@public.gmane.org \
--cc=viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.