Date:	Tue, 05 May 2015 11:16:56 -0400
From:	Steve Grubb <sgrubb@...hat.com>
To:	"Eric W. Biederman" <ebiederm@...ssion.com>
Cc:	Richard Guy Briggs <rgb@...hat.com>,
	containers@...ts.linux-foundation.org,
	linux-kernel@...r.kernel.org, linux-audit@...hat.com,
	eparis@...isplace.org, pmoore@...hat.com, arozansk@...hat.com,
	serge@...lyn.com, zohar@...ux.vnet.ibm.com,
	viro@...iv.linux.org.uk, linux-fsdevel@...r.kernel.org,
	linux-api@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH V6 05/10] audit: log creation and deletion of namespace instances

On Tuesday, May 05, 2015 09:56:03 AM Eric W. Biederman wrote:
> Steve Grubb <sgrubb@...hat.com> writes:
> > The requirements for auditing of containers should be derived from VPP. In
> > it, it asks for selectable auditing, selective audit, and selective audit
> > review. What this means is that we need the container and all its
> > children to have one identifier that is inserted into all the events that
> > are associated with the container.
> 
> That is technically impossible.  Nested containers exist.

OK, then let's talk about that, too. When something is 2 layers deep, the 
outside world cannot make sense of it. The inner one can be a loopback-mounted 
file in the outer one. That means that I need the container itself to be 
responsible for events so that things are recorded using paths, uids, and pids 
that make sense to it. It can enrich the events and send them to the outer 
container.


> That is when container G is nested in container F which is in turn
> nested in container E which is in turn nested in container D which is in
> turn nested in container C which is in turn nested in container B which
> is nested in container A there is no one label you can put on audit
> messages from container G which is the ``correct'' one.
> 
> Or are you proposing that something in container G have labels
> A B C D E F G included on every audit message?

We need audit events to either be globally tagged so that the outside 
world understands what is happening no matter how deep, or we need each layer to 
be responsible for itself. This means having an audit rule match engine for 
each namespace, like netfilter is to networking.


> That introduces enough complexity in generating and parsing the messages I
> wouldn't trust those messages as the least bug in generation and parsing
> would be a security issue.

That goes with the territory.


> What in the world is VPP?

Virtualization Protection Profile. Before people say it doesn't apply, it kind 
of does. It defines the necessary security mechanisms for either full-blown 
virt like QEMU/Xen based, or it gives enough wiggle room for containers and 
other types of VMs. Specifically, it defines the audit requirements needed for 
this kind of technology.


> It sounds like some non-public thing. Certainly it has never been a
> part of the public container discussion and as such it appears to be
> completely ridiculous to bring up in a public discussion.

No, it's a public thing. Audit requirements start in section 5.2:

https://www.niap-ccevs.org/pp/PP_SV_V1.0/

-Steve
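Added example, not part of the thread or of the kernel patch series: a toy Python model of the "each layer is responsible for itself" option above, in which every nesting level rewrites an event's uid, pid and path into its parent's terms and prepends its own name before forwarding it outward, so the host ends up with exactly the A B C label chain Eric objects to. All container names, uid offsets, pid mappings and mount points are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the nesting under discussion: a layer only knows its
# own paths, uids and pids, so before handing an event outward it rewrites
# the record into its parent's terms and prepends its own name.

@dataclass
class Layer:
    name: str
    parent: Optional["Layer"]   # None means this layer runs directly on the host
    uid_offset: int             # user-namespace style: inner uid 0 is parent uid uid_offset
    pid_map: dict               # constructed inner pid -> parent pid (pids do not simply offset)
    rootfs: str                 # where this layer's "/" is mounted in the parent

def to_parent(layer: Layer, ev: dict) -> dict:
    """Rewrite one event from `layer`'s point of view into its parent's."""
    out = dict(ev)
    out["uid"] = ev["uid"] + layer.uid_offset
    out["pid"] = layer.pid_map.get(ev["pid"], -1)   # -1: the parent has no name for it
    out["path"] = layer.rootfs.rstrip("/") + ev["path"]
    out["containers"] = [layer.name] + ev.get("containers", [])
    return out

def forward(layer: Optional[Layer], ev: dict) -> dict:
    """Enrich and forward the event through every layer until it reaches the host."""
    while layer is not None:
        ev = to_parent(layer, ev)
        layer = layer.parent
    return ev

# Host -> A -> B -> C; every offset, pid and mount point below is made up.
A = Layer("A", None, 100000, {310: 2310}, "/var/lib/containers/A/rootfs")
B = Layer("B", A, 1000, {9: 310}, "/containers/b")
C = Layer("C", B, 500, {42: 9}, "/srv/c")

def host_view() -> dict:
    """The event as the host's audit log would finally see it."""
    inner = {"op": "write", "uid": 0, "pid": 42, "path": "/etc/passwd"}  # as seen inside C
    return forward(C, inner)

if __name__ == "__main__":
    print(host_view())
```

The record that reaches the host carries containers ["A", "B", "C"], uid 101500, pid 2310 and a path rooted in A's rootfs; a pid the parent cannot map comes out as -1, which is where the parsing fragility Eric raises would show up.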