On Sat, Jun 27, 2020 at 9:24 AM Richard Guy Briggs <rgb@xxxxxxxxxx> wrote: > > Provide a mechanism similar to CAP_AUDIT_CONTROL to explicitly give a > process in a non-init user namespace the capability to set audit > container identifiers of individual children. > > Provide the /proc/$PID/audit_capcontid interface to capcontid. > Valid values are: 1==enabled, 0==disabled > > Writing a "1" to this special file for the target process $PID will > enable the target process to set audit container identifiers of its > descendants. > > A process must already have CAP_AUDIT_CONTROL in the initial user > namespace or have had audit_capcontid enabled by a previous use of this > feature by its parent on this process in order to be able to enable it > for another process. The target process must be a descendant of the > calling process. > > Report this action in new message type AUDIT_SET_CAPCONTID 1022 with > fields opid= capcontid= old-capcontid= > > Signed-off-by: Richard Guy Briggs <rgb@xxxxxxxxxx> > --- > fs/proc/base.c | 57 +++++++++++++++++++++++++++++++++++++++++++++- > include/linux/audit.h | 14 ++++++++++++ > include/uapi/linux/audit.h | 1 + > kernel/audit.c | 38 ++++++++++++++++++++++++++++++- > 4 files changed, 108 insertions(+), 2 deletions(-) This seems very similar to the capable/ns_capable combination I mentioned in patch 11/13; any reasons why you feel that this might be a better approach? My current thinking is that the capable/ns_capable approach is preferable as it leverages existing kernel mechanisms and doesn't require us to reinvent the wheel in the audit subsystem. -- paul moore www.paul-moore.com
