lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <878tx79et8.fsf@x220.int.ebiederm.org>
Date:	Tue, 12 Jul 2016 08:16:51 -0500
From:	ebiederm@...ssion.com (Eric W. Biederman)
To:	Topi Miettinen <toiwoton@...il.com>
Cc:	linux-kernel@...r.kernel.org, pmladek@...e.com, luto@...nel.org,
	serge@...lyn.com, keescook@...omium.org,
	Paul Moore <paul@...l-moore.com>,
	Eric Paris <eparis@...hat.com>, Tejun Heo <tj@...nel.org>,
	Li Zefan <lizefan@...wei.com>,
	Johannes Weiner <hannes@...xchg.org>,
	"moderated list\:AUDIT SUBSYSTEM" <linux-audit@...hat.com>,
	"open list\:CONTROL GROUP \(CGROUP\)" <cgroups@...r.kernel.org>,
	"open list\:CAPABILITIES" <linux-security-module@...r.kernel.org>
Subject: Re: [PATCH] capabilities: audit capability use

Topi Miettinen <toiwoton@...il.com> writes:

> On 07/11/16 21:57, Eric W. Biederman wrote:
>> Topi Miettinen <toiwoton@...il.com> writes:
>> 
>>> There are many basic ways to control processes, including capabilities,
>>> cgroups and resource limits. However, there are far fewer ways to find
>>> out useful values for the limits, except blind trial and error.
>>>
>>> Currently, there is no way to know which capabilities are actually used.
>>> Even the source code is only implicit, in-depth knowledge of each
>>> capability must be used when analyzing a program to judge which
>>> capabilities the program will exercise.
>>>
>>> Generate an audit message at system call exit, when capabilities are used.
>>> This can then be used to configure capability sets for services by a
>>> software developer, maintainer or system administrator.
>>>
>>> Test case demonstrating basic capability monitoring with the new
>>> message types 1330 and 1331 and how the cgroups are displayed (boot to
>>> rdshell):
>> 
>> You totally miss the interactions with the user namespace so this won't
>> give you the information you are aiming for.
>
> Please correct me if this is not right:
>
> There are two cases:
> a) real capability use as seen outside the namespace
> b) use of capabilities granted by the namespace
> Both cases could be active independently.
>
> For auditing purposes, we're  mostly interested in a) and log noise from
> b) could be even seen a distraction.
>
> For configuration purposes, both cases can be interesting, a) for the
> configuration of  services and b) in case where the containerized
> configuration is planned to be deployed outside. I'd still only log
> a).
>
>
> The same logic should apply with cgroup namespaces.

Not logging capabilities outside of the initial user namespace is
certainly the conservative place to start, and what selinux does.

You should also be logging capability use from cap_capable.  Not
ns_capable.  You are missing several kinds of capability use as
a quick review of kernel/capability.c should have shown you.

Eric

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ