On 07/12/16 13:16, Eric W. Biederman wrote:
> Topi Miettinen <toiwoton@xxxxxxxxx> writes:
>
>> On 07/11/16 21:57, Eric W. Biederman wrote:
>>> Topi Miettinen <toiwoton@xxxxxxxxx> writes:
>>>
>>>> There are many basic ways to control processes, including capabilities,
>>>> cgroups and resource limits. However, there are far fewer ways to find
>>>> out useful values for the limits, except blind trial and error.
>>>>
>>>> Currently, there is no way to know which capabilities are actually used.
>>>> Even the source code is only implicit: in-depth knowledge of each
>>>> capability must be used when analyzing a program to judge which
>>>> capabilities the program will exercise.
>>>>
>>>> Generate an audit message at system call exit, when capabilities are used.
>>>> This can then be used to configure capability sets for services by a
>>>> software developer, maintainer or system administrator.
>>>>
>>>> Test case demonstrating basic capability monitoring with the new
>>>> message types 1330 and 1331 and how the cgroups are displayed (boot to
>>>> rdshell):
>>>
>>> You totally miss the interactions with the user namespace so this won't
>>> give you the information you are aiming for.
>>
>> Please correct me if this is not right:
>>
>> There are two cases:
>> a) real capability use as seen outside the namespace
>> b) use of capabilities granted by the namespace
>> Both cases could be active independently.
>>
>> For auditing purposes, we're mostly interested in a) and log noise from
>> b) could even be seen as a distraction.
>>
>> For configuration purposes, both cases can be interesting, a) for the
>> configuration of services and b) in case where the containerized
>> configuration is planned to be deployed outside. I'd still only log
>> a).
>>
>> The same logic should apply with cgroup namespaces.
>
> Not logging capabilities outside of the initial user namespace is
> certainly the conservative place to start, and what selinux does.
>
> You should also be logging capability use from cap_capable. Not
> ns_capable.

But cap_capable is not called from apparmor aa_capable or selinux
selinux_capable, how about security_capable()?

> You are missing several kinds of capability use as
> a quick review of kernel/capability.c should have shown you.

Right, sorry about that.

-Topi

> Eric
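The user-namespace interaction Eric refers to, as an added user-space model that is not part of the thread, of Topi's patch, or of the kernel. It reproduces the namespace walk of the kernel's cap_capable() (same-namespace check, level check, namespace-owner rule, then move to the parent) so that the difference between a capability granted by a child user namespace (Topi's case b) and one that holds in the initial namespace (case a) is visible, and it places the audit hook in the modelled cap_capable() rather than in ns_capable(), as Eric suggests. The struct layouts, the counters standing in for audit records, the "log only against init_user_ns" policy and the constructed creds are this example's own assumptions; LSM dispatch through security_capable(), which the thread raises, is left out of the model.

```c
/* Added example: user-space model of the kernel capability check and of
 * where an audit hook for capability use would sit. Not kernel code and
 * not the patch under discussion; names and policy are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CAP_NET_ADMIN 12
#define CAP_SYS_ADMIN 21
#define EPERM 1

struct user_namespace {
    struct user_namespace *parent;
    int level;              /* 0 for the initial namespace, +1 per child */
    uint32_t owner;         /* kuid of the creator of this namespace */
    const char *name;
};

struct cred {
    struct user_namespace *user_ns;
    uint32_t euid;
    uint64_t cap_effective; /* bit N set means capability N is raised */
};

static struct user_namespace init_user_ns = { NULL, 0, 0, "init_user_ns" };

/* Stand-ins for audit records: the model only counts what would be logged. */
static int audit_logged;     /* checks whose target is init_user_ns (case a) */
static int audit_suppressed; /* checks whose target is a child namespace (case b) */

static bool cap_raised(uint64_t set, int cap) { return (set >> cap) & 1; }

/* Assumed policy from the thread: log only capability use as seen from the
 * initial user namespace; capability use granted by a child namespace is not logged. */
static void audit_capability_use(const struct user_namespace *target, int cap, int ret)
{
    (void)cap; (void)ret;
    if (target == &init_user_ns)
        audit_logged++;
    else
        audit_suppressed++;
}

/* Model of cap_capable(): walk from the target namespace toward the root.
 * 1. target is the caller's own namespace: consult the effective set;
 * 2. target is at or above the caller's namespace: never;
 * 3. caller is in the parent of the target and created it: all caps;
 * 4. otherwise a capability in a parent namespace also holds in its children. */
static int cap_capable(const struct cred *cred, const struct user_namespace *ns, int cap)
{
    const struct user_namespace *target = ns;
    int ret;

    for (;;) {
        if (ns == cred->user_ns) {
            ret = cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
            break;
        }
        if (ns->level <= cred->user_ns->level) {
            ret = -EPERM;
            break;
        }
        if (ns->parent == cred->user_ns && ns->owner == cred->euid) {
            ret = 0;
            break;
        }
        ns = ns->parent;
    }
    /* Hook here, not in ns_capable(): every caller of the check is seen. */
    audit_capability_use(target, cap, ret);
    return ret;
}

/* Models of ns_capable() and capable(); both end in cap_capable(). */
static int ns_capable(const struct cred *cred, const struct user_namespace *ns, int cap)
{
    return cap_capable(cred, ns, cap);
}
static int capable(const struct cred *cred, int cap)
{
    return ns_capable(cred, &init_user_ns, cap);
}

/* Constructed scenario: uid 1000 created a child user namespace; inside it
 * a process runs as "root" with a full effective set. */
static struct user_namespace child_ns = { &init_user_ns, 1, 1000, "child_ns" };
static struct cred container_root = { &child_ns, 0, ~0ULL };
static struct cred creator = { &init_user_ns, 1000, 0 };               /* no caps at all */
static struct cred host_admin = { &init_user_ns, 0, 1ULL << CAP_NET_ADMIN };

struct result { int in_child, in_init, creator_in_child, host_net, host_sys, logged, suppressed; };

struct result run_scenario(void)
{
    struct result r;
    audit_logged = audit_suppressed = 0;
    r.in_child = ns_capable(&container_root, &child_ns, CAP_SYS_ADMIN); /* 0: granted by child ns */
    r.in_init = capable(&container_root, CAP_SYS_ADMIN);               /* -EPERM: not seen outside */
    r.creator_in_child = ns_capable(&creator, &child_ns, CAP_SYS_ADMIN);/* 0: owner rule */
    r.host_net = capable(&host_admin, CAP_NET_ADMIN);                  /* 0 */
    r.host_sys = capable(&host_admin, CAP_SYS_ADMIN);                  /* -EPERM */
    r.logged = audit_logged;         /* three checks against init_user_ns */
    r.suppressed = audit_suppressed; /* two checks against child_ns */
    return r;
}

int main(void)
{
    struct result r = run_scenario();
    printf("container root: child ns %d, init ns %d; creator in child ns %d\n",
           r.in_child, r.in_init, r.creator_in_child);
    printf("host admin: NET_ADMIN %d, SYS_ADMIN %d\n", r.host_net, r.host_sys);
    printf("audit: %d logged, %d suppressed\n", r.logged, r.suppressed);
    return 0;
}
```

The point the scenario makes for the patch: a service that looks fully privileged from inside its user namespace (container_root passes CAP_SYS_ADMIN against child_ns) fails the same check against init_user_ns, so an audit hook in ns_capable() alone would record grants that mean nothing outside the container, while a hook in the common check sees both and can apply whatever namespace policy is chosen.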