lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 18 Oct 2017 15:58:13 -0400
From:   Paul Moore <paul@...l-moore.com>
To:     Simo Sorce <simo@...hat.com>
Cc:     Steve Grubb <sgrubb@...hat.com>, linux-audit@...hat.com,
        mszeredi@...hat.com, cgroups@...r.kernel.org, jlayton@...hat.com,
        Richard Guy Briggs <rgb@...hat.com>,
        Linux API <linux-api@...r.kernel.org>,
        Containers <containers@...ts.linux-foundation.org>,
        Linux FS Devel <linux-fsdevel@...r.kernel.org>,
        Linux Kernel <linux-kernel@...r.kernel.org>,
        Howells <dhowells@...hat.com>,
        "Carlos O'Donell" <carlos@...hat.com>,
        Linux Network Development <netdev@...r.kernel.org>,
        "Eric W. Biederman" <ebiederm@...ssion.com>,
        Lutomirski <luto@...nel.org>, Eric Paris <eparis@...isplace.org>,
        "Serge E. Hallyn" <serge@...lyn.com>, trondmy@...marydata.com,
        Al Viro <viro@...iv.linux.org.uk>
Subject: Re: RFC(v2): Audit Kernel Container IDs

On Tue, Oct 17, 2017 at 8:31 AM, Simo Sorce <simo@...hat.com> wrote:
> The container Id can be used also for authorization purposes (by other
> processes on the host), not just audit, I think this is why a separate
> control has been proposed.

Apologies, but I'm just now getting a chance to work my way through
this thread, and I wanted to make a quick comment on this point ...

The audit container ID (note I said "audit container ID" not
"container ID") is intended strictly for use by the audit subsystem at
this point.  Allowing other uses opens the door to a larger set of
problems we are trying to avoid (e.g. handling migration across
hosts).  We would love to have a generic kernel facility that the
audit subsystem could use to identify containers, but we don't, and
previous attempts have failed, so we have to create our own.  We are
intentionally trying to limit its scope in an attempt to limit
problems.  If a more general solution appears in the future I think we
would make every effect to migrate to that; keeping this initial
effort small should make that easier.

-- 
paul moore
www.paul-moore.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ