On Tue, May 22, 2018 at 1:35 PM, Richard Guy Briggs <rgb@xxxxxxxxxx> wrote: > On 2018-05-21 16:06, Paul Moore wrote: >> On Mon, May 21, 2018 at 3:19 PM, Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote: >> > Steve Grubb <sgrubb@xxxxxxxxxx> writes: >> >> On Friday, March 16, 2018 5:00:40 AM EDT Richard Guy Briggs wrote: >> >>> Add support for reading the container ID from the proc filesystem. >> >> >> >> I think this could be useful in general. Please consider this to be part of >> >> the full patch set and not something merely used to debug the patches. >> > >> > Only with an audit specific name. >> > >> > As it is: >> > >> > Nacked-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx> >> > >> > The truth is the containerid name really stinks and is quite confusing >> > and does not imply that the label applies only to audit. And little >> > things like this make me extremely uncofortable with it. >> >> It also makes the audit container ID (notice how I *always* call it >> the *audit* container ID? that is not an accident) available for >> userspace applications to abuse. Perhaps in the future we can look at >> ways to make this more available to applications, but this patch is >> not the answer. > > Do you have a productive suggestion? I haven't given it much thought beyond our discussions and until we get the basic audit container ID support in place (all the other parts of this patchset) I doubt I'll be giving it much thought. -- paul moore www.paul-moore.com
