Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Subject: Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls
From: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
Date: Fri, 26 Oct 2018 01:09:16 -0700
Cc: luto@xxxxxxxxxx, rgb@xxxxxxxxxx, linux-api@xxxxxxxxxxxxxxx, containers@xxxxxxxxxxxxxxxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx, viro@xxxxxxxxxxxxxxxxxx, dhowells@xxxxxxxxxx, carlos@xxxxxxxxxx, linux-audit@xxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxx, ebiederm@xxxxxxxxxxxx, simo@xxxxxxxxxx, netdev@xxxxxxxxxxxxxxx, linux-fsdevel@xxxxxxxxxxxxxxx, Eric Paris <eparis@xxxxxxxxxxxxxx>, Serge Hallyn <serge@xxxxxxxxxx>
In-reply-to: <20181025235527.15a39d75@ivy-bridge>
User-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1

On 10/25/2018 2:55 PM, Steve Grubb wrote:
> ...
> And historically speaking setting audit loginuid produces a LOGIN
> event, so it only makes sense to consider binding container ID to
> container as a CONTAINER event. For other supplemental records, we name
> things what they are: PATH, CWD, SOCKADDR, etc. So, CONTAINER_ID makes
> sense. CONTAINER_OP sounds like its for operations on a container. Do
> we have any operations on a container?

The answer has to be "no", because containers are, by emphatic assertion,
not kernel constructs. Any CONTAINER_OP event has to come from user space.
I think.

Follow-Ups:
- Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls
  - From: Paul Moore

References:
- [PATCH ghak90 (was ghak32) V4 00/10] audit: implement container identifier
  - From: Richard Guy Briggs
- [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls
  - From: Richard Guy Briggs
- Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls
  - From: Paul Moore
- Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls
  - From: Richard Guy Briggs
- Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls
  - From: Paul Moore
- Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls
  - From: Richard Guy Briggs
- Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls
  - From: Steve Grubb
- Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls
  - From: Paul Moore
- Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls
  - From: Richard Guy Briggs
- Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls
  - From: Steve Grubb
- Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls
  - From: Richard Guy Briggs
- Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls
  - From: Paul Moore
- Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls
  - From: Steve Grubb

Prev by Date: Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls
Next by Date: [PATCH nf] Revert "netfilter: nft_numgen: add map lookups for numgen random operations"
Previous by thread: Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls
Next by thread: Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls
Index(es):
- Date
- Thread

[Index of Archives] [Netfitler Users] [LARTC] [Bugtraq] [Yosemite Forum]