On Sat, Jun 27, 2020 at 9:23 AM Richard Guy Briggs <rgb@xxxxxxxxxx> wrote:
>
> Track the parent container of a container to be able to filter and
> report nesting.
>
> Now that we have a way to track and check the parent container of a
> container, modify the contid field format to be able to report that
> nesting using a caret ("^") modifier to indicate nesting. The
> original field format was "contid=<contid>" for task-associated records
> and "contid=<contid>[,<contid>[...]]" for network-namespace-associated
> records. The new field format is
> "contid=<contid>[,^<contid>[...]][,<contid>[...]]".

I feel like this is a case which could really benefit from an example
in the commit description showing multiple levels of nesting, with
some leaf audit container IDs at each level. This way we have a
canonical example for people who want to understand how to parse the
list and properly sort out the inheritance.

> Signed-off-by: Richard Guy Briggs <rgb@xxxxxxxxxx>
> ---
>  include/linux/audit.h |  1 +
>  kernel/audit.c        | 60 ++++++++++++++++++++++++++++++++++++++++++---------
>  kernel/audit.h        |  2 ++
>  kernel/auditfilter.c  | 17 ++++++++++++++-
>  kernel/auditsc.c      |  2 +-
>  5 files changed, 70 insertions(+), 12 deletions(-)

-- 
paul moore
www.paul-moore.com
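As an added illustration of the quoted contid field format (not code from this thread, the kernel patch or the audit userspace), a small parser for the new "contid=<contid>[,^<contid>[...]][,<contid>[...]]" layout. It assumes that each value without a caret is a leaf audit container ID and that the caret-prefixed values following it are that leaf's ancestors, nearest parent first; the sample records and all ID values are constructed.

```python
import re

# Constructed sample records (not from the thread); contid values are made up.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1593270000.123:456): syscall=59 contid=123456,^123,^1 comm="bash"',
    'type=NETFILTER_PKT msg=audit(1593270001.456:457): contid=5000,^500,^5,6000,^600,^5',
    'type=SYSCALL msg=audit(1593270002.789:458): syscall=2 contid=42 comm="cat"',
    'type=SYSCALL msg=audit(1593270003.012:459): syscall=2 comm="cat"',
]

# The field value is digits, carets and commas only; \b keeps e.g. "subj_contid" from matching.
CONTID_RE = re.compile(r'\bcontid=([0-9^,]+)')


def parse_contid(record):
    """Return a list of {'leaf': id, 'ancestors': [parent, grandparent, ...]}.

    Assumption: an entry without '^' is a leaf container ID and every
    '^'-prefixed value that follows belongs to that leaf's ancestry,
    nearest parent first.  A record with no contid field yields [].
    """
    m = CONTID_RE.search(record)
    if not m:
        return []
    entries = []
    for tok in m.group(1).split(','):
        if tok.startswith('^'):
            if not entries:
                raise ValueError("ancestor '%s' with no preceding leaf contid" % tok)
            entries[-1]['ancestors'].append(int(tok[1:]))
        else:
            entries.append({'leaf': int(tok), 'ancestors': []})
    return entries


def in_container(record, contid):
    """True if contid is a leaf or an ancestor in the record.

    This is the filtering the nesting information enables: a rule on a
    parent container also matches events from containers nested inside it.
    """
    return any(contid == e['leaf'] or contid in e['ancestors']
               for e in parse_contid(record))


def max_depth(record):
    """Deepest nesting level in the record (1 = leaf with no parents, 0 = no field)."""
    return max((1 + len(e['ancestors']) for e in parse_contid(record)), default=0)


if __name__ == '__main__':
    for rec in SAMPLE_RECORDS:
        print(parse_contid(rec), 'depth', max_depth(rec))
```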