Re: [PATCH] capabilities: audit capability use
From: Topi Miettinen
Date: Wed Jul 13 2016 - 03:31:46 EST
On 07/12/16 13:16, Eric W. Biederman wrote:
> Topi Miettinen <toiwoton@xxxxxxxxx> writes:
>
>> On 07/11/16 21:57, Eric W. Biederman wrote:
>>> Topi Miettinen <toiwoton@xxxxxxxxx> writes:
>>>
>>>> There are many basic ways to control processes, including capabilities,
>>>> cgroups and resource limits. However, there are far fewer ways to find
>>>> out useful values for the limits, except blind trial and error.
>>>>
>>>> Currently, there is no way to know which capabilities are actually used.
>>>> Even the source code is only implicit, in-depth knowledge of each
>>>> capability must be used when analyzing a program to judge which
>>>> capabilities the program will exercise.
>>>>
>>>> Generate an audit message at system call exit, when capabilities are used.
>>>> This can then be used to configure capability sets for services by a
>>>> software developer, maintainer or system administrator.
>>>>
>>>> Test case demonstrating basic capability monitoring with the new
>>>> message types 1330 and 1331 and how the cgroups are displayed (boot to
>>>> rdshell):
>>>
>>> You totally miss the interactions with the user namespace so this won't
>>> give you the information you are aiming for.
>>
>> Please correct me if this is not right:
>>
>> There are two cases:
>> a) real capability use as seen outside the namespace
>> b) use of capabilities granted by the namespace
>> Both cases could be active independently.
>>
>> For auditing purposes, we're mostly interested in a) and log noise from
>> b) could be even seen a distraction.
>>
>> For configuration purposes, both cases can be interesting, a) for the
>> configuration of services and b) in case where the containerized
>> configuration is planned to be deployed outside. I'd still only log
>> a).
>>
>>
>> The same logic should apply with cgroup namespaces.
>
> Not logging capabilities outside of the initial user namespace is
> certainly the conservative place to start, and what selinux does.
>
> You should also be logging capability use from cap_capable. Not
But cap_capable is not called from apparmor aa_capable or selinux
selinux_capable, how about security_capable()?
> ns_capable. You are missing several kinds of capability use as
> a quick review of kernel/capability.c should have shown you.
Right, sorry about that.
-Topi
>
> Eric
>