On Mon, Jul 8, 2019 at 1:51 PM Richard Guy Briggs <rgb@xxxxxxxxxx> wrote: > On 2019-05-29 11:29, Paul Moore wrote: ... > > The idea is that only container orchestrators should be able to > > set/modify the audit container ID, and since setting the audit > > container ID can have a significant effect on the records captured > > (and their routing to multiple daemons when we get there) modifying > > the audit container ID is akin to modifying the audit configuration > > which is why it is gated by CAP_AUDIT_CONTROL. The current thinking > > is that you would only change the audit container ID from one > > set/inherited value to another if you were nesting containers, in > > which case the nested container orchestrator would need to be granted > > CAP_AUDIT_CONTROL (which everyone to date seems to agree is a workable > > compromise). We did consider allowing for a chain of nested audit > > container IDs, but the implications of doing so are significant > > (implementation mess, runtime cost, etc.) so we are leaving that out > > of this effort. > > We had previously discussed the idea of restricting > orchestrators/engines from only being able to set the audit container > identifier on their own descendants, but it was discarded. I've added a > check to ensure this is now enforced. When we weren't allowing nested orchestrators it wasn't necessary, but with the move to support nesting I believe this will be a requirement. We might also need/want to restrict audit container ID changes if a descendant is acting as a container orchestrator and managing one or more audit container IDs; although I'm less certain of the need for this. > I've also added a check to ensure that a process can't set its own audit > container identifier ... What does this protect against, or what problem does this solve? Considering how easy it is to fork/exec, it seems like this could be trivially bypassed. > ... and that if the identifier is already set, then the > orchestrator/engine must be in a descendant user namespace from the > orchestrator that set the previously inherited audit container > identifier. You lost me here ... although I don't like the idea of relying on X namespace inheritance for a hard coded policy on setting the audit container ID; we've worked hard to keep this independent of any definition of a "container" and it would sadden me greatly if we had to go back on that. -- paul moore www.paul-moore.com
