From: ebiederm@xmission.com (Eric W. Biederman)
To: Richard Guy Briggs <rgb@redhat.com>
Cc: Paul Moore <paul@paul-moore.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
Tycho Andersen <tycho@tycho.ws>,
containers@lists.linux-foundation.org, linux-api@vger.kernel.org,
Linux-Audit Mailing List <linux-audit@redhat.com>,
linux-fsdevel@vger.kernel.org,
LKML <linux-kernel@vger.kernel.org>,
netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,
sgrubb@redhat.com, omosnace@redhat.com, dhowells@redhat.com,
simo@redhat.com, Eric Paris <eparis@parisplace.org>,
nhorman@tuxdriver.com
Subject: Re: [PATCH ghak90 V6 02/10] audit: add container id
Date: Fri, 19 Jul 2019 10:32:13 -0500 [thread overview]
Message-ID: <874l3ighvm.fsf@xmission.com> (raw)
In-Reply-To: <20190718005145.eshekqfr3navqqiy@madcap2.tricolour.ca> (Richard Guy Briggs's message of "Wed, 17 Jul 2019 20:51:45 -0400")
Richard Guy Briggs <rgb@redhat.com> writes:
> On 2019-07-16 19:30, Paul Moore wrote:
>> On Tue, Jul 16, 2019 at 6:03 PM Richard Guy Briggs <rgb@redhat.com> wrote:
>> > On 2019-07-15 17:04, Paul Moore wrote:
>> > > On Mon, Jul 8, 2019 at 2:06 PM Richard Guy Briggs <rgb@redhat.com> wrote:
>>
>> > > > At this point I would say we are at an impasse unless we trust
>> > > > ns_capable() or we implement audit namespaces.
>> > >
>> > > I'm not sure how we can trust ns_capable(), but if you can think of a
>> > > way I would love to hear it. I'm also not sure how namespacing audit
>> > > is helpful (see my above comments), but if you think it is please
>> > > explain.
>> >
>> > So if we are not namespacing, why do we not trust capabilities?
>>
>> We can trust capable(CAP_AUDIT_CONTROL) for enforcing audit container
>> ID policy, we can not trust ns_capable(CAP_AUDIT_CONTROL).
>
> Ok. So does a process in a non-init user namespace have two (or more)
> sets of capabilities stored in creds, one in the init_user_ns, and one
> in current_user_ns? Or does it get stripped of all its capabilities in
> init_user_ns once it has its own set in current_user_ns? If the former,
> then we can use capable(). If the latter, we need another mechanism, as
> you have suggested might be needed.
The latter. There is only one set of capabilities and it is in the
processes current user namespace.
Eric
next prev parent reply other threads:[~2019-07-19 15:32 UTC|newest]
Thread overview: 88+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-09 3:39 [PATCH ghak90 V6 00/10] audit: implement container identifier Richard Guy Briggs
2019-04-09 3:39 ` [PATCH ghak90 V6 01/10] audit: collect audit task parameters Richard Guy Briggs
2019-04-09 3:39 ` [PATCH ghak90 V6 02/10] audit: add container id Richard Guy Briggs
2019-05-29 14:57 ` Tycho Andersen
2019-05-29 15:29 ` Paul Moore
2019-05-29 15:34 ` Tycho Andersen
2019-05-29 16:03 ` Paul Moore
2019-05-29 22:28 ` Tycho Andersen
2019-05-29 22:39 ` Paul Moore
2019-05-30 17:09 ` Serge E. Hallyn
2019-05-30 19:29 ` Paul Moore
2019-05-30 21:29 ` Tycho Andersen
2019-05-30 23:26 ` Paul Moore
2019-05-31 0:20 ` Richard Guy Briggs
2019-05-31 12:44 ` Paul Moore
2019-06-03 20:24 ` Steve Grubb
2019-06-18 22:12 ` Paul Moore
2019-06-18 22:46 ` Richard Guy Briggs
2019-07-08 18:12 ` Richard Guy Briggs
2019-07-08 20:43 ` Paul Moore
2019-07-15 21:09 ` Paul Moore
2019-07-16 15:37 ` Richard Guy Briggs
2019-07-16 16:08 ` Paul Moore
2019-07-16 16:26 ` Richard Guy Briggs
2019-07-08 18:05 ` Richard Guy Briggs
2019-07-15 21:04 ` Paul Moore
2019-07-16 22:03 ` Richard Guy Briggs
2019-07-16 23:30 ` Paul Moore
2019-07-18 0:51 ` Richard Guy Briggs
2019-07-18 21:52 ` Paul Moore
2019-07-19 16:00 ` Eric W. Biederman
2019-07-19 22:41 ` Burn Alting
2019-07-20 2:19 ` James Bottomley
2019-07-19 15:32 ` Eric W. Biederman [this message]
2019-07-08 17:51 ` Richard Guy Briggs
2019-07-15 20:38 ` Paul Moore
2019-07-16 19:38 ` Richard Guy Briggs
2019-07-16 21:39 ` Paul Moore
2019-07-19 16:07 ` Eric W. Biederman
2019-04-09 3:39 ` [PATCH ghak90 V6 03/10] audit: read container ID of a process Richard Guy Briggs
2019-07-19 16:03 ` Eric W. Biederman
2019-07-19 17:05 ` Richard Guy Briggs
2019-04-09 3:39 ` [PATCH ghak90 V6 04/10] audit: log container info of syscalls Richard Guy Briggs
2019-05-29 22:15 ` Paul Moore
2019-05-30 13:08 ` Ondrej Mosnacek
2019-05-30 14:08 ` Richard Guy Briggs
2019-05-30 14:34 ` Paul Moore
2019-04-09 3:39 ` [PATCH ghak90 V6 05/10] audit: add contid support for signalling the audit daemon Richard Guy Briggs
2019-04-09 12:57 ` Ondrej Mosnacek
2019-04-09 13:40 ` Paul Moore
2019-04-09 13:48 ` Neil Horman
2019-04-09 14:00 ` Ondrej Mosnacek
2019-04-09 14:07 ` Paul Moore
2019-04-09 13:53 ` Richard Guy Briggs
2019-04-09 14:08 ` Paul Moore
2019-04-09 13:46 ` Neil Horman
2019-04-09 3:39 ` [PATCH ghak90 V6 06/10] audit: add support for non-syscall auxiliary records Richard Guy Briggs
2019-04-09 3:39 ` [PATCH ghak90 V6 07/10] audit: add containerid support for user records Richard Guy Briggs
2019-04-09 3:39 ` [PATCH ghak90 V6 08/10] audit: add containerid filtering Richard Guy Briggs
2019-05-29 22:16 ` Paul Moore
2019-05-30 14:19 ` Richard Guy Briggs
2019-05-30 14:34 ` Paul Moore
2019-05-30 20:37 ` Richard Guy Briggs
2019-05-30 20:45 ` Paul Moore
2019-05-30 21:10 ` Richard Guy Briggs
2019-04-09 3:39 ` [PATCH ghak90 V6 09/10] audit: add support for containerid to network namespaces Richard Guy Briggs
2019-05-29 22:17 ` Paul Moore
2019-05-30 14:15 ` Richard Guy Briggs
2019-05-30 14:32 ` Paul Moore
2019-04-09 3:39 ` [PATCH ghak90 V6 10/10] audit: NETFILTER_PKT: record each container ID associated with a netNS Richard Guy Briggs
2019-04-11 11:31 ` [PATCH ghak90 V6 00/10] audit: implement container identifier Richard Guy Briggs
2019-04-22 11:38 ` Neil Horman
2019-04-22 13:49 ` Paul Moore
2019-04-23 10:28 ` Neil Horman
2019-05-28 21:53 ` Daniel Walsh
2019-05-28 22:25 ` Richard Guy Briggs
2019-05-28 22:26 ` Paul Moore
2019-05-28 23:00 ` Steve Grubb
2019-05-29 0:43 ` Richard Guy Briggs
2019-05-29 12:02 ` Daniel Walsh
2019-05-29 13:17 ` Paul Moore
2019-05-29 14:07 ` Daniel Walsh
2019-05-29 14:33 ` Paul Moore
2019-05-29 13:14 ` Paul Moore
2019-05-29 22:26 ` Paul Moore
2019-05-30 13:08 ` Steve Grubb
2019-05-30 13:35 ` Paul Moore
2019-05-30 14:08 ` Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=874l3ighvm.fsf@xmission.com \
--to=ebiederm@xmission.com \
--cc=containers@lists.linux-foundation.org \
--cc=dhowells@redhat.com \
--cc=eparis@parisplace.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-audit@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=nhorman@tuxdriver.com \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=rgb@redhat.com \
--cc=serge@hallyn.com \
--cc=sgrubb@redhat.com \
--cc=simo@redhat.com \
--cc=tycho@tycho.ws \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).