[PATCH V6 05/10] audit: log creation and deletion of namespace instances

Steve Grubb sgrubb at redhat.com
Tue May 5 15:16:56 UTC 2015


On Tuesday, May 05, 2015 09:56:03 AM Eric W. Biederman wrote:
> Steve Grubb <sgrubb at redhat.com> writes:
> > The requirements for auditing of containers should be derived from VPP. In
> > it, it asks for selectable auditing, selective audit, and selective audit
> > review. What this means is that we need the container and all its
> > children to have one identifier that is inserted into all the events that
> > are associated with the container.
> 
> That is technically impossible.  Nested containers exist.

OK, then lets talk about that, too. When something is 2 layers deep, the 
outside world cannot make sense of it. The inner one can be a loopback mounted 
file in the outer one. That means that I need the container itself to be 
responsible for events so that things are recorded using paths, uids, and pids 
that make sense to it. It can enrich the events and send them to the outer 
container.


> That is when container G is nested in container F which is in turn
> nested in container E which is in turn nested in container D which is in
> turn nested in container C which is in turn nested in container B which
> is nested in container A there is no one label you can put on audit
> messages from container G which is the ``correct'' one.
> 
> Or are you proposing that something in container G have labels
> A B C D E F G included on every audit message?

We need to have audit events to either be globally tagged so that the outside 
world understand what happening no matter how deep. Or we need each layer to 
be responsible for itself. This means having an audit rule match engine for 
each namespace like netfilter is to networking.


> That introduces enough complexity in generating and parsing the messages I
> wouldn't trust those messages as the least bug in generation and parsing
> would be a security issue.

That goes with the territory.


> What is the world is VPP?

Virtualization Protection Profile. Before people say it doesn't apply, it kind 
of does. It defines the necessary security mechanisms for either full blown 
virt like QEMU/Xen based or it gives enough wiggle room for containers and 
other types of VMs. Specifically, it defines the audit requirements needed for 
this kind of technology.


> It sounds like something non-public thing. Certainly it has never been a
> part of the public container discussion and as such it appears to be
> completely ridiculous to bring up in a public discussion.

No, its a public thing. Audit requirements start in section 5.2:

https://www.niap-ccevs.org/pp/PP_SV_V1.0/

-Steve


More information about the Containers mailing list