Re: [PATCH] capabilities: add capability cgroup controller

From: Serge E. Hallyn
Date: Fri Jun 24 2016 - 13:40:07 EST


Quoting Eric W. Biederman (ebiederm@xxxxxxxxxxxx):
> "Serge E. Hallyn" <serge@xxxxxxxxxx> writes:
>
> > Quoting Tejun Heo (tj@xxxxxxxxxx):
> >> Hello,
> >>
> >> On Fri, Jun 24, 2016 at 10:59:16AM -0500, Serge E. Hallyn wrote:
> >> > Quoting Tejun Heo (tj@xxxxxxxxxx):
> >> > > But isn't being recursive orthogonal to using cgroup? Why not account
> >> > > usages recursively along the process hierarchy? Capabilities don't
> >> > > have much to do with cgroup but everything with process hierarchy.
> >> > > That's how they're distributed and modified. If monitoring their
> >> > > usages is necessary, it makes sense to do it in the same structure.
> >> >
> >> > That was my argument against using cgroups to enforce a new bounding
> >> > set. For tracking though, the cgroup process tracking seems as applicable
> >> > to this as it does to systemd tracking of services. It tracks a task and
> >> > the children it forks.
> >>
> >> Just monitoring is less jarring than implementing security enforcement
> >> via cgroup, but it is still jarring. What's wrong with recursive
> >> process hierarchy monitoring which is in line with the whole facility
> >> is implemented anyway?
> >
> > As I think Topi pointed out, one shortcoming is that if there is a short-lived
> > child task, using its /proc/self/status is racy. You might just miss that it
> > ever even existed, let alone that the "application" needed it.
> >
> > Another alternative we've both mentioned is to use systemtap. That's not
> > as nice a solution as a cgroup, but then again this isn't really a common
> > case, so maybe it is precisely what a tracing infrastructure is meant for.
>
> Hmm.
>
> We have capability use wired up into auditing. So we might be able to
> get away with just adding an appropriate audit message in
> commoncap.c:cap_capable that honors the audit flag and logs an audit
> message. The hook in selinux already appears to do that.
>
> Certainly audit sounds like the subsystem for this kind of work, as it's
> whole point in life is logging things, then something in userspace can
> just run over the audit longs and build a nice summary.

Good point, so long as we can also track ppid or fork info (using
taskstats?) that would seem the best way.