All of lore.kernel.org
* PID's Mapping
@ 2016-04-13  5:43 sowndarya kumar
  2016-04-14 22:42 ` Paul Moore
  0 siblings, 1 reply; 15+ messages in thread
From: sowndarya kumar @ 2016-04-13  5:43 UTC (permalink / raw)
  To: linux-audit



Hi

Is there any way to map the PIDs seen in the namespaced application to
the PIDs seen globally?
If it can be done, please provide documentation or an idea of how it can
be done.


-Krithika

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: PID's Mapping
  2016-04-13  5:43 PID's Mapping sowndarya kumar
@ 2016-04-14 22:42 ` Paul Moore
  2016-04-18  5:36   ` Krithika Nadar
       [not found]   ` <CAHj_pNdyAnUYPgBhRHNRGE8y9YSEowqMRFSNBF8CAfxfd3bt6w@mail.gmail.com>
  0 siblings, 2 replies; 15+ messages in thread
From: Paul Moore @ 2016-04-14 22:42 UTC (permalink / raw)
  To: sowndarya kumar; +Cc: linux-audit

On Wed, Apr 13, 2016 at 1:43 AM, sowndarya kumar
<sowndarya.nadar@gmail.com> wrote:
> Hi
>
> Is there any way to map the PID's seen in the namespace application with the
> PID's seen in global?
> If it can be done please provide the documentation or idea on how it can be
> done.

In general the audit subsystem doesn't pay attention to namespaces,
all PIDs reported to userspace are reported with respect to the init
namespace.

-- 
paul moore
www.paul-moore.com


* Re: PID's Mapping
  2016-04-14 22:42 ` Paul Moore
@ 2016-04-18  5:36   ` Krithika Nadar
       [not found]   ` <CAHj_pNdyAnUYPgBhRHNRGE8y9YSEowqMRFSNBF8CAfxfd3bt6w@mail.gmail.com>
  1 sibling, 0 replies; 15+ messages in thread
From: Krithika Nadar @ 2016-04-18  5:36 UTC (permalink / raw)
  To: Paul Moore, linux-audit



Is there any way that can be suggested to map the PIDs of a namespace to
global PIDs?

On Fri, Apr 15, 2016 at 4:12 AM, Paul Moore <paul@paul-moore.com> wrote:

> On Wed, Apr 13, 2016 at 1:43 AM, sowndarya kumar
> <sowndarya.nadar@gmail.com> wrote:
> > Hi
> >
> > Is there any way to map the PID's seen in the namespace application with
> the
> > PID's seen in global?
> > If it can be done please provide the documentation or idea on how it can
> be
> > done.
>
> In general the audit subsystem doesn't pay attention to namespaces,
> all PIDs reported to userspace are reported with respect to the init
> namespace.
>
> --
> paul moore
> www.paul-moore.com
>


* Re: PID's Mapping
       [not found]     ` <CAHC9VhR=S5DP-DUMxizNLr4RwP8XD6-EPStCQU5sQbQVXg_Qjw@mail.gmail.com>
@ 2016-04-20  4:36       ` Deepika Sundar
  2016-04-20 12:33         ` Steve Grubb
  0 siblings, 1 reply; 15+ messages in thread
From: Deepika Sundar @ 2016-04-20  4:36 UTC (permalink / raw)
  To: Paul Moore, linux-audit, Steve Grubb



Is there any way that can be suggested to map the PIDs of a namespace to
global PIDs?


On Mon, Apr 18, 2016 at 8:47 PM, Paul Moore <paul@paul-moore.com> wrote:

> Please ask your question on the mailing list so that everyone can benefit.
>
> On Mon, Apr 18, 2016 at 1:34 AM, Deepika Sundar
> <sundar.deepika18@gmail.com> wrote:
> > How it can be achieved ,Can I get any idea on this?
> >
> > On Fri, Apr 15, 2016 at 4:12 AM, Paul Moore <paul@paul-moore.com> wrote:
> >>
> >> On Wed, Apr 13, 2016 at 1:43 AM, sowndarya kumar
> >> <sowndarya.nadar@gmail.com> wrote:
> >> > Hi
> >> >
> >> > Is there any way to map the PID's seen in the namespace application
> with
> >> > the
> >> > PID's seen in global?
> >> > If it can be done please provide the documentation or idea on how it
> can
> >> > be
> >> > done.
> >>
> >> In general the audit subsystem doesn't pay attention to namespaces,
> >> all PIDs reported to userspace are reported with respect to the init
> >> namespace.
> >>
> >> --
> >> paul moore
> >> www.paul-moore.com
> >>
> >> --
> >> Linux-audit mailing list
> >> Linux-audit@redhat.com
> >> https://www.redhat.com/mailman/listinfo/linux-audit
> >
> >
>
>
>
> --
> paul moore
> www.paul-moore.com
>


* Re: PID's Mapping
  2016-04-20  4:36       ` Deepika Sundar
@ 2016-04-20 12:33         ` Steve Grubb
       [not found]           ` <CAHj_pNdAoTjNw_R3oxWGaEH+xBmkY8SDJK710V3HY9Om4EYfgQ@mail.gmail.com>
  2016-04-25  6:54           ` Deepika Sundar
  0 siblings, 2 replies; 15+ messages in thread
From: Steve Grubb @ 2016-04-20 12:33 UTC (permalink / raw)
  To: Deepika Sundar, linux-audit

On Wednesday, April 20, 2016 10:06:38 AM Deepika Sundar wrote:
> Is there any way that can be suggested as to map PID's of namespace in
> global?

This is on the TODO list. We have been kicking around several ideas but have 
not come to a conclusion about what exactly needs to be done. The upshot of 
this is that basically containers have no support.

-Steve


> On Mon, Apr 18, 2016 at 8:47 PM, Paul Moore <paul@paul-moore.com> wrote:
> > Please ask your question on the mailing list so that everyone can benefit.
> > 
> > On Mon, Apr 18, 2016 at 1:34 AM, Deepika Sundar
> > 
> > <sundar.deepika18@gmail.com> wrote:
> > > How it can be achieved ,Can I get any idea on this?
> > > 
> > > On Fri, Apr 15, 2016 at 4:12 AM, Paul Moore <paul@paul-moore.com> wrote:
> > >> On Wed, Apr 13, 2016 at 1:43 AM, sowndarya kumar
> > >> 
> > >> <sowndarya.nadar@gmail.com> wrote:
> > >> > Hi
> > >> > 
> > >> > Is there any way to map the PID's seen in the namespace application
> > 
> > with
> > 
> > >> > the
> > >> > PID's seen in global?
> > >> > If it can be done please provide the documentation or idea on how it
> > 
> > can
> > 
> > >> > be
> > >> > done.
> > >> 
> > >> In general the audit subsystem doesn't pay attention to namespaces,
> > >> all PIDs reported to userspace are reported with respect to the init
> > >> namespace.
> > >> 
> > >> --
> > >> paul moore
> > >> www.paul-moore.com
> > >> 
> > >> --
> > >> Linux-audit mailing list
> > >> Linux-audit@redhat.com
> > >> https://www.redhat.com/mailman/listinfo/linux-audit
> > 
> > --
> > paul moore
> > www.paul-moore.com


* Fwd: PID's Mapping
       [not found]           ` <CAHj_pNdAoTjNw_R3oxWGaEH+xBmkY8SDJK710V3HY9Om4EYfgQ@mail.gmail.com>
@ 2016-04-25  6:53             ` Deepika Sundar
  0 siblings, 0 replies; 15+ messages in thread
From: Deepika Sundar @ 2016-04-25  6:53 UTC (permalink / raw)
  To: linux-audit



---------- Forwarded message ----------
From: Deepika Sundar <sundar.deepika18@gmail.com>
Date: Mon, Apr 25, 2016 at 12:22 PM
Subject: Re: PID's Mapping
To: Steve Grubb <sgrubb@redhat.com>


Yeah.
The PIDs in the namespaced application are different from the global
PIDs. There should be some means to map the PIDs at the kernel level.
Can anyone suggest how it can be mapped?

On Wed, Apr 20, 2016 at 6:03 PM, Steve Grubb <sgrubb@redhat.com> wrote:

> On Wednesday, April 20, 2016 10:06:38 AM Deepika Sundar wrote:
> > Is there any way that can be suggested as to map PID's of namespace in
> > global?
>
> This is on the TODO list. We have been kicking around several ideas but
> have
> not come to a conclusion about what exactly needs to be done. The upshot of
> this is that basically containers have no support.
>
> -Steve
>
>
> > On Mon, Apr 18, 2016 at 8:47 PM, Paul Moore <paul@paul-moore.com> wrote:
> > > Please ask your question on the mailing list so that everyone can
> benefit.
> > >
> > > On Mon, Apr 18, 2016 at 1:34 AM, Deepika Sundar
> > >
> > > <sundar.deepika18@gmail.com> wrote:
> > > > How it can be achieved ,Can I get any idea on this?
> > > >
> > > > On Fri, Apr 15, 2016 at 4:12 AM, Paul Moore <paul@paul-moore.com>
> wrote:
> > > >> On Wed, Apr 13, 2016 at 1:43 AM, sowndarya kumar
> > > >>
> > > >> <sowndarya.nadar@gmail.com> wrote:
> > > >> > Hi
> > > >> >
> > > >> > Is there any way to map the PID's seen in the namespace
> application
> > >
> > > with
> > >
> > > >> > the
> > > >> > PID's seen in global?
> > > >> > If it can be done please provide the documentation or idea on how
> it
> > >
> > > can
> > >
> > > >> > be
> > > >> > done.
> > > >>
> > > >> In general the audit subsystem doesn't pay attention to namespaces,
> > > >> all PIDs reported to userspace are reported with respect to the init
> > > >> namespace.
> > > >>
> > > >> --
> > > >> paul moore
> > > >> www.paul-moore.com
> > > >>
> > > >> --
> > > >> Linux-audit mailing list
> > > >> Linux-audit@redhat.com
> > > >> https://www.redhat.com/mailman/listinfo/linux-audit
> > >
> > > --
> > > paul moore
> > > www.paul-moore.com
>
>


* Re: PID's Mapping
  2016-04-20 12:33         ` Steve Grubb
       [not found]           ` <CAHj_pNdAoTjNw_R3oxWGaEH+xBmkY8SDJK710V3HY9Om4EYfgQ@mail.gmail.com>
@ 2016-04-25  6:54           ` Deepika Sundar
  2016-04-27 11:19             ` Deepika Sundar
  1 sibling, 1 reply; 15+ messages in thread
From: Deepika Sundar @ 2016-04-25  6:54 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit



Yeah.
The PIDs in the namespaced application are different from the global
PIDs. There should be some means to map the PIDs at the kernel level.
Can anyone suggest how it can be mapped?

On Wed, Apr 20, 2016 at 6:03 PM, Steve Grubb <sgrubb@redhat.com> wrote:

> On Wednesday, April 20, 2016 10:06:38 AM Deepika Sundar wrote:
> > Is there any way that can be suggested as to map PID's of namespace in
> > global?
>
> This is on the TODO list. We have been kicking around several ideas but
> have
> not come to a conclusion about what exactly needs to be done. The upshot of
> this is that basically containers have no support.
>
> -Steve
>
>
> > On Mon, Apr 18, 2016 at 8:47 PM, Paul Moore <paul@paul-moore.com> wrote:
> > > Please ask your question on the mailing list so that everyone can
> benefit.
> > >
> > > On Mon, Apr 18, 2016 at 1:34 AM, Deepika Sundar
> > >
> > > <sundar.deepika18@gmail.com> wrote:
> > > > How it can be achieved ,Can I get any idea on this?
> > > >
> > > > On Fri, Apr 15, 2016 at 4:12 AM, Paul Moore <paul@paul-moore.com>
> wrote:
> > > >> On Wed, Apr 13, 2016 at 1:43 AM, sowndarya kumar
> > > >>
> > > >> <sowndarya.nadar@gmail.com> wrote:
> > > >> > Hi
> > > >> >
> > > >> > Is there any way to map the PID's seen in the namespace
> application
> > >
> > > with
> > >
> > > >> > the
> > > >> > PID's seen in global?
> > > >> > If it can be done please provide the documentation or idea on how
> it
> > >
> > > can
> > >
> > > >> > be
> > > >> > done.
> > > >>
> > > >> In general the audit subsystem doesn't pay attention to namespaces,
> > > >> all PIDs reported to userspace are reported with respect to the init
> > > >> namespace.
> > > >>
> > > >> --
> > > >> paul moore
> > > >> www.paul-moore.com
> > > >>
> > > >> --
> > > >> Linux-audit mailing list
> > > >> Linux-audit@redhat.com
> > > >> https://www.redhat.com/mailman/listinfo/linux-audit
> > >
> > > --
> > > paul moore
> > > www.paul-moore.com
>
>


* Re: PID's Mapping
  2016-04-25  6:54           ` Deepika Sundar
@ 2016-04-27 11:19             ` Deepika Sundar
  2016-04-28  5:42               ` Deepika Sundar
  2016-04-29  2:33               ` Richard Guy Briggs
  0 siblings, 2 replies; 15+ messages in thread
From: Deepika Sundar @ 2016-04-27 11:19 UTC (permalink / raw)
  To: Steve Grubb, rgb, linux-audit



As a rule, root (admin) is the one who monitors the system's
information, so there must exist some namespace information in the proc
field for the namespace-related PID in global. Is the way I'm approaching
the namespace-related stuff correct?


-Deepika

On Mon, Apr 25, 2016 at 12:24 PM, Deepika Sundar <sundar.deepika18@gmail.com> wrote:

> Yeah.
> When the PID's which are in the namespace application has different PID
> compared to Global PID.There would be some means to  map the PID's in the
> kernel level.Can anyone suggest How it can be mapped?
>
> On Wed, Apr 20, 2016 at 6:03 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>
>> On Wednesday, April 20, 2016 10:06:38 AM Deepika Sundar wrote:
>> > Is there any way that can be suggested as to map PID's of namespace in
>> > global?
>>
>> This is on the TODO list. We have been kicking around several ideas but
>> have
>> not come to a conclusion about what exactly needs to be done. The upshot
>> of
>> this is that basically containers have no support.
>>
>> -Steve
>>
>>
>> > On Mon, Apr 18, 2016 at 8:47 PM, Paul Moore <paul@paul-moore.com>
>> wrote:
>> > > Please ask your question on the mailing list so that everyone can
>> benefit.
>> > >
>> > > On Mon, Apr 18, 2016 at 1:34 AM, Deepika Sundar
>> > >
>> > > <sundar.deepika18@gmail.com> wrote:
>> > > > How it can be achieved ,Can I get any idea on this?
>> > > >
>> > > > On Fri, Apr 15, 2016 at 4:12 AM, Paul Moore <paul@paul-moore.com>
>> wrote:
>> > > >> On Wed, Apr 13, 2016 at 1:43 AM, sowndarya kumar
>> > > >>
>> > > >> <sowndarya.nadar@gmail.com> wrote:
>> > > >> > Hi
>> > > >> >
>> > > >> > Is there any way to map the PID's seen in the namespace
>> application
>> > >
>> > > with
>> > >
>> > > >> > the
>> > > >> > PID's seen in global?
>> > > >> > If it can be done please provide the documentation or idea on
>> how it
>> > >
>> > > can
>> > >
>> > > >> > be
>> > > >> > done.
>> > > >>
>> > > >> In general the audit subsystem doesn't pay attention to namespaces,
>> > > >> all PIDs reported to userspace are reported with respect to the
>> init
>> > > >> namespace.
>> > > >>
>> > > >> --
>> > > >> paul moore
>> > > >> www.paul-moore.com
>> > > >>
>> > > >> --
>> > > >> Linux-audit mailing list
>> > > >> Linux-audit@redhat.com
>> > > >> https://www.redhat.com/mailman/listinfo/linux-audit
>> > >
>> > > --
>> > > paul moore
>> > > www.paul-moore.com
>>
>>
>


* Re: PID's Mapping
  2016-04-27 11:19             ` Deepika Sundar
@ 2016-04-28  5:42               ` Deepika Sundar
  2016-04-29  2:37                 ` Richard Guy Briggs
  2016-04-29  2:33               ` Richard Guy Briggs
  1 sibling, 1 reply; 15+ messages in thread
From: Deepika Sundar @ 2016-04-28  5:42 UTC (permalink / raw)
  To: Steve Grubb, rgb, linux-audit



Thank you for the replies.

As per my understanding, root as admin has control over all the
namespaces. If this is correct,

(i) Should root have access to all namespace-related info,
    for example, which PIDs in the host are mapped to which PIDs in the namespace?

  If not,

(ii) Should init have access only to its own processes and not have
access to other namespaces?
Is this a design limitation, or is it designed for better security?

On Wed, Apr 27, 2016 at 4:49 PM, Deepika Sundar <sundar.deepika18@gmail.com>
wrote:

> As per rule root(admin) is the one who is monitoring the system's
> information .so,there must exist some namespace information in proc field
> for the namespace related PID in global.Is this the way I'm approaching to
> the namespace related stuffs is correct?
>
>
> -Deepika
>
> On Mon, Apr 25, 2016 at 12:24 PM, Deepika Sundar <
> sundar.deepika18@gmail.com> wrote:
>
>> Yeah.
>> When the PID's which are in the namespace application has different PID
>> compared to Global PID.There would be some means to  map the PID's in the
>> kernel level.Can anyone suggest How it can be mapped?
>>
>> On Wed, Apr 20, 2016 at 6:03 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>>
>>> On Wednesday, April 20, 2016 10:06:38 AM Deepika Sundar wrote:
>>> > Is there any way that can be suggested as to map PID's of namespace in
>>> > global?
>>>
>>> This is on the TODO list. We have been kicking around several ideas but
>>> have
>>> not come to a conclusion about what exactly needs to be done. The upshot
>>> of
>>> this is that basically containers have no support.
>>>
>>> -Steve
>>>
>>>
>>> > On Mon, Apr 18, 2016 at 8:47 PM, Paul Moore <paul@paul-moore.com>
>>> wrote:
>>> > > Please ask your question on the mailing list so that everyone can
>>> benefit.
>>> > >
>>> > > On Mon, Apr 18, 2016 at 1:34 AM, Deepika Sundar
>>> > >
>>> > > <sundar.deepika18@gmail.com> wrote:
>>> > > > How it can be achieved ,Can I get any idea on this?
>>> > > >
>>> > > > On Fri, Apr 15, 2016 at 4:12 AM, Paul Moore <paul@paul-moore.com>
>>> wrote:
>>> > > >> On Wed, Apr 13, 2016 at 1:43 AM, sowndarya kumar
>>> > > >>
>>> > > >> <sowndarya.nadar@gmail.com> wrote:
>>> > > >> > Hi
>>> > > >> >
>>> > > >> > Is there any way to map the PID's seen in the namespace
>>> application
>>> > >
>>> > > with
>>> > >
>>> > > >> > the
>>> > > >> > PID's seen in global?
>>> > > >> > If it can be done please provide the documentation or idea on
>>> how it
>>> > >
>>> > > can
>>> > >
>>> > > >> > be
>>> > > >> > done.
>>> > > >>
>>> > > >> In general the audit subsystem doesn't pay attention to
>>> namespaces,
>>> > > >> all PIDs reported to userspace are reported with respect to the
>>> init
>>> > > >> namespace.
>>> > > >>
>>> > > >> --
>>> > > >> paul moore
>>> > > >> www.paul-moore.com
>>> > > >>
>>> > > >> --
>>> > > >> Linux-audit mailing list
>>> > > >> Linux-audit@redhat.com
>>> > > >> https://www.redhat.com/mailman/listinfo/linux-audit
>>> > >
>>> > > --
>>> > > paul moore
>>> > > www.paul-moore.com
>>>
>>>
>>
>


* Re: PID's Mapping
  2016-04-27 11:19             ` Deepika Sundar
  2016-04-28  5:42               ` Deepika Sundar
@ 2016-04-29  2:33               ` Richard Guy Briggs
  1 sibling, 0 replies; 15+ messages in thread
From: Richard Guy Briggs @ 2016-04-29  2:33 UTC (permalink / raw)
  To: Deepika Sundar; +Cc: linux-audit

On 16/04/27, Deepika Sundar wrote:
> As per rule root(admin) is the one who is monitoring the system's
> information .so,there must exist some namespace information in proc field
> for the namespace related PID in global.Is this the way I'm approaching to
> the namespace related stuffs is correct?

I'm having some trouble parsing your text, but I'll try to answer the
question.

"root" is not necessarily omniscient as it has been assumed to be
frequently in the past.  This is true of Linux Capabilities and I
believe SELinux.

It is possible for a process to be owned by "root" (UID 0) in a
non-initial PID namespace and it would not have access to initial PID
namespace information nor any of the other PID namespaces that are not
children of its own PID namespace.

Anything visible from the proc filesystem should be relative to the
namespaces of the process requesting it.

This gets into a whole lot of discussion about Linux kernel namespaces
in general, and I'd recommend you seek out articles about the six Linux
kernel namespaces on Linux Weekly News (lwn.net) on the topic.

> -Deepika
> 
> On Mon, Apr 25, 2016 at 12:24 PM, Deepika Sundar <sundar.deepika18@gmail.com wrote:
> > Yeah.
> > When the PID's which are in the namespace application has different PID
> > compared to Global PID.There would be some means to  map the PID's in the
> > kernel level.Can anyone suggest How it can be mapped?
> >
> > On Wed, Apr 20, 2016 at 6:03 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> >
> >> On Wednesday, April 20, 2016 10:06:38 AM Deepika Sundar wrote:
> >> > Is there any way that can be suggested as to map PID's of namespace in
> >> > global?
> >>
> >> This is on the TODO list. We have been kicking around several ideas but
> >> have
> >> not come to a conclusion about what exactly needs to be done. The upshot
> >> of
> >> this is that basically containers have no support.
> >>
> >> -Steve
> >>
> >>
> >> > On Mon, Apr 18, 2016 at 8:47 PM, Paul Moore <paul@paul-moore.com>
> >> wrote:
> >> > > Please ask your question on the mailing list so that everyone can
> >> benefit.
> >> > >
> >> > > On Mon, Apr 18, 2016 at 1:34 AM, Deepika Sundar
> >> > >
> >> > > <sundar.deepika18@gmail.com> wrote:
> >> > > > How it can be achieved ,Can I get any idea on this?
> >> > > >
> >> > > > On Fri, Apr 15, 2016 at 4:12 AM, Paul Moore <paul@paul-moore.com>
> >> wrote:
> >> > > >> On Wed, Apr 13, 2016 at 1:43 AM, sowndarya kumar
> >> > > >>
> >> > > >> <sowndarya.nadar@gmail.com> wrote:
> >> > > >> > Hi
> >> > > >> >
> >> > > >> > Is there any way to map the PID's seen in the namespace
> >> application
> >> > >
> >> > > with
> >> > >
> >> > > >> > the
> >> > > >> > PID's seen in global?
> >> > > >> > If it can be done please provide the documentation or idea on
> >> how it
> >> > >
> >> > > can
> >> > >
> >> > > >> > be
> >> > > >> > done.
> >> > > >>
> >> > > >> In general the audit subsystem doesn't pay attention to namespaces,
> >> > > >> all PIDs reported to userspace are reported with respect to the
> >> init
> >> > > >> namespace.
> >> > > >>
> >> > > >> --
> >> > > >> paul moore
> >> > > >> www.paul-moore.com
> >> > > >>
> >> > > >> --
> >> > > >> Linux-audit mailing list
> >> > > >> Linux-audit@redhat.com
> >> > > >> https://www.redhat.com/mailman/listinfo/linux-audit
> >> > >
> >> > > --
> >> > > paul moore
> >> > > www.paul-moore.com
> >>
> >>
> >

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635


* Re: PID's Mapping
  2016-04-28  5:42               ` Deepika Sundar
@ 2016-04-29  2:37                 ` Richard Guy Briggs
  2016-04-29  5:22                   ` Deepika Sundar
  0 siblings, 1 reply; 15+ messages in thread
From: Richard Guy Briggs @ 2016-04-29  2:37 UTC (permalink / raw)
  To: Deepika Sundar; +Cc: linux-audit

On 16/04/28, Deepika Sundar wrote:
> Thank you for the replies.
> 
> As per My understanding Root as Admin it has the control over all the
> namespaces.If this is correct,

As per my previous email, not necessarily.

> (i) Is that root should have access to all namespace relate info,
>     for ex: PID's in the host is mapped to what PID's in the Namespace?

The initial PID namespace knows about all the PIDs on the machine since
the PID namespaces are hierarchical.  There is a mapping from the PID in
the initial PID namespace to its PID in a child PID namespace.  A child
PID namespace should never be able to find out what its PID is in a
parent PID namespace.

>   if not ,
> 
> (ii) Init should have only access to his own process and should not have
> access to other namespace.

See above.

> Is this design limitation (or) Is it designed for better security ?

Both.

> On Wed, Apr 27, 2016 at 4:49 PM, Deepika Sundar <sundar.deepika18@gmail.com> wrote:
> > As per rule root(admin) is the one who is monitoring the system's
> > information .so,there must exist some namespace information in proc field
> > for the namespace related PID in global.Is this the way I'm approaching to
> > the namespace related stuffs is correct?
> >
> > -Deepika
> >
> > On Mon, Apr 25, 2016 at 12:24 PM, Deepika Sundar <
> > sundar.deepika18@gmail.com> wrote:
> >
> >> Yeah.
> >> When the PID's which are in the namespace application has different PID
> >> compared to Global PID.There would be some means to  map the PID's in the
> >> kernel level.Can anyone suggest How it can be mapped?
> >>
> >> On Wed, Apr 20, 2016 at 6:03 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> >>
> >>> On Wednesday, April 20, 2016 10:06:38 AM Deepika Sundar wrote:
> >>> > Is there any way that can be suggested as to map PID's of namespace in
> >>> > global?
> >>>
> >>> This is on the TODO list. We have been kicking around several ideas but
> >>> have
> >>> not come to a conclusion about what exactly needs to be done. The upshot
> >>> of
> >>> this is that basically containers have no support.
> >>>
> >>> -Steve
> >>>
> >>>
> >>> > On Mon, Apr 18, 2016 at 8:47 PM, Paul Moore <paul@paul-moore.com>
> >>> wrote:
> >>> > > Please ask your question on the mailing list so that everyone can
> >>> benefit.
> >>> > >
> >>> > > On Mon, Apr 18, 2016 at 1:34 AM, Deepika Sundar
> >>> > >
> >>> > > <sundar.deepika18@gmail.com> wrote:
> >>> > > > How it can be achieved ,Can I get any idea on this?
> >>> > > >
> >>> > > > On Fri, Apr 15, 2016 at 4:12 AM, Paul Moore <paul@paul-moore.com>
> >>> wrote:
> >>> > > >> On Wed, Apr 13, 2016 at 1:43 AM, sowndarya kumar
> >>> > > >>
> >>> > > >> <sowndarya.nadar@gmail.com> wrote:
> >>> > > >> > Hi
> >>> > > >> >
> >>> > > >> > Is there any way to map the PID's seen in the namespace
> >>> application
> >>> > >
> >>> > > with
> >>> > >
> >>> > > >> > the
> >>> > > >> > PID's seen in global?
> >>> > > >> > If it can be done please provide the documentation or idea on
> >>> how it
> >>> > >
> >>> > > can
> >>> > >
> >>> > > >> > be
> >>> > > >> > done.
> >>> > > >>
> >>> > > >> In general the audit subsystem doesn't pay attention to
> >>> namespaces,
> >>> > > >> all PIDs reported to userspace are reported with respect to the
> >>> init
> >>> > > >> namespace.
> >>> > > >>
> >>> > > >> --
> >>> > > >> paul moore
> >>> > > >> www.paul-moore.com
> >>> > > >>
> >>> > > >> --
> >>> > > >> Linux-audit mailing list
> >>> > > >> Linux-audit@redhat.com
> >>> > > >> https://www.redhat.com/mailman/listinfo/linux-audit
> >>> > >
> >>> > > --
> >>> > > paul moore
> >>> > > www.paul-moore.com
> >>>
> >>>
> >>
> >

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635

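The mapping Richard describes above (the initial PID namespace knows every PID on the machine, and a child namespace cannot learn its parent-side PID), together with Paul Moore's earlier point that audit reports PIDs relative to the initial namespace, can be seen from the host side. The following is an added example, not code from this thread or from the audit project. It assumes a Linux 4.1 or later kernel, where /proc/<pid>/status carries an "NSpid:" line listing the process's PID in each nested PID namespace (see proc(5)), and its main() assumes it is run as root so that unshare(CLONE_NEWPID) is permitted. The status text embedded in it is constructed, not captured from a real system.

```c
/* Added example, not code from the thread: map a host-side PID (what audit
 * reports) to the PID the same process sees in each nested PID namespace via
 * the "NSpid:" line of /proc/<pid>/status (Linux >= 4.1, proc(5)). */
#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWPID             /* in case _GNU_SOURCE was not seen first */
#define CLONE_NEWPID 0x20000000
int unshare(int flags);
#endif
#define MAX_NS_DEPTH 16

/* out[0] is the PID relative to the namespace that mounted this procfs (the
 * initial namespace for the host's own /proc, i.e. the value audit logs),
 * out[1..] the PID in each successively nested child namespace.  Returns the
 * count, 0 if there is no NSpid line (kernel < 4.1), -1 if malformed. */
int parse_nspid(const char *status_text, pid_t *out, int max)
{
    const char *p = strstr(status_text, "NSpid:");
    char *end;
    long v;
    int n = 0;
    if (!p || (p != status_text && p[-1] != '\n'))
        return 0;
    for (p += 6;; p = end) {
        while (*p == ' ' || *p == '\t')
            p++;
        if (*p == '\0' || *p == '\n')
            return n;
        v = strtol(p, &end, 10);
        if (end == p || v <= 0 || n == max)
            return -1;
        out[n++] = (pid_t)v;
    }
}

/* Constructed sample, not captured from a real host: PID 12345 on the host,
 * 42 in a child PID namespace and 1 (its init) in a grandchild namespace. */
static const char SAMPLE_STATUS[] =
    "Name:\tsleep\nTgid:\t12345\nPid:\t12345\n"
    "NSpid:\t12345\t42\t1\nNSpgid:\t12345\t42\t1\n";

/* idx-th NSpid entry of a status text, or -1 if absent or malformed. */
int nspid_entry(const char *status_text, int idx)
{
    pid_t ns[MAX_NS_DEPTH];
    int n = parse_nspid(status_text, ns, MAX_NS_DEPTH);
    return (idx >= 0 && idx < n) ? (int)ns[idx] : -1;
}

/* Read /proc/<pid>/status through the caller's own /proc; -1 if unreadable. */
int nspid_of(pid_t pid, pid_t *out, int max)
{
    char path[64], buf[8192];
    FILE *f;
    size_t n;
    snprintf(path, sizeof path, "/proc/%d/status", (int)pid);
    if (!(f = fopen(path, "r")))
        return -1;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_nspid(buf, out, max);
}

int main(void)
{
    pid_t ns[MAX_NS_DEPTH], child;
    int n, i;
    /* Children forked from now on start a new PID namespace; CLONE_NEWPID
     * requires CAP_SYS_ADMIN in the caller's user namespace (run as root). */
    if (unshare(CLONE_NEWPID) < 0) {
        perror("unshare(CLONE_NEWPID)");
        return 1;
    }
    child = fork();
    if (child < 0) {
        perror("fork");
        return 1;
    }
    if (child == 0) {
        /* PID 1 in the new namespace; it cannot learn its parent-side PID. */
        printf("child : getpid() in the new PID namespace = %d\n", (int)getpid());
        fflush(stdout);
        for (;;) pause();               /* stay until the parent kills us */
    }
    usleep(100000);                     /* let the child print first */
    n = nspid_of(child, ns, MAX_NS_DEPTH);
    printf("parent: host PID %d, NSpid =", (int)child);
    for (i = 0; i < n; i++)
        printf(" %d", (int)ns[i]);      /* expect "<host pid> 1" */
    printf("\n");
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    return n < 2;
}
```

Run as root, the child reports getpid() == 1 while the parent prints the host PID followed by 1, the two ends of the mapping; per Paul Moore's reply earlier in the thread, the first NSpid entry is the value an audit record would carry for that process when auditd runs in the initial namespace. Two caveats a practitioner should keep in mind: the leftmost entry is relative to the namespace that mounted that procfs, so it has to be read through the host's /proc rather than one mounted inside a container, and the mapping is only meaningful while the process is alive, since PIDs are reused. On a kernel without the NSpid line, parse_nspid() returns 0 and there is nothing to map from.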

* Re: PID's Mapping
  2016-04-29  2:37                 ` Richard Guy Briggs
@ 2016-04-29  5:22                   ` Deepika Sundar
  2016-04-29 14:03                     ` Richard Guy Briggs
  0 siblings, 1 reply; 15+ messages in thread
From: Deepika Sundar @ 2016-04-29  5:22 UTC (permalink / raw)
  To: Richard Guy Briggs, Paul Moore, linux-audit



Thank you for the valuable response, RGB.

The statement you made above is what I was looking for: "There
is a mapping from the PID in the initial PID namespace to its PID in a
child PID namespace".
In your context, is the initial PID namespace the one that gets
created on the "HOST"?
Please provide me details about how to enter the init PID namespace to get
the mappings of the child PID namespace.




-DEEPIKA

On Fri, Apr 29, 2016 at 8:07 AM, Richard Guy Briggs <rgb@redhat.com> wrote:

> On 16/04/28, Deepika Sundar wrote:
> > Thank you for the replies.
> >
> > As per My understanding Root as Admin it has the control over all the
> > namespaces.If this is correct,
>
> As per my previous email, not necessarily.
>
> > (i) Is that root should have access to all namespace relate info,
> >     for ex: PID's in the host is mapped to what PID's in the Namespace?
>
> The initial PID namespace knows about all the PIDs on the machine since
> the PID namespaces are hierarchical.  There is a mapping from the PID in
> the initial PID namespace to its PID in a child PID namespace.  A child
> PID namespace should never be able to find out what its PID is in a
> parent PID namespace.
>
> >   if not ,
> >
> > (ii) Init should have only access to his own process and should not have
> > access to other namespace.
>
> See above.
>
> > Is this design limitation (or) Is it designed for better security ?
>
> Both.
>
> > On Wed, Apr 27, 2016 at 4:49 PM, Deepika Sundar <
> sundar.deepika18@gmail.com> wrote:
> > > As per rule root(admin) is the one who is monitoring the system's
> > > information .so,there must exist some namespace information in proc
> field
> > > for the namespace related PID in global.Is this the way I'm
> approaching to
> > > the namespace related stuffs is correct?
> > >
> > > -Deepika
> > >
> > > On Mon, Apr 25, 2016 at 12:24 PM, Deepika Sundar <
> > > sundar.deepika18@gmail.com> wrote:
> > >
> > >> Yeah.
> > >> When the PID's which are in the namespace application has different
> PID
> > >> compared to Global PID.There would be some means to  map the PID's in
> the
> > >> kernel level.Can anyone suggest How it can be mapped?
> > >>
> > >> On Wed, Apr 20, 2016 at 6:03 PM, Steve Grubb <sgrubb@redhat.com>
> wrote:
> > >>
> > >>> On Wednesday, April 20, 2016 10:06:38 AM Deepika Sundar wrote:
> > >>> > Is there any way that can be suggested as to map PID's of
> namespace in
> > >>> > global?
> > >>>
> > >>> This is on the TODO list. We have been kicking around several ideas
> but
> > >>> have
> > >>> not come to a conclusion about what exactly needs to be done. The
> upshot
> > >>> of
> > >>> this is that basically containers have no support.
> > >>>
> > >>> -Steve
> > >>>
> > >>>
> > >>> > On Mon, Apr 18, 2016 at 8:47 PM, Paul Moore <paul@paul-moore.com>
> > >>> wrote:
> > >>> > > Please ask your question on the mailing list so that everyone can
> > >>> benefit.
> > >>> > >
> > >>> > > On Mon, Apr 18, 2016 at 1:34 AM, Deepika Sundar
> > >>> > >
> > >>> > > <sundar.deepika18@gmail.com> wrote:
> > >>> > > > How it can be achieved ,Can I get any idea on this?
> > >>> > > >
> > >>> > > > On Fri, Apr 15, 2016 at 4:12 AM, Paul Moore <
> paul@paul-moore.com>
> > >>> wrote:
> > >>> > > >> On Wed, Apr 13, 2016 at 1:43 AM, sowndarya kumar
> > >>> > > >>
> > >>> > > >> <sowndarya.nadar@gmail.com> wrote:
> > >>> > > >> > Hi
> > >>> > > >> >
> > >>> > > >> > Is there any way to map the PID's seen in the namespace
> > >>> application
> > >>> > >
> > >>> > > with
> > >>> > >
> > >>> > > >> > the
> > >>> > > >> > PID's seen in global?
> > >>> > > >> > If it can be done please provide the documentation or idea
> on
> > >>> how it
> > >>> > >
> > >>> > > can
> > >>> > >
> > >>> > > >> > be
> > >>> > > >> > done.
> > >>> > > >>
> > >>> > > >> In general the audit subsystem doesn't pay attention to
> > >>> namespaces,
> > >>> > > >> all PIDs reported to userspace are reported with respect to
> the
> > >>> init
> > >>> > > >> namespace.
> > >>> > > >>
> > >>> > > >> --
> > >>> > > >> paul moore
> > >>> > > >> www.paul-moore.com
> > >>> > > >>
> > >>> > > >> --
> > >>> > > >> Linux-audit mailing list
> > >>> > > >> Linux-audit@redhat.com
> > >>> > > >> https://www.redhat.com/mailman/listinfo/linux-audit
> > >>> > >
> > >>> > > --
> > >>> > > paul moore
> > >>> > > www.paul-moore.com
> > >>>
> > >>>
> > >>
> > >
>
> - RGB
>
> --
> Richard Guy Briggs <rgb@redhat.com>
> Kernel Security Engineering, Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635
>


* Re: PID's Mapping
  2016-04-29  5:22                   ` Deepika Sundar
@ 2016-04-29 14:03                     ` Richard Guy Briggs
  2016-04-29 14:06                       ` Deepika Sundar
  0 siblings, 1 reply; 15+ messages in thread
From: Richard Guy Briggs @ 2016-04-29 14:03 UTC (permalink / raw)
  To: Deepika Sundar; +Cc: linux-audit

On 16/04/29, Deepika Sundar wrote:
> Thank you for the valuable response, RGB.
> 
> What you mentioned in the above statement is what I was looking for: "There
> is a mapping from the PID in the initial PID namespace to its PID in a
> child PID namespace".
> As per your context, is the initial PID namespace the one which gets
> created on the "HOST"?

If I understand your question, the first namespace of any type that is
created is the initial namespace.  This set of 6 different namespace
types is the default set created on a newly booted kernel.

> Please provide me details about how to enter the init PID namespace to get
> the mappings of the child PID namespace.

Generally, the init process (yes, the term "init" is a bit overloaded
here...) with PID 1 in the initial PID namespace is the starting point
for creating all other processes.  (Some distributions have switched over
from using "init" to using "systemd" in this role.)  If you are already
that process or you are a process that is a child of that process and
still in all the initial namespaces, you are already there.  If you are
a process that is in a child PID namespace, you can't see any parent or
peer namespaces.  This is intentional.

> -DEEPIKA
> 
> On Fri, Apr 29, 2016 at 8:07 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> 
> > On 16/04/28, Deepika Sundar wrote:
> > > Thank you for the replies.
> > >
> > > As per my understanding, root as admin has control over all the
> > > namespaces. If this is correct,
> >
> > As per my previous email, not necessarily.
> >
> > > (i) Is it that root should have access to all namespace-related info,
> > >     for ex: PIDs in the host are mapped to what PIDs in the namespace?
> >
> > The initial PID namespace knows about all the PIDs on the machine since
> > the PID namespaces are hierarchical.  There is a mapping from the PID in
> > the initial PID namespace to its PID in a child PID namespace.  A child
> > PID namespace should never be able to find out what its PID is in a
> > parent PID namespace.
> >
> > >   if not,
> > >
> > > (ii) Init should only have access to its own process and should not have
> > > access to other namespaces.
> >
> > See above.
> >
> > > Is this a design limitation (or) is it designed for better security?
> >
> > Both.
> >
> > - RGB
> >
> > --
> > Richard Guy Briggs <rgb@redhat.com>
> > Kernel Security Engineering, Base Operating Systems, Red Hat
> > Remote, Ottawa, Canada
> > Voice: +1.647.777.2635, Internal: (81) 32635
> >

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635


* Re: PID's Mapping
  2016-04-29 14:03                     ` Richard Guy Briggs
@ 2016-04-29 14:06                       ` Deepika Sundar
  2016-04-29 15:21                         ` Richard Guy Briggs
  0 siblings, 1 reply; 15+ messages in thread
From: Deepika Sundar @ 2016-04-29 14:06 UTC (permalink / raw)
  To: Richard Guy Briggs; +Cc: linux-audit


Thank you
From the init PID namespace, how can we access the child PID namespace's PIDs?
On 29-Apr-2016 7:33 pm, "Richard Guy Briggs" <rgb@redhat.com> wrote:

> On 16/04/29, Deepika Sundar wrote:
> > Thank you for the valuable response, RGB.
> >
> > What you mentioned in the above statement is what I was looking for: "There
> > is a mapping from the PID in the initial PID namespace to its PID in a
> > child PID namespace".
> > As per your context, is the initial PID namespace the one which gets
> > created on the "HOST"?
>
> If I understand your question, the first namespace of any type that is
> created is the initial namespace.  This set of 6 different namespace
> types is the default set created on a newly booted kernel.
>
> > Please provide me details about how to enter the init PID namespace to
> > get the mappings of the child PID namespace.
>
> Generally, the init process (yes, the term "init" is a bit overloaded
> here...) with PID 1 in the initial PID namespace is the starting point
> for creating all other processes.  (Some distributions have switched over
> from using "init" to using "systemd" in this role.)  If you are already
> that process or you are a process that is a child of that process and
> still in all the initial namespaces, you are already there.  If you are
> a process that is in a child PID namespace, you can't see any parent or
> peer namespaces.  This is intentional.
>
> > -DEEPIKA
>
> - RGB
>
> --
> Richard Guy Briggs <rgb@redhat.com>
> Kernel Security Engineering, Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635
>


* Re: PID's Mapping
  2016-04-29 14:06                       ` Deepika Sundar
@ 2016-04-29 15:21                         ` Richard Guy Briggs
  0 siblings, 0 replies; 15+ messages in thread
From: Richard Guy Briggs @ 2016-04-29 15:21 UTC (permalink / raw)
  To: Deepika Sundar; +Cc: linux-audit

On 16/04/29, Deepika Sundar wrote:
> Thank you
> From the init PID namespace, how can we access the child PID namespace's PIDs?

There are a number of helper functions and macros referenced in
include/linux/sched.h starting with task_pid() and following and in
kernel/pid.c and include/linux/pid.h.  Some are with respect to initial
namespaces, some with respect to the current namespace and others work
with a namespace pointer.

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
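
The mapping described in the two replies above (the initial PID namespace knows every PID and its PID in each child namespace, while a child cannot look upward) is also readable from userspace without touching the kernel helpers: since Linux 4.1, /proc/<pid>/status carries an "NSpid:" line listing the task's PID in every PID namespace from the reader's namespace down to the task's own. The program below is an added example, not code from this thread or from the audit project. SAMPLE_STATUS is a constructed status excerpt used to exercise the parser; the /proc walk in main() assumes a standard procfs mount, is run from the initial PID namespace, and needs root (CAP_SYS_PTRACE) to read the ns/pid links of other users' processes.

```c
/*
 * Added example (not from the thread): map host PIDs to the PIDs that
 * processes see inside their own PID namespace, read from the initial
 * PID namespace via the NSpid line of /proc/<pid>/status (Linux >= 4.1).
 * From the initial namespace the first NSpid value is the global PID and
 * the last is the PID the process sees for itself.  The reverse lookup
 * (a child namespace learning its parent-side PID) is not exposed.
 */
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAX_NS_DEPTH 32

/* Constructed sample: a process two PID namespaces deep.  Host PID 4242,
 * PID 17 in the middle namespace, PID 1 (that namespace's init) innermost. */
static const char SAMPLE_STATUS[] =
    "Name:\tsleep\n"
    "Pid:\t4242\n"
    "NSpid:\t4242\t17\t1\n"
    "NSpgid:\t4242\t17\t1\n";

/* Parse the NSpid line out of a status buffer.  Fills out[] with one PID
 * per namespace level, outermost first, and returns the number of levels.
 * Returns 0 when there is no NSpid line (pre-4.1 kernel). */
int parse_nspid(const char *status, long *out, int max)
{
    const char *line = status;
    while (line && *line) {
        const char *eol = strchr(line, '\n');
        const char *end = eol ? eol : line + strlen(line);
        if (end - line >= 6 && strncmp(line, "NSpid:", 6) == 0) {
            int n = 0;
            const char *p = line + 6;
            while (n < max && p < end) {
                while (p < end && (*p == ' ' || *p == '\t'))
                    p++;               /* stay inside this line only */
                if (p >= end || !isdigit((unsigned char)*p))
                    break;
                char *num_end;
                out[n++] = strtol(p, &num_end, 10);
                p = num_end;
            }
            return n;
        }
        line = eol ? eol + 1 : NULL;
    }
    return 0;
}

/* Number of PID namespace levels the task is visible at (0 if unknown). */
int nspid_depth(const char *status)
{
    long pids[MAX_NS_DEPTH];
    return parse_nspid(status, pids, MAX_NS_DEPTH);
}

/* PID at a given level (0 = reader's namespace), or -1 if out of range. */
long nspid_at(const char *status, int level)
{
    long pids[MAX_NS_DEPTH];
    int n = parse_nspid(status, pids, MAX_NS_DEPTH);
    return (level >= 0 && level < n) ? pids[level] : -1;
}

static int read_file(const char *path, char *buf, size_t cap)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (int)n;
}

/* Walk /proc and print every process living in a child PID namespace:
 * host PID, the namespace it belongs to, and its PID at each level. */
int main(void)
{
    DIR *d = opendir("/proc");
    if (!d) {
        perror("opendir /proc");
        return 1;
    }
    struct dirent *de;
    char path[64], buf[8192], nslink[64];
    long pids[MAX_NS_DEPTH];

    printf("%-8s %-20s %s\n", "host", "pid-namespace", "pid at each level");
    while ((de = readdir(d)) != NULL) {
        if (!isdigit((unsigned char)de->d_name[0]))
            continue;                  /* skip self, thread-self, ... */
        snprintf(path, sizeof path, "/proc/%s/status", de->d_name);
        if (read_file(path, buf, sizeof buf) < 0)
            continue;                  /* process exited meanwhile */
        int n = parse_nspid(buf, pids, MAX_NS_DEPTH);
        if (n < 2)
            continue;                  /* initial namespace only, or no NSpid */
        snprintf(path, sizeof path, "/proc/%s/ns/pid", de->d_name);
        ssize_t len = readlink(path, nslink, sizeof nslink - 1);
        if (len < 0) {                 /* EACCES without CAP_SYS_PTRACE */
            strcpy(nslink, "?");
            len = 1;
        }
        nslink[len] = '\0';
        printf("%-8ld %-20s", pids[0], nslink);
        for (int i = 1; i < n; i++)
            printf(" %ld", pids[i]);
        printf("\n");
    }
    closedir(d);
    return 0;
}
```

The ns/pid link (pid:[inode]) groups processes by namespace, so one run shows, per container or unshare(CLONE_NEWPID) tree, which host PID is that namespace's PID 1. The same mapping is what an audit consumer in the initial namespace would need to correlate the global PIDs in audit records with what a containerised application logs about itself.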



Thread overview: 15+ messages
2016-04-13  5:43 PID's Mapping sowndarya kumar
2016-04-14 22:42 ` Paul Moore
2016-04-18  5:36   ` Krithika Nadar
     [not found]   ` <CAHj_pNdyAnUYPgBhRHNRGE8y9YSEowqMRFSNBF8CAfxfd3bt6w@mail.gmail.com>
     [not found]     ` <CAHC9VhR=S5DP-DUMxizNLr4RwP8XD6-EPStCQU5sQbQVXg_Qjw@mail.gmail.com>
2016-04-20  4:36       ` Deepika Sundar
2016-04-20 12:33         ` Steve Grubb
     [not found]           ` <CAHj_pNdAoTjNw_R3oxWGaEH+xBmkY8SDJK710V3HY9Om4EYfgQ@mail.gmail.com>
2016-04-25  6:53             ` Fwd: " Deepika Sundar
2016-04-25  6:54           ` Deepika Sundar
2016-04-27 11:19             ` Deepika Sundar
2016-04-28  5:42               ` Deepika Sundar
2016-04-29  2:37                 ` Richard Guy Briggs
2016-04-29  5:22                   ` Deepika Sundar
2016-04-29 14:03                     ` Richard Guy Briggs
2016-04-29 14:06                       ` Deepika Sundar
2016-04-29 15:21                         ` Richard Guy Briggs
2016-04-29  2:33               ` Richard Guy Briggs
