From: "Serge E. Hallyn" <serge@hallyn.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: "Serge E. Hallyn" <serge@hallyn.com>, Tejun Heo <tj@kernel.org>,
Topi Miettinen <toiwoton@gmail.com>,
linux-kernel@vger.kernel.org, luto@kernel.org,
keescook@chromium.org, Jonathan Corbet <corbet@lwn.net>,
Li Zefan <lizefan@huawei.com>,
Johannes Weiner <hannes@cmpxchg.org>,
Serge Hallyn <serge.hallyn@canonical.com>,
James Morris <james.l.morris@oracle.com>,
Andrew Morton <akpm@linux-foundation.org>,
David Howells <dhowells@redhat.com>,
David Woodhouse <David.Woodhouse@intel.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
"Paul E. McKenney" <paulmck@linux.vnet.ibm.com>,
Petr Mladek <pmladek@suse.com>,
"open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
"open list:CONTROL GROUP (CGROUP)" <cgroups@vger.kernel.org>,
"open list:CAPABILITIES" <linux-security-module@vger.kernel.org>
Subject: Re: [PATCH] capabilities: add capability cgroup controller
Date: Fri, 24 Jun 2016 12:39:56 -0500 [thread overview]
Message-ID: <20160624173956.GA10364@mail.hallyn.com> (raw)
In-Reply-To: <87mvmaa4f6.fsf@x220.int.ebiederm.org>
Quoting Eric W. Biederman (ebiederm@xmission.com):
> "Serge E. Hallyn" <serge@hallyn.com> writes:
>
> > Quoting Tejun Heo (tj@kernel.org):
> >> Hello,
> >>
> >> On Fri, Jun 24, 2016 at 10:59:16AM -0500, Serge E. Hallyn wrote:
> >> > Quoting Tejun Heo (tj@kernel.org):
> >> > > But isn't being recursive orthogonal to using cgroup? Why not account
> >> > > usages recursively along the process hierarchy? Capabilities don't
> >> > > have much to do with cgroup but everything with process hierarchy.
> >> > > That's how they're distributed and modified. If monitoring their
> >> > > usages is necessary, it makes sense to do it in the same structure.
> >> >
> >> > That was my argument against using cgroups to enforce a new bounding
> >> > set. For tracking though, the cgroup process tracking seems as applicable
> >> > to this as it does to systemd tracking of services. It tracks a task and
> >> > the children it forks.
> >>
> >> Just monitoring is less jarring than implementing security enforcement
> >> via cgroup, but it is still jarring. What's wrong with recursive
> >> process hierarchy monitoring which is in line with the whole facility
> >> is implemented anyway?
> >
> > As I think Topi pointed out, one shortcoming is that if there is a short-lived
> > child task, using its /proc/self/status is racy. You might just miss that it
> > ever even existed, let alone that the "application" needed it.
> >
> > Another alternative we've both mentioned is to use systemtap. That's not
> > as nice a solution as a cgroup, but then again this isn't really a common
> > case, so maybe it is precisely what a tracing infrastructure is meant for.
>
> Hmm.
>
> We have capability use wired up into auditing. So we might be able to
> get away with just adding an appropriate audit message in
> commoncap.c:cap_capable that honors the audit flag and logs an audit
> message. The hook in selinux already appears to do that.
>
> Certainly audit sounds like the subsystem for this kind of work, as it's
> whole point in life is logging things, then something in userspace can
> just run over the audit longs and build a nice summary.
Good point, so long as we can also track ppid or fork info (using
taskstats?) that would seem the best way.
next prev parent reply other threads:[~2016-06-24 17:40 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-06-23 15:07 [PATCH] capabilities: add capability cgroup controller Topi Miettinen
2016-06-23 21:03 ` Kees Cook
2016-06-23 21:38 ` Tejun Heo
2016-06-24 0:22 ` Topi Miettinen
2016-06-24 15:48 ` Tejun Heo
2016-06-24 15:59 ` Serge E. Hallyn
2016-06-24 16:35 ` Tejun Heo
2016-06-24 16:59 ` Serge E. Hallyn
2016-06-24 17:21 ` Eric W. Biederman
2016-06-24 17:39 ` Serge E. Hallyn [this message]
2016-06-26 19:03 ` Topi Miettinen
2016-06-28 4:57 ` Eric W. Biederman
2016-07-02 11:20 ` Topi Miettinen
2016-06-24 17:24 ` Tejun Heo
2016-06-26 19:14 ` Topi Miettinen
2016-06-26 22:26 ` Tejun Heo
2016-06-27 14:54 ` Serge E. Hallyn
2016-06-27 19:10 ` Topi Miettinen
2016-06-27 19:17 ` Tejun Heo
2016-06-27 19:49 ` Serge E. Hallyn
2016-07-03 15:08 ` Topi Miettinen
2016-07-03 16:13 ` [PATCH] capabilities: audit capability use kbuild test robot
2016-07-07 9:16 ` [PATCH] capabilities: add capability cgroup controller Petr Mladek
2016-07-07 20:27 ` Topi Miettinen
2016-07-08 9:13 ` Petr Mladek
2016-07-09 16:38 ` Topi Miettinen
2016-07-10 9:04 ` Topi Miettinen
2016-06-23 23:46 ` Andrew Morton
2016-06-24 1:14 ` Topi Miettinen
2016-06-24 4:15 ` Andy Lutomirski
2016-06-25 18:00 ` Djalal Harouni
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160624173956.GA10364@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=David.Woodhouse@intel.com \
--cc=akpm@linux-foundation.org \
--cc=ard.biesheuvel@linaro.org \
--cc=cgroups@vger.kernel.org \
--cc=corbet@lwn.net \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=hannes@cmpxchg.org \
--cc=james.l.morris@oracle.com \
--cc=keescook@chromium.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lizefan@huawei.com \
--cc=luto@kernel.org \
--cc=paulmck@linux.vnet.ibm.com \
--cc=pmladek@suse.com \
--cc=serge.hallyn@canonical.com \
--cc=tj@kernel.org \
--cc=toiwoton@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).