From: Aristeu Rozanski <arozansk-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
To: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
Cc: Linux Containers
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
Eric Paris <eparis-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Subject: Re: [PATCH RFC] audit: provide namespace information in user originated records
Date: Wed, 20 Mar 2013 11:45:03 -0400 [thread overview]
Message-ID: <20130320154503.GF20187@redhat.com> (raw)
In-Reply-To: <874ng7gcst.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
On Tue, Mar 19, 2013 at 05:00:50PM -0700, Eric W. Biederman wrote:
> It is always possible to pick the instance of /proc connected to the
> initial pid namespace. And there is a device number you can use to say
> that.
I wasn't aware of that, I'll take a look, thanks!
> The reasons were simply that to my knowledge no one has thought through
> how audit records and namespaces make sense to interact.
>
> My expectation would be that an extention of audit records would be
> logged on a per container basis. But I don't have any motivating
> examples.
from what I've heard, there're two possibilites here: if a container is
understood to be "light virtualization", it should behave just like
another machine by having its own auditd daemon, sending records over
the network to the host. If that's not the case, a single auditd must be
present. But, the fact that you might want to run a sshd server inside a
container it might be desirable to have USER_AUTH records for example.
> I though you would have taken the time to run it at least once, or to
> perhaps have manually edited your example to see how things would fit
> together.
I did run it with different namespaces but not with userns. The example
was to show how the extra record would look like and I randomly picked
one. The idea is that auditd will know which namespaces are the original
ones and can use that to filter containers' records, which could be
filtered out by default.
> What was really missing from your RFC is a motivating example. I sort
> of see that in your paragraph above but it isn't clear to me.
>
> What is lost by not allowing USER audit records from processes in
> containers? What is gained by implementing user process to have them?
> And of course what are your thoughts on preventing unprivileged users
> overwhelming the audit subsystem.
This is a bit fuzzy to me, perhaps due I'm not fully understanding
userns implementation yet, so bear with me:
I thought of changing so userns would not grant CAP_AUDIT_WRITE and
CAP_AUDIT_CONTROL unless the process already has it (i.e. it'd require
to be root on the init_ns). The 'init' process would start trusted
daemons with those capabilities then drop the capabilities for
everything else.
Does it make sense?
--
Aristeu
next prev parent reply other threads:[~2013-03-20 15:45 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1363619405-6419-1-git-send-email-arozansk@redhat.com>
[not found] ` <1363619405-6419-9-git-send-email-arozansk@redhat.com>
2013-03-18 21:28 ` [PATCH RFC 8/8] audit: allow user records to be created inside a container Eric W. Biederman
[not found] ` <1363619405-6419-8-git-send-email-arozansk@redhat.com>
2013-03-18 21:44 ` [PATCH RFC 7/8] audit: report namespace information along with USER events Eric W. Biederman
2013-03-19 12:08 ` Aristeu Rozanski
[not found] ` <871ubc9yda.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2014-01-24 6:19 ` Richard Guy Briggs
[not found] ` <1363619405-6419-1-git-send-email-arozansk-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-03-18 22:16 ` [PATCH RFC] audit: provide namespace information in user originated records Eric W. Biederman
[not found] ` <877gl48iaz.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-03-19 12:24 ` Aristeu Rozanski
[not found] ` <20130319122408.GC20187-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-03-20 0:00 ` Eric W. Biederman
[not found] ` <874ng7gcst.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-03-20 15:12 ` Serge Hallyn
2013-03-20 15:45 ` Aristeu Rozanski [this message]
[not found] ` <20130320154503.GF20187-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-03-20 18:36 ` Serge Hallyn
2013-03-20 18:42 ` Eric Paris
2013-03-20 18:49 ` Serge Hallyn
2013-03-20 19:01 ` Eric Paris
2013-03-20 19:17 ` Aristeu Rozanski
2013-03-20 19:19 ` Serge Hallyn
2013-03-20 23:23 ` Eric W. Biederman
[not found] ` <87y5dh8xl7.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-03-21 1:46 ` Eric Paris
2013-03-21 2:21 ` Serge Hallyn
2013-03-21 4:48 ` Eric W. Biederman
2013-03-18 15:45 Aristeu Rozanski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130320154503.GF20187@redhat.com \
--to=arozansk-h+wxahxf7alqt0dzr+alfa@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
--cc=eparis-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox