RFC(v2): Audit Kernel Container IDs
Aleksa Sarai
asarai at suse.de
Thu Oct 19 23:15:25 UTC 2017
>>>> The registration is a pseudo filesystem (proc, since PID tree already
>>>> exists) write of a u8[16] UUID representing the container ID to a file
>>>> representing a process that will become the first process in a new
>>>> container. This write might place restrictions on mount namespaces
>>>> required to define a container, or at least careful checking of
>>>> namespaces in the kernel to verify permissions of the orchestrator
>>>> so it
>>>> can't change its own container ID. A bind mount of nsfs may be
>>>> necessary in the container orchestrator's mntNS.
>>>> Note: Use a 128-bit scalar rather than a string to make compares faster
>>>> and simpler.
>>>>
>>>> Require a new CAP_CONTAINER_ADMIN to be able to carry out the
>>>> registration.
>>>
>>> Wouldn't CAP_AUDIT_WRITE be sufficient? After all, this is for auditing.
>>
>> No, because then any process with that capability (vsftpd) could change
>> its own container ID. This is discussed more in other parts of the
>> thread...
>
> Not if we make the container ID append-only (to support nesting), or
> write-once (the other idea thrown around). In that case, you can't move
> "out" from a particular container ID, you can only go "deeper". These
> semantics don't make sense for generic containers, but since the point
> of this facility is *specifically* for audit I imagine that not being
> able to move a process from a sub-container's ID is a benefit.
[This assumes it's CAP_AUDIT_CONTROL which is what we are discussing in
a sister thread.]
--
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
https://www.cyphar.com/
More information about the Linux-audit
mailing list