[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <878tx79et8.fsf@x220.int.ebiederm.org>
Date: Tue, 12 Jul 2016 08:16:51 -0500
From: ebiederm@...ssion.com (Eric W. Biederman)
To: Topi Miettinen <toiwoton@...il.com>
Cc: linux-kernel@...r.kernel.org, pmladek@...e.com, luto@...nel.org,
serge@...lyn.com, keescook@...omium.org,
Paul Moore <paul@...l-moore.com>,
Eric Paris <eparis@...hat.com>, Tejun Heo <tj@...nel.org>,
Li Zefan <lizefan@...wei.com>,
Johannes Weiner <hannes@...xchg.org>,
"moderated list\:AUDIT SUBSYSTEM" <linux-audit@...hat.com>,
"open list\:CONTROL GROUP \(CGROUP\)" <cgroups@...r.kernel.org>,
"open list\:CAPABILITIES" <linux-security-module@...r.kernel.org>
Subject: Re: [PATCH] capabilities: audit capability use
Topi Miettinen <toiwoton@...il.com> writes:
> On 07/11/16 21:57, Eric W. Biederman wrote:
>> Topi Miettinen <toiwoton@...il.com> writes:
>>
>>> There are many basic ways to control processes, including capabilities,
>>> cgroups and resource limits. However, there are far fewer ways to find
>>> out useful values for the limits, except blind trial and error.
>>>
>>> Currently, there is no way to know which capabilities are actually used.
>>> Even the source code is only implicit, in-depth knowledge of each
>>> capability must be used when analyzing a program to judge which
>>> capabilities the program will exercise.
>>>
>>> Generate an audit message at system call exit, when capabilities are used.
>>> This can then be used to configure capability sets for services by a
>>> software developer, maintainer or system administrator.
>>>
>>> Test case demonstrating basic capability monitoring with the new
>>> message types 1330 and 1331 and how the cgroups are displayed (boot to
>>> rdshell):
>>
>> You totally miss the interactions with the user namespace so this won't
>> give you the information you are aiming for.
>
> Please correct me if this is not right:
>
> There are two cases:
> a) real capability use as seen outside the namespace
> b) use of capabilities granted by the namespace
> Both cases could be active independently.
>
> For auditing purposes, we're mostly interested in a) and log noise from
> b) could be even seen a distraction.
>
> For configuration purposes, both cases can be interesting, a) for the
> configuration of services and b) in case where the containerized
> configuration is planned to be deployed outside. I'd still only log
> a).
>
>
> The same logic should apply with cgroup namespaces.
Not logging capabilities outside of the initial user namespace is
certainly the conservative place to start, and what selinux does.
You should also be logging capability use from cap_capable. Not
ns_capable. You are missing several kinds of capability use as
a quick review of kernel/capability.c should have shown you.
Eric
Powered by blists - more mailing lists