From: Daniel Walsh <dwalsh@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>, Tejun Heo <tj@kernel.org>
Cc: Ondrej Mosnacek <omosnace@redhat.com>,
selinux@vger.kernel.org, Paul Moore <paul@paul-moore.com>,
Linux Security Module list
<linux-security-module@vger.kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
linux-fsdevel@vger.kernel.org, cgroups@vger.kernel.org
Subject: Re: [PATCH 0/3] Allow initializing the kernfs node's secctx based on its parent
Date: Thu, 17 Jan 2019 15:30:39 -0500 [thread overview]
Message-ID: <2ad98c79-c51b-d8a0-01cc-8e8c7ca8fb53@redhat.com> (raw)
In-Reply-To: <46abb960-f047-c2eb-96a8-72114cc44c86@tycho.nsa.gov>
On 1/17/19 11:39 AM, Stephen Smalley wrote:
> On 1/17/19 11:15 AM, Tejun Heo wrote:
>> Hello,
>>
>> On Thu, Jan 17, 2019 at 10:01:23AM -0500, Daniel Walsh wrote:
>>> The above comment is correct. We want to be able to run a container
>>> where we hand it control over a limited subdir of the cgroups hierachy.
>>> We can currently do this and label the content correctly, but when
>>> subdirs of the directory get created by processes inside the container
>>> they do not get the correct label. For example we add a label like
>>> system_u:object_r:container_file_t:s0 to a directory but when the
>>> process inside of the container creates a fd within this directory the
>>> kernel says the label is the default label for cgroups
>>> system_u:object_r:cgroup_t:s0. This forces us to write looser policy
>>> that from an SELinux point of view allows a process within the
>>> container
>>> to write anywhere on the cgroup file system, rather then just the
>>> designated directories.
>>
>> Can you please go into a bit more details on why the existing
>> cgroup delegation model isn't enough?
>
> I would hazard a guess that it is because the existing cgroup
> delegation model is based on user IDs and discretionary access control
> (DAC), whereas they are using per-container SELinux security contexts
> and mandatory access control (MAC) to enforce the separation of
> containers irrespective of UID and DAC. Optimally both would be
> supported by cgroup, as DAC and MAC have different properties and use
> cases.
As Steven said, existing model is DAC. We have the situation where we
have a "root" process running within a container that is not using User
Namespace. I want to control that that root process can not write to
anywhere within the cgroup hierarchy based on SELinux controls. This
is security in depth. If other mechanisms prevent the process from
writing to other places in cgroups that is great, but I want it also
secured from a MAC Point of view.
next prev parent reply other threads:[~2019-01-17 20:30 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-09 9:10 [PATCH 0/3] Allow initializing the kernfs node's secctx based on its parent Ondrej Mosnacek
2019-01-09 9:10 ` [PATCH 1/3] LSM: Add new hook for generic node initialization Ondrej Mosnacek
2019-01-09 14:35 ` Stephen Smalley
2019-01-09 16:06 ` Ondrej Mosnacek
2019-01-09 16:06 ` Ondrej Mosnacek
2019-01-09 9:10 ` [PATCH 2/3] selinux: Implement the object_init_security hook Ondrej Mosnacek
2019-01-09 14:40 ` Stephen Smalley
2019-01-11 1:58 ` Paul Moore
2019-01-09 9:10 ` [PATCH 3/3] kernfs: Initialize security of newly created nodes Ondrej Mosnacek
2019-01-09 15:44 ` Stephen Smalley
2019-01-11 2:08 ` Paul Moore
2019-01-11 20:50 ` [PATCH 0/3] Allow initializing the kernfs node's secctx based on its parent Tejun Heo
2019-01-14 9:14 ` Ondrej Mosnacek
2019-01-14 9:29 ` Ondrej Mosnacek
[not found] ` <64977013-e2a5-809d-7a3f-bffbda9276aa@redhat.com>
2019-01-17 16:15 ` Tejun Heo
2019-01-17 16:39 ` Stephen Smalley
2019-01-17 20:30 ` Daniel Walsh [this message]
2019-01-17 20:35 ` Daniel Walsh
2019-01-14 15:50 ` Tejun Heo
2019-01-15 14:36 ` Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2ad98c79-c51b-d8a0-01cc-8e8c7ca8fb53@redhat.com \
--to=dwalsh@redhat.com \
--cc=cgroups@vger.kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@vger.kernel.org \
--cc=tj@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).