From: Richard Guy Briggs <rgb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
To: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org, linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org
Cc: pmoore-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org, eparis-FjpueFixGhCM4zKIHC2jIg@public.gmane.org, sgrubb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org, zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org, ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org
Subject: [PATCH V6 00/10] namespaces: log namespaces per task
Date: Fri, 17 Apr 2015 03:35:47 -0400
Message-ID: <cover.1429252659.git.rgb@redhat.com>

The purpose is to track namespace instances in use by logged processes from
the perspective of init_*_ns by logging the namespace IDs (device ID and
namespace inode - offset).

1/10 exposes proc's ns entries structure which lists a number of useful
operations per namespace type for other subsystems to use.

2/10 proc_ns: define PROC_*_INIT_INO in terms of PROC_DYNAMIC_FIRST

3/10 provides an example of usage for audit_log_task_info() which is used by
syscall audits, among others. audit_log_task() and
audit_common_recv_message() would be other potential use cases.

Proposed output format:
This differs slightly from Aristeu's patch because of the label conflict with
"pid=" due to including it in existing records rather than it being a separate
record. It has now returned to being a separate record. The proc device
major/minor are listed in hexadecimal and namespace IDs are the proc inode
minus the base offset.

	type=NS_INFO msg=audit(1408577535.306:82): dev=00:03 netns=3 utsns=-3 ipcns=-4 pidns=-1 userns=-2 mntns=0

4/10 change audit startup from __initcall to subsys_initcall to get it started
earlier to be able to receive initial namespace log messages.

5/10 tracks the creation and deletion of namespaces, listing the type of
namespace instance, proc device ID, related namespace id if there is one and
the newly minted namespace ID.

Proposed output format for initial namespace creation:

	type=AUDIT_NS_INIT_UTS msg=audit(1408577534.868:5): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel dev=00:03 old_utsns=(none) utsns=-3 res=1
	type=AUDIT_NS_INIT_USER msg=audit(1408577534.868:6): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel dev=00:03 old_userns=(none) userns=-2 res=1
	type=AUDIT_NS_INIT_PID msg=audit(1408577534.868:7): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel dev=00:03 old_pidns=(none) pidns=-1 res=1
	type=AUDIT_NS_INIT_MNT msg=audit(1408577534.868:8): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel dev=00:03 old_mntns=(none) mntns=0 res=1
	type=AUDIT_NS_INIT_IPC msg=audit(1408577534.868:9): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel dev=00:03 old_ipcns=(none) ipcns=-4 res=1
	type=AUDIT_NS_INIT_NET msg=audit(1408577533.500:10): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel dev=00:03 old_netns=(none) netns=2 res=1

And a CLONE action would result in:

	type=type=AUDIT_NS_INIT_NET msg=audit(1408577535.306:81): pid=481 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 dev=00:03 old_netns=2 netns=3 res=1

While deleting a namespace would result in:

	type=type=AUDIT_NS_DEL_MNT msg=audit(1408577552.221:85): pid=481 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 dev=00:03 mntns=4 res=1

6/10 accepts a PID from userspace and requests logging an AUDIT_NS_INFO record
type (CAP_AUDIT_CONTROL required).

7/10 is a macro for CLONE_NEW_* flags.

8/10 adds auditing on creation of namespace(s) in fork.

9/10 adds auditing a change of namespace on setns.

10/10 attaches an AUDIT_NS_INFO record to AUDIT_VIRT_CONTROL records
(CAP_AUDIT_WRITE required).

v5 -> v6:
	Switch to using namespace ID based on namespace proc inode minus base offset
	Added proc device ID to qualify proc inode reference
	Eliminate exposed /proc interface

v4 -> v5:
	Clean up prototypes for dependencies on CONFIG_NAMESPACES.
	Add AUDIT_NS_INFO record type to AUDIT_VIRT_CONTROL record.
	Log AUDIT_NS_INFO with PID.
	Move /proc/<pid>/ns_* patches to end of patchset to deprecate them.
	Log on changing ns (setns).
	Log on creating new namespaces when forking.
	Added a macro for CLONE_NEW*.

v3 -> v4:
	Separate out the NS_INFO message from the SYSCALL message.
	Moved audit_log_namespace_info() out of audit_log_task_info().
	Use a separate message type per namespace type for each of INIT/DEL.
	Make ns= easier to search across NS_INFO and NS_INIT/DEL_XXX msg types.
	Add /proc/<pid>/ns/ documentation.
	Fix dynamic initial ns logging.

v2 -> v3:
	Use atomic64_t in ns_serial to simplify it.
	Avoid function duplication in proc, keying on dentry.
	Squash down audit patch to avoid rcu sleep issues.
	Add tracking for creation and deletion of namespace instances.

v1 -> v2:
	Avoid rollover by switching from an int to a long long.
	Change rollover behaviour from simply avoiding zero to raising a BUG.
	Expose serial numbers in /proc/<pid>/ns/*_snum.
	Expose ns_entries and use it in audit.

Notes:
As for CAP_AUDIT_READ, a patchset has been accepted upstream to check
capabilities of userspace processes that try to join netlink broadcast groups.

This set does not try to solve the non-init namespace audit messages and
auditd problem yet. That will come later, likely with additional auditd
instances running in another namespace with a limited ability to influence the
master auditd. I echo Eric B's idea that messages destined for different
namespaces would have to be tailored for that namespace with references that
make sense (such as the right pid number reported to that pid namespace, and
not leaking info about parents or peers).

Questions:
Is there a way to link serial numbers of namespaces involved in migration of a
container to another kernel? It sounds like what is needed is a part of a
management application that is able to pull the audit records from constituent
hosts to build an audit trail of a container.

What additional events should list this information?

Does this present any problematic information leaks? Only CAP_AUDIT_CONTROL
(and now CAP_AUDIT_READ) in init_user_ns can get to this information in the
init namespace at the moment from audit.

Richard Guy Briggs (10):
  namespaces: expose ns_entries
  proc_ns: define PROC_*_INIT_INO in terms of PROC_DYNAMIC_FIRST
  audit: log namespace ID numbers
  audit: initialize at subsystem time rather than device time
  audit: log creation and deletion of namespace instances
  audit: dump namespace IDs for pid on receipt of AUDIT_NS_INFO
  sched: add a macro to ref all CLONE_NEW* flags
  fork: audit on creation of new namespace(s)
  audit: log on switching namespace (setns)
  audit: emit AUDIT_NS_INFO record with AUDIT_VIRT_CONTROL record

 fs/namespace.c                   |  13 +++
 fs/proc/generic.c                |   3 +-
 fs/proc/namespaces.c             |   2 +-
 include/linux/audit.h            |  20 +++++
 include/linux/proc_ns.h          |  10 ++-
 include/uapi/linux/audit.h       |  21 +++++
 include/uapi/linux/sched.h       |   6 ++
 ipc/namespace.c                  |  12 +++
 kernel/audit.c                   | 169 +++++++++++++++++++++++++++++++++++++-
 kernel/auditsc.c                 |   2 +
 kernel/fork.c                    |   3 +
 kernel/nsproxy.c                 |   4 +
 kernel/pid_namespace.c           |  13 +++
 kernel/user_namespace.c          |  13 +++
 kernel/utsname.c                 |  12 +++
 net/core/net_namespace.c         |  12 +++
 security/integrity/ima/ima_api.c |   2 +
 17 files changed, 309 insertions(+), 8 deletions(-)
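
Added example, not part of the original message or the patch set: a Python replay of the proposed record formats, of the kind a log consumer could use to rebuild a namespace audit trail. It keys each namespace on (dev, type, ID), links a cloned namespace to its parent through old_*ns, and reports records that reference a namespace with no creation record; the function names and the ordering by audit serial number are assumptions of this example.

```python
import re

# Sample records copied from the proposed output formats in the cover letter.
SAMPLE = """\
type=AUDIT_NS_INIT_UTS msg=audit(1408577534.868:5): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel dev=00:03 old_utsns=(none) utsns=-3 res=1
type=AUDIT_NS_INIT_USER msg=audit(1408577534.868:6): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel dev=00:03 old_userns=(none) userns=-2 res=1
type=AUDIT_NS_INIT_PID msg=audit(1408577534.868:7): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel dev=00:03 old_pidns=(none) pidns=-1 res=1
type=AUDIT_NS_INIT_MNT msg=audit(1408577534.868:8): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel dev=00:03 old_mntns=(none) mntns=0 res=1
type=AUDIT_NS_INIT_IPC msg=audit(1408577534.868:9): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel dev=00:03 old_ipcns=(none) ipcns=-4 res=1
type=AUDIT_NS_INIT_NET msg=audit(1408577533.500:10): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel dev=00:03 old_netns=(none) netns=2 res=1
type=type=AUDIT_NS_INIT_NET msg=audit(1408577535.306:81): pid=481 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 dev=00:03 old_netns=2 netns=3 res=1
type=NS_INFO msg=audit(1408577535.306:82): dev=00:03 netns=3 utsns=-3 ipcns=-4 pidns=-1 userns=-2 mntns=0
type=type=AUDIT_NS_DEL_MNT msg=audit(1408577552.221:85): pid=481 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 dev=00:03 mntns=4 res=1
"""

HEAD = re.compile(r"^(?:type=)+(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
NS_EVENT = re.compile(r"(?:AUDIT_)?NS_(INIT|DEL)_([A-Z]+)$")
KINDS = ("net", "uts", "ipc", "pid", "user", "mnt")


def parse_record(line):
    """Return type, timestamp, serial and key=value fields, or None if malformed."""
    m = HEAD.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    return {"type": rtype, "ts": float(ts), "serial": int(serial), "fields": fields}


def build_trail(text):
    """Replay records into {(dev, kind, id): info} plus a list of anomalies."""
    records = [r for r in map(parse_record, text.splitlines()) if r]
    records.sort(key=lambda r: r["serial"])  # assumption: serial gives event order
    table, anomalies = {}, []
    for rec in records:
        f, serial = rec["fields"], rec["serial"]
        dev = f.get("dev")  # the proc device qualifies every namespace ID
        event = NS_EVENT.match(rec["type"])
        if event:
            action, kind = event.group(1), event.group(2).lower()
            if kind + "ns" not in f:
                continue
            key = (dev, kind, int(f[kind + "ns"]))  # IDs are signed offsets
            if action == "INIT":
                old = f.get("old_" + kind + "ns", "(none)")
                parent = None if old == "(none)" else (dev, kind, int(old))
                if parent and parent not in table:
                    anomalies.append((serial, "unknown parent", parent))
                table[key] = {"parent": parent, "pid": int(f.get("pid", -1)),
                              "created": serial, "deleted": None}
            elif key in table:
                table[key]["deleted"] = serial
            else:
                anomalies.append((serial, "delete of unseen namespace", key))
        elif rec["type"] in ("NS_INFO", "AUDIT_NS_INFO"):
            for kind in KINDS:
                if kind + "ns" not in f:
                    continue
                key = (dev, kind, int(f[kind + "ns"]))
                if key not in table or table[key]["deleted"] is not None:
                    anomalies.append((serial, "task in untracked namespace", key))
    return table, anomalies


if __name__ == "__main__":
    table, anomalies = build_trail(SAMPLE)
    print(len(table), "namespaces tracked; anomalies:", anomalies)
```

On these records the only anomaly is the AUDIT_NS_DEL_MNT for mntns=4, whose creation record is not among the quoted lines.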