Re: [PATCH] capabilities: audit capability use

From: Eric W. Biederman
Date: Tue Jul 12 2016 - 09:29:30 EST

Next message: Lothar WaÃmann: "[PATCHv4 0/3] drm/imx: convey the pixelclk-active and de-active flags from DT to the ipu-di driver"
Previous message: Peter Zijlstra: "Re: [PATCH v2 00/13] sched: Clean-ups and asymmetric cpu capacity support"
In reply to: Topi Miettinen: "Re: [PATCH] capabilities: audit capability use"
Next in thread: Paul Moore: "Re: [PATCH] capabilities: audit capability use"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Topi Miettinen <toiwoton@xxxxxxxxx> writes:

> On 07/11/16 21:57, Eric W. Biederman wrote:
>> Topi Miettinen <toiwoton@xxxxxxxxx> writes:
>>
>>> There are many basic ways to control processes, including capabilities,
>>> cgroups and resource limits. However, there are far fewer ways to find
>>> out useful values for the limits, except blind trial and error.
>>>
>>> Currently, there is no way to know which capabilities are actually used.
>>> Even the source code is only implicit, in-depth knowledge of each
>>> capability must be used when analyzing a program to judge which
>>> capabilities the program will exercise.
>>>
>>> Generate an audit message at system call exit, when capabilities are used.
>>> This can then be used to configure capability sets for services by a
>>> software developer, maintainer or system administrator.
>>>
>>> Test case demonstrating basic capability monitoring with the new
>>> message types 1330 and 1331 and how the cgroups are displayed (boot to
>>> rdshell):
>>
>> You totally miss the interactions with the user namespace so this won't
>> give you the information you are aiming for.
>
> Please correct me if this is not right:
>
> There are two cases:
> a) real capability use as seen outside the namespace
> b) use of capabilities granted by the namespace
> Both cases could be active independently.
>
> For auditing purposes, we're mostly interested in a) and log noise from
> b) could be even seen a distraction.
>
> For configuration purposes, both cases can be interesting, a) for the
> configuration of services and b) in case where the containerized
> configuration is planned to be deployed outside. I'd still only log
> a).
>
>
> The same logic should apply with cgroup namespaces.

Not logging capabilities outside of the initial user namespace is
certainly the conservative place to start, and what selinux does.

You should also be logging capability use from cap_capable. Not
ns_capable. You are missing several kinds of capability use as
a quick review of kernel/capability.c should have shown you.

Eric

Next message: Lothar WaÃmann: "[PATCHv4 0/3] drm/imx: convey the pixelclk-active and de-active flags from DT to the ipu-di driver"
Previous message: Peter Zijlstra: "Re: [PATCH v2 00/13] sched: Clean-ups and asymmetric cpu capacity support"
In reply to: Topi Miettinen: "Re: [PATCH] capabilities: audit capability use"
Next in thread: Paul Moore: "Re: [PATCH] capabilities: audit capability use"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]