On Tue, Mar 19, 2013 at 05:00:50PM -0700, Eric W. Biederman wrote: > It is always possible to pick the instance of /proc connected to the > initial pid namespace. And there is a device number you can use to say > that. I wasn't aware of that, I'll take a look, thanks! > The reasons were simply that to my knowledge no one has thought through > how audit records and namespaces make sense to interact. > > My expectation would be that an extention of audit records would be > logged on a per container basis. But I don't have any motivating > examples. from what I've heard, there're two possibilites here: if a container is understood to be "light virtualization", it should behave just like another machine by having its own auditd daemon, sending records over the network to the host. If that's not the case, a single auditd must be present. But, the fact that you might want to run a sshd server inside a container it might be desirable to have USER_AUTH records for example. > I though you would have taken the time to run it at least once, or to > perhaps have manually edited your example to see how things would fit > together. I did run it with different namespaces but not with userns. The example was to show how the extra record would look like and I randomly picked one. The idea is that auditd will know which namespaces are the original ones and can use that to filter containers' records, which could be filtered out by default. > What was really missing from your RFC is a motivating example. I sort > of see that in your paragraph above but it isn't clear to me. > > What is lost by not allowing USER audit records from processes in > containers? What is gained by implementing user process to have them? > And of course what are your thoughts on preventing unprivileged users > overwhelming the audit subsystem. This is a bit fuzzy to me, perhaps due I'm not fully understanding userns implementation yet, so bear with me: I thought of changing so userns would not grant CAP_AUDIT_WRITE and CAP_AUDIT_CONTROL unless the process already has it (i.e. it'd require to be root on the init_ns). The 'init' process would start trusted daemons with those capabilities then drop the capabilities for everything else. Does it make sense? -- Aristeu _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers