[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1982291.vr6V9CPzqu@x2>
Date: Tue, 17 Oct 2017 13:15:00 -0400
From: Steve Grubb <sgrubb@...hat.com>
To: Casey Schaufler <casey@...aufler-ca.com>
Cc: James Bottomley <James.Bottomley@...senpartnership.com>,
Simo Sorce <simo@...hat.com>, linux-audit@...hat.com,
mszeredi@...hat.com, trondmy@...marydata.com, jlayton@...hat.com,
Linux API <linux-api@...r.kernel.org>,
Linux Containers <containers@...ts.linux-foundation.org>,
Linux Kernel <linux-kernel@...r.kernel.org>,
David Howells <dhowells@...hat.com>,
Carlos O'Donell <carlos@...hat.com>, cgroups@...r.kernel.org,
"Eric W. Biederman" <ebiederm@...ssion.com>,
Andy Lutomirski <luto@...nel.org>,
Linux Network Development <netdev@...r.kernel.org>,
Linux FS Devel <linux-fsdevel@...r.kernel.org>,
Eric Paris <eparis@...isplace.org>,
Al Viro <viro@...iv.linux.org.uk>
Subject: Re: RFC(v2): Audit Kernel Container IDs
On Tuesday, October 17, 2017 12:43:18 PM EDT Casey Schaufler wrote:
> > The idea is that processes spawned into a container would be labelled
> > by the container orchestration system. It's unclear what should happen
> > to processes using nsenter after the fact, but policy for that should
> > be up to the orchestration system.
>
> I'm fine with that. The user space policy can be anything y'all like.
I think there should be a login event.
> > The label will be used as a tag for audit information.
>
> Deep breath ...
>
> Which *is* a kernel security policy mechanism. Since the "label"
> is part of the audit information that the kernel is guaranteeing
> changing it would be covered by CAP_AUDIT_CONTROL. If the kernel
> does not use the "label" for any other purpose this is the only
> capability that makes sense for it.
I agree. The ability to set the container label grants the ability to evade
rules or modify audit rules. CAP_AUDIT_CONTROL makes sense to me.
> > I think you were missing label inheritance above.
> >
> > The security implications are that anything that can change the label
> > could also hide itself and its doings from the audit system and thus
> > would be used as a means to evade detection.
Yes. We have the same problem with loginuid. There are restrictions on who can
change it once set. And then we made an immutable flag so that people that
want a hard guarantee can get that.
-Steve
Powered by blists - more mailing lists