Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: Steve Grubb <sgrubb@xxxxxxxxxx>, Paul Moore <paul@xxxxxxxxxxxxxx>
Subject: Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls
From: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
Date: Fri, 26 Oct 2018 01:09:16 -0700
Cc: luto@xxxxxxxxxx, rgb@xxxxxxxxxx, linux-api@xxxxxxxxxxxxxxx, containers@xxxxxxxxxxxxxxxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx, viro@xxxxxxxxxxxxxxxxxx, dhowells@xxxxxxxxxx, carlos@xxxxxxxxxx, linux-audit@xxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxx, ebiederm@xxxxxxxxxxxx, simo@xxxxxxxxxx, netdev@xxxxxxxxxxxxxxx, linux-fsdevel@xxxxxxxxxxxxxxx, Eric Paris <eparis@xxxxxxxxxxxxxx>, Serge Hallyn <serge@xxxxxxxxxx>
In-reply-to: <20181025235527.15a39d75@ivy-bridge>
User-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1

On 10/25/2018 2:55 PM, Steve Grubb wrote:
> ...
> And historically speaking setting audit loginuid produces a LOGIN
> event, so it only makes sense to consider binding container ID to
> container as a CONTAINER event. For other supplemental records, we name
> things what they are: PATH, CWD, SOCKADDR, etc. So, CONTAINER_ID makes
> sense. CONTAINER_OP sounds like its for operations on a container. Do
> we have any operations on a container?

The answer has to be "no", because containers are, by emphatic assertion,
not kernel constructs. Any CONTAINER_OP event has to come from user space.
I think.

Follow-Ups:
- Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls
  - From: Paul Moore

References:
- [PATCH ghak90 (was ghak32) V4 00/10] audit: implement container identifier
  - From: Richard Guy Briggs
- [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls
  - From: Richard Guy Briggs
- Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls
  - From: Paul Moore
- Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls
  - From: Richard Guy Briggs
- Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls
  - From: Paul Moore
- Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls
  - From: Richard Guy Briggs
- Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls
  - From: Steve Grubb
- Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls
  - From: Paul Moore
- Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls
  - From: Richard Guy Briggs
- Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls
  - From: Steve Grubb
- Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls
  - From: Richard Guy Briggs
- Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls
  - From: Paul Moore
- Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls
  - From: Steve Grubb

Prev by Date: Re: [PATCH v2] mnt: fix __detach_mounts infinite loop
Next by Date: Re: [PATCH] direct-io: allow direct writes to empty inodes
Previous by thread: Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls
Next by thread: Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls
Index(es):
- Date
- Thread

[Index of Archives] [Linux Ext4 Filesystem] [Union Filesystem] [Filesystem Testing] [Ceph Users] [Ecryptfs] [AutoFS] [Kernel Newbies] [Share Photos] [Security] [Netfilter] [Bugtraq] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux Cachefs] [Reiser Filesystem] [Linux RAID] [Samba] [Device Mapper] [CEPH Development]