On Thu, Oct 24, 2019 at 6:08 PM Richard Guy Briggs <rgb@xxxxxxxxxx> wrote: > On 2019-10-10 20:40, Paul Moore wrote: > > On Wed, Sep 18, 2019 at 9:26 PM Richard Guy Briggs <rgb@xxxxxxxxxx> wrote: > > > ?fixup! audit: convert to contid list to check for orch/engine ownership > > > > ? > > > > > Require the target task to be a descendant of the container > > > orchestrator/engine. > > > > > > You would only change the audit container ID from one set or inherited > > > value to another if you were nesting containers. > > > > > > If changing the contid, the container orchestrator/engine must be a > > > descendant and not same orchestrator as the one that set it so it is not > > > possible to change the contid of another orchestrator's container. > > > > Did you mean to say that the container orchestrator must be an > > ancestor of the target, and the same orchestrator as the one that set > > the target process' audit container ID? > > Not quite, the first half yes, but the second half: if it was already > set by that orchestrator, it can't be set again. If it is a different > orchestrator that is a descendant of the orchestrator that set it, then > allow the action. > > > Or maybe I'm missing something about what you are trying to do? > > Does that help clarify it? I think so, it's pretty much as you stated originally: "Require the target task to be a descendant of the container orchestrator/engine". It's possible I misread something in the patch, or got lost in all the ?fixup! patching. I'll take a closer look at the next revision of the patchset to make sure the code makes sense to me, but the logic seems reasonable. -- paul moore www.paul-moore.com _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers