From: Paul Moore
Subject: Re: [RFC PATCH ghak32 V2 13/13] debug audit: read container ID of a process
Date: Tue, 22 May 2018 14:59:38 -0400
References: <1081821010c124fe4e35984ec3dac1654453bb7c.1521179281.git.rgb@redhat.com>
 <3001737.MkQ41rgtZF@x2>
 <87muwshl4z.fsf@xmission.com>
 <20180522173541.slcdszumi7q6c4id@madcap2.tricolour.ca>
In-Reply-To: <20180522173541.slcdszumi7q6c4id-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
To: Richard Guy Briggs
Cc: cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
 luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org,
 jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
 carlos-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
 linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
 containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
 LKML,
 dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
 linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
 "Eric W. Biederman",
 simo-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
 netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
 linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
 Eric Paris,
 Steve Grubb,
 viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org
List-Id: linux-api@vger.kernel.org

On Tue, May 22, 2018 at 1:35 PM, Richard Guy Briggs wrote:
> On 2018-05-21 16:06, Paul Moore wrote:
>> On Mon, May 21, 2018 at 3:19 PM, Eric W. Biederman wrote:
>> > Steve Grubb writes:
>> >> On Friday, March 16, 2018 5:00:40 AM EDT Richard Guy Briggs wrote:
>> >>> Add support for reading the container ID from the proc filesystem.
>> >>
>> >> I think this could be useful in general. Please consider this to be part of
>> >> the full patch set and not something merely used to debug the patches.
>> >
>> > Only with an audit specific name.
>> >
>> > As it is:
>> >
>> > Nacked-by: "Eric W. Biederman"
>> >
>> > The truth is the containerid name really stinks and is quite confusing
>> > and does not imply that the label applies only to audit. And little
>> > things like this make me extremely uncomfortable with it.
>>
>> It also makes the audit container ID (notice how I *always* call it
>> the *audit* container ID? that is not an accident) available for
>> userspace applications to abuse. Perhaps in the future we can look at
>> ways to make this more available to applications, but this patch is
>> not the answer.
>
> Do you have a productive suggestion?

I haven't given it much thought beyond our discussions and until we get
the basic audit container ID support in place (all the other parts of
this patchset) I doubt I'll be giving it much thought.

-- 
paul moore
www.paul-moore.com