[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <d882bf1d-e00d-3722-5695-12f257a15224@gmail.com>
Date: Wed, 13 Jul 2016 07:30:18 +0000
From: Topi Miettinen <toiwoton@...il.com>
To: "Eric W. Biederman" <ebiederm@...ssion.com>
Cc: linux-kernel@...r.kernel.org, pmladek@...e.com, luto@...nel.org,
serge@...lyn.com, keescook@...omium.org,
Paul Moore <paul@...l-moore.com>,
Eric Paris <eparis@...hat.com>, Tejun Heo <tj@...nel.org>,
Li Zefan <lizefan@...wei.com>,
Johannes Weiner <hannes@...xchg.org>,
"moderated list:AUDIT SUBSYSTEM" <linux-audit@...hat.com>,
"open list:CONTROL GROUP (CGROUP)" <cgroups@...r.kernel.org>,
"open list:CAPABILITIES" <linux-security-module@...r.kernel.org>
Subject: Re: [PATCH] capabilities: audit capability use
On 07/12/16 13:16, Eric W. Biederman wrote:
> Topi Miettinen <toiwoton@...il.com> writes:
>
>> On 07/11/16 21:57, Eric W. Biederman wrote:
>>> Topi Miettinen <toiwoton@...il.com> writes:
>>>
>>>> There are many basic ways to control processes, including capabilities,
>>>> cgroups and resource limits. However, there are far fewer ways to find
>>>> out useful values for the limits, except blind trial and error.
>>>>
>>>> Currently, there is no way to know which capabilities are actually used.
>>>> Even the source code is only implicit, in-depth knowledge of each
>>>> capability must be used when analyzing a program to judge which
>>>> capabilities the program will exercise.
>>>>
>>>> Generate an audit message at system call exit, when capabilities are used.
>>>> This can then be used to configure capability sets for services by a
>>>> software developer, maintainer or system administrator.
>>>>
>>>> Test case demonstrating basic capability monitoring with the new
>>>> message types 1330 and 1331 and how the cgroups are displayed (boot to
>>>> rdshell):
>>>
>>> You totally miss the interactions with the user namespace so this won't
>>> give you the information you are aiming for.
>>
>> Please correct me if this is not right:
>>
>> There are two cases:
>> a) real capability use as seen outside the namespace
>> b) use of capabilities granted by the namespace
>> Both cases could be active independently.
>>
>> For auditing purposes, we're mostly interested in a) and log noise from
>> b) could be even seen a distraction.
>>
>> For configuration purposes, both cases can be interesting, a) for the
>> configuration of services and b) in case where the containerized
>> configuration is planned to be deployed outside. I'd still only log
>> a).
>>
>>
>> The same logic should apply with cgroup namespaces.
>
> Not logging capabilities outside of the initial user namespace is
> certainly the conservative place to start, and what selinux does.
>
> You should also be logging capability use from cap_capable. Not
But cap_capable is not called from apparmor aa_capable or selinux
selinux_capable, how about security_capable()?
> ns_capable. You are missing several kinds of capability use as
> a quick review of kernel/capability.c should have shown you.
Right, sorry about that.
-Topi
>
> Eric
>
Powered by blists - more mailing lists