public inbox for cgroups@vger.kernel.org
 help / color / mirror / Atom feed
From: Topi Miettinen <toiwoton-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
To: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	pmladek-IBi9RG/b67k@public.gmane.org,
	luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org,
	serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org,
	keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org,
	Paul Moore <paul-r2n+y4ga6xFZroRs9YW3xA@public.gmane.org>,
	Eric Paris <eparis-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
	Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
	Li Zefan <lizefan-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>,
	Johannes Weiner <hannes-druUgvl0LCNAfugRpC6u6w@public.gmane.org>,
	"moderated list:AUDIT SUBSYSTEM"
	<linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
	"open list:CONTROL GROUP (CGROUP)"
	<cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
	"open list:CAPABILITIES"
	<linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Subject: Re: [PATCH] capabilities: audit capability use
Date: Wed, 13 Jul 2016 07:30:18 +0000	[thread overview]
Message-ID: <d882bf1d-e00d-3722-5695-12f257a15224@gmail.com> (raw)
In-Reply-To: <878tx79et8.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>

On 07/12/16 13:16, Eric W. Biederman wrote:
> Topi Miettinen <toiwoton-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> writes:
> 
>> On 07/11/16 21:57, Eric W. Biederman wrote:
>>> Topi Miettinen <toiwoton-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> writes:
>>>
>>>> There are many basic ways to control processes, including capabilities,
>>>> cgroups and resource limits. However, there are far fewer ways to find
>>>> out useful values for the limits, except blind trial and error.
>>>>
>>>> Currently, there is no way to know which capabilities are actually used.
>>>> Even the source code is only implicit, in-depth knowledge of each
>>>> capability must be used when analyzing a program to judge which
>>>> capabilities the program will exercise.
>>>>
>>>> Generate an audit message at system call exit, when capabilities are used.
>>>> This can then be used to configure capability sets for services by a
>>>> software developer, maintainer or system administrator.
>>>>
>>>> Test case demonstrating basic capability monitoring with the new
>>>> message types 1330 and 1331 and how the cgroups are displayed (boot to
>>>> rdshell):
>>>
>>> You totally miss the interactions with the user namespace so this won't
>>> give you the information you are aiming for.
>>
>> Please correct me if this is not right:
>>
>> There are two cases:
>> a) real capability use as seen outside the namespace
>> b) use of capabilities granted by the namespace
>> Both cases could be active independently.
>>
>> For auditing purposes, we're  mostly interested in a) and log noise from
>> b) could be even seen a distraction.
>>
>> For configuration purposes, both cases can be interesting, a) for the
>> configuration of  services and b) in case where the containerized
>> configuration is planned to be deployed outside. I'd still only log
>> a).
>>
>>
>> The same logic should apply with cgroup namespaces.
> 
> Not logging capabilities outside of the initial user namespace is
> certainly the conservative place to start, and what selinux does.
> 
> You should also be logging capability use from cap_capable.  Not

But cap_capable is not called from apparmor aa_capable or selinux
selinux_capable, how about security_capable()?

> ns_capable.  You are missing several kinds of capability use as
> a quick review of kernel/capability.c should have shown you.

Right, sorry about that.

-Topi

> 
> Eric
> 

  parent reply	other threads:[~2016-07-13  7:30 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-07-11 11:14 [PATCH] capabilities: audit capability use Topi Miettinen
     [not found] ` <1468235672-3745-1-git-send-email-toiwoton-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2016-07-11 15:25   ` Serge E. Hallyn
     [not found]     ` <20160711152543.GA17459-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2016-07-11 16:05       ` Topi Miettinen
     [not found]         ` <0355f70f-8356-f685-d37d-ba28668363a1-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2016-07-11 19:28           ` Topi Miettinen
2016-07-11 17:09   ` Tejun Heo
2016-07-11 19:47     ` Topi Miettinen
     [not found]       ` <683cdbb9-c414-07c7-16d3-41c4138ddf8d-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2016-07-12 14:59         ` Tejun Heo
     [not found]           ` <20160712145936.GH3190-piEFEHQLUPpN0TnZuCh8vA@public.gmane.org>
2016-07-13  6:52             ` Topi Miettinen
2016-07-11 21:57 ` Eric W. Biederman
     [not found]   ` <87vb0bbzyo.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2016-07-12  8:54     ` Topi Miettinen
2016-07-12 13:16       ` Eric W. Biederman
2016-07-12 22:00         ` Paul Moore
     [not found]         ` <878tx79et8.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2016-07-13  7:30           ` Topi Miettinen [this message]
2016-07-12 21:56 ` Paul Moore
  -- strict thread matches above, loose matches on Subject: below --
2016-07-03 15:08 [PATCH] capabilities: add capability cgroup controller Topi Miettinen
     [not found] ` <218f2bef-5e5e-89c4-154b-24dc49c82c31-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2016-07-03 16:13   ` [PATCH] capabilities: audit capability use kbuild test robot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=d882bf1d-e00d-3722-5695-12f257a15224@gmail.com \
    --to=toiwoton-re5jqeeqqe8avxtiumwx3w@public.gmane.org \
    --cc=cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
    --cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
    --cc=eparis-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
    --cc=hannes-druUgvl0LCNAfugRpC6u6w@public.gmane.org \
    --cc=keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org \
    --cc=linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
    --cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
    --cc=linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
    --cc=lizefan-hv44wF8Li93QT0dZR+AlfA@public.gmane.org \
    --cc=luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
    --cc=paul-r2n+y4ga6xFZroRs9YW3xA@public.gmane.org \
    --cc=pmladek-IBi9RG/b67k@public.gmane.org \
    --cc=serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org \
    --cc=tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox