On 2017-09-14 12:33, Eric W. Biederman wrote: > Richard Guy Briggs <rgb@xxxxxxxxxx> writes: > > > The trigger is a pseudo filesystem (proc, since PID tree already exists) > > write of a u64 representing the container ID to a file representing a > > process that will become the first process in a new container. > > This might place restrictions on mount namespaces required to define a > > container, or at least careful checking of namespaces in the kernel to > > verify permissions of the orchestrator so it can't change its own > > container ID. > > Why a u64? u32 will roll too quickly. UUID is large enough that it adds significantly to audit record bandwidth. I'd prefer u64, but can look at the difference of accommodating a UUID... > Why a proc filesystem write and not a magic audit message? A magic audit message requires CAP_AUDIT_WRITE, which we'd like to use sparingly. Given that orchestrators will already require it to send the mandatory AUDIT_VIRT_*, this doesn't seem like an unreasonable burden. I was originally leaning towards an audit message trigger or a syscall. > I don't like the fact that the proc filesystem entry is likely going to > be readable and abusable by non-audit contexts? This proposal wasn't going to start with that link being readable, but its filesystem structure and link names would be, perhaps giving away too much already. I think we will need to find a way for the orchestrator or one of its authorized agents to read this information while blocking reads from unauthorized agents, otherwise this would be of very limited use. > Why the ability to change the containerid? What is the use case you are > thinking of there? This was covered in the end of the conversation with Paul Moore (that maybe you got tired reading?) I'd originally proposed having it write once, but Paul figured there was no good reason to restrict it and leave that decision up to the orchestrator. The use case would be adding other processes to a container, but it could be argued all additional processes should be spawned by the first process in a container. > Eric - RGB -- Richard Guy Briggs <rgb@xxxxxxxxxx> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 -- To unsubscribe from this list: send the line "unsubscribe cgroups" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html