From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
To: Daniel J Walsh <dwalsh-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Eric Paris <eparis-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
matthltc-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org
Subject: Re: [Part1 PATCH 00/22] Add namespace support for audit
Date: Fri, 21 Jun 2013 03:49:34 -0700 [thread overview]
Message-ID: <87ehbvivr5.fsf@xmission.com> (raw)
In-Reply-To: <51C42221.3030206-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> (Daniel J. Walsh's message of "Fri, 21 Jun 2013 05:51:29 -0400")
Daniel J Walsh <dwalsh-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> writes:
> Will I be able to use the audit namespace without the user namespace. I would
> prefer to be able to use the audit namespace long before I am willing to take
> a chance with the User Namespace for things like light weight virtualization
> and securing processes with MAC.
I will be very surprised if we settle on a design that allows it.
I still think even the existence of multiple audit contexts is a little
iffy but the desire seems strong enough Gao feng will probably work
through all of the issues.
Without restricting processes to a user namespace at the same time as
restricting them to an audit context it becomes very easy to violate the
important audit policies and to bury user space generated messages from
privileged userspace applications. At least in a user namespace we know
you are not privileged with respect to the rest of the system, so we
would only be dealing with userspace messages you would not be able to
generate otherwise.
As for taking a chance. You will probably safer with a simultaneous use
of user namespaces and having processes secured with a MAC. To the best
of my knowledge previous solutions have only been really safe when you
trusted the processes inside not to be malicious. A user namespace at
least means you can stop using uid 0 inside of your light weight
virtualization.
Eric
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm@xmission.com (Eric W. Biederman)
To: Daniel J Walsh <dwalsh@redhat.com>
Cc: Gao feng <gaofeng@cn.fujitsu.com>, Eric Paris <eparis@redhat.com>,
containers@lists.linux-foundation.org, serge.hallyn@ubuntu.com,
linux-kernel@vger.kernel.org, linux-audit@redhat.com,
matthltc@linux.vnet.ibm.com, Aristeu Rozanski <aris@redhat.com>
Subject: Re: [Part1 PATCH 00/22] Add namespace support for audit
Date: Fri, 21 Jun 2013 03:49:34 -0700 [thread overview]
Message-ID: <87ehbvivr5.fsf@xmission.com> (raw)
In-Reply-To: <51C42221.3030206@redhat.com> (Daniel J. Walsh's message of "Fri, 21 Jun 2013 05:51:29 -0400")
Daniel J Walsh <dwalsh@redhat.com> writes:
> Will I be able to use the audit namespace without the user namespace. I would
> prefer to be able to use the audit namespace long before I am willing to take
> a chance with the User Namespace for things like light weight virtualization
> and securing processes with MAC.
I will be very surprised if we settle on a design that allows it.
I still think even the existence of multiple audit contexts is a little
iffy but the desire seems strong enough Gao feng will probably work
through all of the issues.
Without restricting processes to a user namespace at the same time as
restricting them to an audit context it becomes very easy to violate the
important audit policies and to bury user space generated messages from
privileged userspace applications. At least in a user namespace we know
you are not privileged with respect to the rest of the system, so we
would only be dealing with userspace messages you would not be able to
generate otherwise.
As for taking a chance. You will probably safer with a simultaneous use
of user namespaces and having processes secured with a MAC. To the best
of my knowledge previous solutions have only been really safe when you
trusted the processes inside not to be malicious. A user namespace at
least means you can stop using uid 0 inside of your light weight
virtualization.
Eric
next prev parent reply other threads:[~2013-06-21 10:49 UTC|newest]
Thread overview: 83+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-19 1:53 [Part1 PATCH 00/22] Add namespace support for audit Gao feng
2013-06-19 1:53 ` Gao feng
[not found] ` <1371606834-5802-1-git-send-email-gaofeng-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-06-19 1:53 ` [PATCH 01/22] Audit: change type of audit_ever_enabled to bool Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 02/22] Audit: remove duplicate comments Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 03/22] Audit: make audit kernel side netlink sock per userns Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 04/22] netlink: Add compare function for netlink_table Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 05/22] Audit: implement audit self-defined compare function Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 06/22] Audit: make audit_skb_queue per user namespace Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 07/22] Audit: make audit_skb_hold_queue " Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 08/22] Audit: make kauditd_task " Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 09/22] Audit: make audit_nlk_portid per user namesapce Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 10/22] Audit: make audit_enabled per user namespace Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 11/22] Audit: make audit_ever_enabled " Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 12/22] Audit: make audit_initialized " Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 13/22] Audit: only allow init user namespace to change rate limit Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 14/22] Audit: only allow init user namespace to change audit_failure Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 15/22] Audit: only allow init user namespace to change backlog_limit Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 16/22] Audit: make kauditd_wait per user namespace Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 17/22] Audit: make audit_backlog_wait " Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 18/22] Audit: introduce new audit logging interface for " Gao feng
2013-06-19 1:53 ` [PATCH 19/22] Audit: pass proper user namespace to audit_log_common_recv_msg Gao feng
2013-06-19 1:53 ` [PATCH 20/22] Audit: Log audit config change in uninit user namespace Gao feng
2013-06-19 1:53 ` [PATCH 21/22] Audit: send reply message to the auditd in proper " Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 22/22] Audit: Allow GET, SET, USER MSG operations in uninit " Gao feng
2013-06-19 20:49 ` [Part1 PATCH 00/22] Add namespace support for audit Aristeu Rozanski
2013-06-19 20:49 ` Aristeu Rozanski
[not found] ` <20130619204927.GJ3212-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-06-19 20:51 ` Eric Paris
2013-06-19 20:51 ` Eric Paris
[not found] ` <1371675095.16587.5.camel-97fqgl+48DwtHMky1e46ABcY2uh10dtjAL8bYrjMMd8@public.gmane.org>
2013-06-19 21:03 ` Eric W. Biederman
2013-06-19 21:03 ` Eric W. Biederman
[not found] ` <87a9mlu82y.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-06-20 5:21 ` Gao feng
2013-06-20 5:21 ` Gao feng
2013-06-20 3:02 ` Gao feng
2013-06-20 3:02 ` Gao feng
[not found] ` <51C270AF.1080902-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-06-20 3:09 ` Gao feng
2013-06-20 3:09 ` Gao feng
[not found] ` <51C27266.3060909-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-06-20 22:01 ` Eric W. Biederman
2013-06-20 22:01 ` Eric W. Biederman
[not found] ` <87y5a4phlm.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-06-21 5:15 ` Gao feng
2013-06-21 5:15 ` Gao feng
2013-06-24 15:02 ` Aristeu Rozanski
2013-06-24 15:02 ` Aristeu Rozanski
[not found] ` <20130624150237.GA3535-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-06-24 19:03 ` Eric W. Biederman
2013-06-24 19:03 ` Eric W. Biederman
2013-06-20 13:02 ` Eric Paris
2013-06-20 13:02 ` Eric Paris
2013-06-20 13:02 ` Eric Paris
[not found] ` <1371733353.16587.19.camel-97fqgl+48DwtHMky1e46ABcY2uh10dtjAL8bYrjMMd8@public.gmane.org>
2013-06-20 20:45 ` Serge E. Hallyn
2013-06-20 20:45 ` Serge E. Hallyn
2013-06-21 3:48 ` Gao feng
2013-06-21 3:48 ` Gao feng
[not found] ` <51C3CCFB.4030901-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-06-21 9:51 ` Daniel J Walsh
2013-06-21 9:51 ` Daniel J Walsh
[not found] ` <51C42221.3030206-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-06-21 10:49 ` Eric W. Biederman [this message]
2013-06-21 10:49 ` Eric W. Biederman
2013-07-04 3:30 ` Gao feng
2013-07-04 3:30 ` Gao feng
2013-06-19 1:53 ` [PATCH 18/22] Audit: introduce new audit logging interface for user namespace Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 19/22] Audit: pass proper user namespace to audit_log_common_recv_msg Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 20/22] Audit: Log audit config change in uninit user namespace Gao feng
2013-06-19 1:53 ` Gao feng
2013-06-19 1:53 ` [PATCH 22/22] Audit: Allow GET,SET,USER MSG operations " Gao feng
2013-06-19 1:53 ` Gao feng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87ehbvivr5.fsf@xmission.com \
--to=ebiederm-as9lmozglivwk0htik3j/w@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=dwalsh-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=eparis-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=matthltc-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org \
--cc=serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.