pcmoore
commented
7 years ago The last upstream patchset from April 2015:
Open pcmoore opened 7 years ago
pcmoore
commented
7 years ago The last upstream patchset from April 2015:
rgbriggs
commented
7 years ago This issue should be about making a decision between implementing a set of namespace IDs to report in audit records, or a container ID to report in audit records. Implementing namespace IDs to report in each record will consume audit record bandwidth and is likely to be more useful as an auxiliary record in the case of a syscall to avoid making existing records longer and to make them easier to ignore should that information not interest log reviewers. The last patch was v7 (not v6 as quoted above) that used the ns inode and incorporated the change from proc to nsfs.
The alternative is to develop a new container ID settable by a container manager process with a new capability (CAP_CONTAINERID_SET?) that would be stored in the task_struct, inheritable by the task's children.
References: https://bugzilla.redhat.com/show_bug.cgi?id=1045666 Aristeu Rozanski first proposed an RFC of a set of namespace IDs 2013-03-18: https://www.redhat.com/archives/linux-audit/2013-March/msg00020.html (thread cont'd: https://www.redhat.com/archives/linux-audit/2013-March/msg00033.html https://www.redhat.com/archives/linux-audit/2014-January/msg00180.html) RGB: V1: https://www.redhat.com/archives/linux-audit/2013-July/msg00027.html omoris: https://www.redhat.com/archives/linux-audit/2013-December/msg00011.html v?: https://www.redhat.com/archives/linux-audit/2013-December/msg00112.html
tiran
commented
7 years ago I attended to @pcmoore's talk about namespaces and auditing at DevConf.CZ. A unique container id would solve several a problem we are facing in Custodia (https://github.com/latchset/custodia). Custodia is a technology for end-to-end key management, or simply speaking an API to request secrets from a service. For containers we use Unix sockets for both transport and authentication. Right now we are required to use horrible hacks to map a PID (SO_PEERSEC and SO_PEERCRED) to a container id (regexp on /proc/PID/cgroup), https://speakerdeck.com/tiran/pycon-2016-file-descriptors-unix-sockets-and-other-posix-magic?slide=53
A proper namespace identifier and something like getsockopt(SOL_SOCKET, SO_CONTAINERID) would make our approach both simpler and more secure.
rgbriggs
commented
7 years ago Thanks @tiran, I did happen to see your tech-talk last week, so I have an idea of which you speak, but will need to go back and have a closer look to understand the details. Thanks for the feedback.
tiran
commented
7 years ago thanks @rgbriggs I'm in Brno until the end of the week. Let's talk next week.
rgbriggs
commented
7 years ago @tiran If you can find a few moments to chat with @pcmoore while he is still there that might also be helpful.
tiran
commented
7 years ago @npmccallum suggested to add a syscall to retrieve a container id by syscall. The approach has some potential benefits and drawbacks. it's more general usable but requires the service to run in the same PID namespace or host PID namespace.
rgbriggs
commented
7 years ago Here's a patchset from David Howells that makes an attempt at a kernel container object that would be useful for our use case: https://lkml.org/lkml/2017/5/22/645 The LWN article reviewing it: https://lwn.net/Articles/723561/
rgbriggs
commented
7 years ago Posted Kernel Audit Container ID proposal upstream: https://www.redhat.com/archives/linux-audit/2017-September/msg00082.html https://lkml.org/lkml/2017/9/13/383
rgbriggs
commented
6 years ago 2017-10-12: Posted RFC(v2): Audit Kernel Container IDs https://lkml.org/lkml/2017/10/12/354 "non-Cc:" fork https://lkml.org/lkml/2017/10/17/689
rgbriggs
commented
6 years ago LWN coverage: https://lwn.net/Articles/740621/
rgbriggs
commented
6 years ago 2018-01-09: Posted RFC(v3): Audit Kernel Container IDs https://www.redhat.com/archives/linux-audit/2018-January/msg00014.html https://lkml.org/lkml/2018/1/9/347
rgbriggs
commented
6 years ago 2018-03-01: Posted RFC v1 patchset upstream: https://lkml.org/lkml/2018/3/1/813 https://www.redhat.com/archives/linux-audit/2018-March/msg00004.html
rgbriggs
commented
6 years ago Posted RFC v1 userspace patch for auditctl containerid filter support: https://www.redhat.com/archives/linux-audit/2018-March/msg00030.html https://lkml.org/lkml/2018/3/5/82
rgbriggs
commented
6 years ago Posted v2 patchset upstream: https://www.redhat.com/archives/linux-audit/2018-March/msg00110.html https://lkml.org/lkml/2018/3/16/191
Posted v2 userspace patchset upstream: https://www.redhat.com/archives/linux-audit/2018-March/msg00124.html https://lkml.org/lkml/2018/3/16/210
rgbriggs
commented
6 years ago Split off the audit container identifier work into new issues, leaving this one for namespace identifiers:
rgbriggs
commented
6 years ago Added userspace support issue: https://github.com/linux-audit/audit-userspace/issues/59
The lack of namespace identifiers in audit records can make interpreting audit records difficult in some configurations. Pay special attention to the fact that this issue is about namespace identifiers and not container identifiers; while this work will help track activities associated with containers, ultimately it is the container engine which will need to create/assign/manage the container identifier.