Message-ID: <1508263063.3129.35.camel@HansenPartnership.com>
Subject: Re: RFC(v2): Audit Kernel Container IDs
From: James Bottomley
To: Steve Grubb, Casey Schaufler
Cc: mszeredi@redhat.com, David Howells, Andy Lutomirski, jlayton@redhat.com, Carlos O'Donell, Linux API, Linux Containers, Linux Kernel, Eric Paris, linux-audit@redhat.com, "Eric W. Biederman", Simo Sorce, cgroups@vger.kernel.org, Linux FS Devel, trondmy@primarydata.com, Linux Network Development, Al Viro
Date: Tue, 17 Oct 2017 10:57:43 -0700
In-Reply-To: <1982291.vr6V9CPzqu@x2>
References: <20171012141359.saqdtnodwmbz33b2@madcap2.tricolour.ca> <1508255091.3129.27.camel@HansenPartnership.com> <1982291.vr6V9CPzqu@x2>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org

On Tue, 2017-10-17 at 13:15 -0400, Steve Grubb wrote:
> On Tuesday, October 17, 2017 12:43:18 PM EDT Casey Schaufler wrote:
> > > The idea is that processes spawned into a container would be
> > > labelled by the container orchestration system.  It's unclear
> > > what should happen to processes using nsenter after the fact, but
> > > policy for that should be up to the orchestration system.
> >
> > I'm fine with that. The user space policy can be anything y'all
> > like.
>
> I think there should be a login event.

I thought you wanted this for containers?  Container creation doesn't
have login events.  In an unprivileged orchestration system it may be
hard to synthetically manufacture them.

James