On Tue, Oct 17, 2017 at 8:31 AM, Simo Sorce <simo@xxxxxxxxxx> wrote:
> The container Id can be used also for authorization purposes (by other
> processes on the host), not just audit, I think this is why a separate
> control has been proposed.

Apologies, but I'm just now getting a chance to work my way through this thread, and I wanted to make a quick comment on this point ...

The audit container ID (note I said "audit container ID" not "container ID") is intended strictly for use by the audit subsystem at this point. Allowing other uses opens the door to a larger set of problems we are trying to avoid (e.g. handling migration across hosts).

We would love to have a generic kernel facility that the audit subsystem could use to identify containers, but we don't, and previous attempts have failed, so we have to create our own. We are intentionally trying to limit its scope in an attempt to limit problems. If a more general solution appears in the future I think we would make every effort to migrate to that; keeping this initial effort small should make that easier.

--
paul moore
www.paul-moore.com