lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ab56ac20-1d56-714c-eb54-9a43db496526@gmail.com>
Date:	Tue, 12 Jul 2016 08:54:41 +0000
From:	Topi Miettinen <toiwoton@...il.com>
To:	"Eric W. Biederman" <ebiederm@...ssion.com>
Cc:	linux-kernel@...r.kernel.org, pmladek@...e.com, luto@...nel.org,
	serge@...lyn.com, keescook@...omium.org,
	Paul Moore <paul@...l-moore.com>,
	Eric Paris <eparis@...hat.com>, Tejun Heo <tj@...nel.org>,
	Li Zefan <lizefan@...wei.com>,
	Johannes Weiner <hannes@...xchg.org>,
	"moderated list:AUDIT SUBSYSTEM" <linux-audit@...hat.com>,
	"open list:CONTROL GROUP (CGROUP)" <cgroups@...r.kernel.org>,
	"open list:CAPABILITIES" <linux-security-module@...r.kernel.org>
Subject: Re: [PATCH] capabilities: audit capability use

On 07/11/16 21:57, Eric W. Biederman wrote:
> Topi Miettinen <toiwoton@...il.com> writes:
> 
>> There are many basic ways to control processes, including capabilities,
>> cgroups and resource limits. However, there are far fewer ways to find
>> out useful values for the limits, except blind trial and error.
>>
>> Currently, there is no way to know which capabilities are actually used.
>> Even the source code is only implicit, in-depth knowledge of each
>> capability must be used when analyzing a program to judge which
>> capabilities the program will exercise.
>>
>> Generate an audit message at system call exit, when capabilities are used.
>> This can then be used to configure capability sets for services by a
>> software developer, maintainer or system administrator.
>>
>> Test case demonstrating basic capability monitoring with the new
>> message types 1330 and 1331 and how the cgroups are displayed (boot to
>> rdshell):
> 
> You totally miss the interactions with the user namespace so this won't
> give you the information you are aiming for.

Please correct me if this is not right:

There are two cases:
a) real capability use as seen outside the namespace
b) use of capabilities granted by the namespace
Both cases could be active independently.

For auditing purposes, we're  mostly interested in a) and log noise from
b) could be even seen a distraction.

For configuration purposes, both cases can be interesting, a) for the
configuration of  services and b) in case where the containerized
configuration is planned to be deployed outside. I'd still only log a).

The same logic should apply with cgroup namespaces.

-Topi

> 
> Eric
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ