On Wed, Mar 20, 2013 at 03:01:32PM -0400, Eric Paris wrote:
> [veering away from this particular patch]
>
> We are also talking about adding a CAP_AUDIT_READ and sending messages
> via multicast on the audit socket. The problem is I don't know how the
> audit socket could work in the network namespace world. Right now
> kauditd has:
>
> audit_sock = netlink_kernel_create(&init_net, NETLINK_AUDIT, &cfg);
>
> So there won't ever be anything on the kernel side of the audit socket
> in a non-init network namespace. Let's say that is fixed somehow (I
> assume it's possible? something? magic pixies?) I think we'd somehow
> need to do the CAP_AUDIT_READ check against the user namespace
> associated with the network namespace in question? But what messages
> should go to this userspace auditd?
>
> Going to have to have audit namespaces too. But only CAP_AUDIT_READ
> would make sense in the new audit namespace...

I guess that could be achieved by forcing the creation of a new network
namespace at the same time you create a new audit namespace. Any new
network namespace created inside this new container would lose
CAP_AUDIT_*.

--
Aristeu

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
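The point Eric raises, that kauditd's netlink socket is created only in `init_net`, is visible from userspace: a unicast to the kernel (portid 0) on a NETLINK_AUDIT socket opened in another network namespace has no kernel-side endpoint to land on and fails with ECONNREFUSED. The program below is an added example, not code from this thread or from the kernel; it opens a NETLINK_AUDIT socket, sends an AUDIT_GET request, and classifies the outcome so an operator can tell "no kernel socket in this netns" apart from "missing CAP_AUDIT_* capability". The function names (`build_audit_get`, `probe_audit_socket`) and the result enum are this example's own. It assumes a kernel of the era discussed (one audit socket in `init_net`); kernels that later gained per-network-namespace audit sockets will report the kernel side as reachable from any netns.

```c
/* Added example: probe whether kauditd's end of the NETLINK_AUDIT socket is
 * reachable from the current network namespace. Not from the original thread.
 * Assumes kauditd's socket exists only in init_net (the behaviour discussed);
 * on later kernels with per-netns audit sockets the probe reports REACHABLE. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <linux/netlink.h>
#include <linux/audit.h>

enum audit_probe_result {
    AUDIT_PROBE_REACHABLE = 0,    /* kernel answered the AUDIT_GET request   */
    AUDIT_PROBE_NO_KERNEL_SOCKET, /* ECONNREFUSED: no kauditd in this netns  */
    AUDIT_PROBE_NO_PERMISSION,    /* kernel replied -EPERM: lacking CAP_AUDIT_* */
    AUDIT_PROBE_ERROR             /* anything else; see saved errno          */
};

/* Build the AUDIT_GET request header. AUDIT_GET carries no payload, so the
 * message is just an nlmsghdr. Kept as a pure function so it can be checked. */
struct nlmsghdr build_audit_get(uint32_t seq)
{
    struct nlmsghdr nlh;
    memset(&nlh, 0, sizeof(nlh));
    nlh.nlmsg_len   = NLMSG_LENGTH(0);   /* header only */
    nlh.nlmsg_type  = AUDIT_GET;
    nlh.nlmsg_flags = NLM_F_REQUEST;
    nlh.nlmsg_seq   = seq;
    nlh.nlmsg_pid   = 0;                 /* kernel assigns our portid */
    return nlh;
}

/* Send AUDIT_GET to portid 0 (the kernel) and classify what comes back.
 * *saved_errno receives errno from the failing call, if any. */
enum audit_probe_result probe_audit_socket(int *saved_errno)
{
    *saved_errno = 0;
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0) { *saved_errno = errno; return AUDIT_PROBE_ERROR; }

    /* Bound the wait so a silent kernel cannot hang the probe. */
    struct timeval tv = { .tv_sec = 2, .tv_usec = 0 };
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));

    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK, .nl_pid = 0 };
    struct nlmsghdr req = build_audit_get(1);

    if (sendto(fd, &req, req.nlmsg_len, 0,
               (struct sockaddr *)&kernel, sizeof(kernel)) < 0) {
        *saved_errno = errno;
        close(fd);
        /* netlink_unicast found no socket with portid 0 in this netns */
        return *saved_errno == ECONNREFUSED ? AUDIT_PROBE_NO_KERNEL_SOCKET
                                            : AUDIT_PROBE_ERROR;
    }

    char buf[8192];
    ssize_t n = recv(fd, buf, sizeof(buf), 0);
    *saved_errno = (n < 0) ? errno : 0;
    close(fd);
    if (n < (ssize_t)sizeof(struct nlmsghdr))
        return AUDIT_PROBE_ERROR;

    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    if (nlh->nlmsg_type == NLMSG_ERROR) {
        struct nlmsgerr *err = NLMSG_DATA(nlh);
        if (err->error == -EPERM) return AUDIT_PROBE_NO_PERMISSION;
        if (err->error == 0)      return AUDIT_PROBE_REACHABLE; /* plain ack */
        *saved_errno = -err->error;
        return AUDIT_PROBE_ERROR;
    }
    /* Any other reply (normally an AUDIT_GET status message) means the
     * kernel side of the audit socket exists in this network namespace. */
    return AUDIT_PROBE_REACHABLE;
}

int main(void)
{
    static const char *names[] = {
        "reachable", "no kernel-side audit socket in this netns",
        "no permission (CAP_AUDIT_* missing)", "error"
    };
    int e;
    enum audit_probe_result r = probe_audit_socket(&e);
    printf("audit socket probe: %s", names[r]);
    if (e) printf(" (errno %d: %s)", e, strerror(e));
    printf("\n");
    return r == AUDIT_PROBE_REACHABLE ? 0 : 1;
}
```

Run it once in the host's network namespace and once inside `unshare -n`; on a kernel matching the thread's description the second run reports the missing kernel-side socket, which is exactly the situation in which the proposed CAP_AUDIT_READ check has nothing to guard.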