| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 14 May 2015 22:03:57 -0400 From: Richard Guy Briggs <rgb@...hat.com> To: "Eric W. Biederman" <ebiederm@...ssion.com> Cc: Steve Grubb <sgrubb@...hat.com>, containers@...ts.linux-foundation.org, linux-kernel@...r.kernel.org, linux-audit@...hat.com, eparis@...isplace.org, pmoore@...hat.com, arozansk@...hat.com, serge@...lyn.com, zohar@...ux.vnet.ibm.com, viro@...iv.linux.org.uk, linux-fsdevel@...r.kernel.org, linux-api@...r.kernel.org, netdev@...r.kernel.org Subject: Re: [PATCH V6 05/10] audit: log creation and deletion of namespace instances On 15/05/14, Eric W. Biederman wrote: > Steve Grubb <sgrubb@...hat.com> writes: > > On Tuesday, May 12, 2015 03:57:59 PM Richard Guy Briggs wrote: > >> On 15/05/05, Steve Grubb wrote: > >> > I think there needs to be some more discussion around this. It seems like > >> > this is not exactly recording things that are useful for audit. > >> > >> It seems to me that either audit has to assemble that information, or > >> the kernel has to do so. The kernel doesn't know about containers > >> (yet?). > > > > Auditing is something that has a lot of requirements imposed on it by security > > standards. There was no requirement to have an auid until audit came along and > > said that uid is not good enough to know who is issuing commands because of su > > or sudo. There was no requirement for sessionid until we had to track each > > action back to a login so we could see if the login came from the expected > > place. > > Stop right there. > > You want a global identifier in a realm where only relative identifiers > exist, and make sense. I am assuming he wants an identifier unique per container on one kernel and what happens on other kernels is a matter for a management application to take care of. This kernel doesn't have to deal with it other than taking information from a container management application. > I am sorry that isn't going to happen. EVER. > > Square peg, round hole. It doesn't work, it doesn't make sense, and > most especially it doesn't allow anyone to reconstruct anything, because > it does not make sense and does not match what the kernel is doing. > > Container IDs do not, and will not exist. There is probably something > reasonable in your request but until you stop talking that nonsense I > can't see it. I didn't see anything in any of what Steve said that suggested it was to be unique beyond that one kernel. > Global IDs take us into the namespace of namespaces problem and that > isn't going to happen. I have already bent as far in this direction as > I can go. Further namespace creation is not a privileged event which > makes the requestion for a container ID make even less sense. With > anyone able to create whatever they want it will not be a identifier > that makes any sense to someone reading an audit log. Again, I assume this is up to a container management application that will manage its pool of container hosts and an audit aggregator. You keep raising an objection about the unworkability of a "namespace of namespaces". Just so we are all on the same page here, can you explain exactly what you mean with "namespace of namespaces"? > Eric - RGB -- Richard Guy Briggs <rbriggs@...hat.com> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists