From: Casey Schaufler
Subject: Re: RFC(v2): Audit Kernel Container IDs
Date: Tue, 17 Oct 2017 09:10:43 -0700
Message-ID: <23dbaf2e-e02d-d4a1-d409-5c860f254bbc__38342.4157895663$1508257267$gmane$org@schaufler-ca.com>
References: <20171012141359.saqdtnodwmbz33b2@madcap2.tricolour.ca>
 <75b7d6a6-42ba-2dff-1836-1091c7c024e7@schaufler-ca.com>
 <20171017003340.whjdkqmkw4lydwy7@madcap2.tricolour.ca>
 <2319693.5l3M4ZINGd@x2>
 <1508243469.6230.24.camel@redhat.com>
 <1508254120.6230.34.camel@redhat.com>
In-Reply-To: <1508254120.6230.34.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
To: Simo Sorce, Steve Grubb, linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org
Cc: mszeredi-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
 trondmy-7I+n7zu2hftEKMMhf/gKZA@public.gmane.org,
 jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
 Linux API, Linux Containers, Linux Kernel, David Howells,
 Carlos O'Donell, cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
 "Eric W. Biederman", Andy Lutomirski, Linux Network Development,
 Linux FS Devel, Eric Paris, Al Viro
List-Id: containers.vger.kernel.org

On 10/17/2017 8:28 AM, Simo Sorce wrote:
> On Tue, 2017-10-17 at 07:59 -0700, Casey Schaufler wrote:
>> On 10/17/2017 5:31 AM, Simo Sorce wrote:
>>> On Mon, 2017-10-16 at 21:42 -0400, Steve Grubb wrote:
>>>> On Monday, October 16, 2017 8:33:40 PM EDT Richard Guy Briggs wrote:
>>>>> There is such a thing, but the kernel doesn't know about it yet.
>>>>> This same situation exists for loginuid and sessionid which are
>>>>> userspace concepts that the kernel tracks for the convenience of
>>>>> userspace. As for its name, I'm not particularly picky, so if you
>>>>> don't like CAP_CONTAINER_* then I'm fine with CAP_AUDIT_CONTAINERID.
>>>>> It really needs to be distinct from CAP_AUDIT_WRITE and
>>>>> CAP_AUDIT_CONTROL since we don't want to give the ability to set a
>>>>> containerID to any process that is able to do audit logging (such as
>>>>> vsftpd) and similarly we don't want to give the orchestrator the
>>>>> ability to control the setup of the audit daemon.
>>>> A long time ago, we were debating what should guard against rogue
>>>> processes from setting the loginuid. Casey argued that the ability to
>>>> set the loginuid means they have the ability to control the audit
>>>> trail. That means that it should be guarded by CAP_AUDIT_CONTROL. I
>>>> think the same logic applies today.
>>> The difference is that with loginuid you needed to give processes able
>>> to audit also the ability to change it. You do not want to tie the
>>> ability to change container ids to the ability to audit. You want to be
>>> able to do audit stuff (within the container) without allowing it to
>>> change the container id.
>> Without a *kernel* policy on containerIDs you can't say what
>> security policy is being exempted.
> The policy has been basically stated earlier.

No. The expected user space behavior has been stated.

> A way to track a set of processes from a specific point in time
> forward. The name used is "container id", but it could be anything.

Then you want Jose Bollo's PTAGS. It's insane to add yet another
arbitrary ID to the task for a special purpose. Add a general tagging
mechanism instead. We could add a gazillion new id's, each with its
own capability if we head down this road.

> This marker is mostly used by user space to track process hierarchies
> without races, these processes can be very privileged, and must not be
> allowed to change the marker themselves when granted the current common
> capabilities.

Let's be clear. What happens in user space stays in user space.
The kernel does not give a fig about user space policy. There has
to be a kernel policy involved that a capability can exempt.

> Is this a good enough description ? If not can you clarify your
> expectations ?

The kernel enforces kernel policy. Capabilities provide a mechanism
to mark a process as exempt from some aspect of kernel policy. If
you don't have a kernel policy, you don't get a capability. Clear?

>
>> Without that you can't say what capability is (or isn't)
>> appropriate.
> See if the above is sufficient please.
>
>> You need a reason to have a capability check that makes sense in the
>> context of the kernel security policy.
> I think the proposal had a reason, we may debate on whether that reason
> is good enough.
>
>> Since we don't know what a container is in the kernel,
> Please do not fixate on the word container.
>
>> that's pretty hard. We don't create "fuzzy" capabilities
>> based on the trendy application behavior of the moment. If the
>> behavior is not related to audit, there's no reason for it, and
>> if it is, CAP_AUDIT_CONTROL works just fine. If this doesn't work
>> in your application security model I suggest that is where you
>> need to make changes.
> The authors of the proposal came to the conclusion that kernel
> assistance is needed. It would be nice to discuss the merits of it.
> If you do not understand why the request has been made it would be more
> useful to ask specific questions to understand what and why is the ask.

I understand pretty darn well.

> Pushing back is fine, if you have understood the problem and have valid
> arguments against a kernel level solution (and possibly suggestions for
> a working user space solution), otherwise you are not adding value to
> the discussion.

The presumption is that the request is reasonable. Adding a capability
in support of an undefined behavior is unreasonable. Based on the discussion,
CAP_AUDIT_CONTROL is completely rational. I understand that it would be
difficult to support your application privilege model. I would like to look
into helping out with that, but have too many burning knives in the air
just now.

>
> Simo.
>