On Thursday, May 14, 2015 08:48:55 PM Richard Guy Briggs wrote: > On 15/05/14, Steve Grubb wrote: > > What they would want to know is what resources were assigned; if two > > containers shared a resource, what resource and container was it shared > > with; if two containers can communicate, we need to see or control > > information flow when necessary; and we need to see termination and > > release of resources. > > So, namespaces are a big part of this. I understand how they are > spawned and potentially shared. I have a more vague idea about how > cgroups contribute to this concept of a container. So far, I have very > little idea how seccomp contributes, but I assume that it will also need > to be part of this tracking. It doesn't, really. We shouldn't worry about seccomp from a namespace/container auditing perspective. The normal seccomp auditing should be sufficient for namespaces/containers. -- paul moore security @ redhat -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
