linux-fsdevel.vger.kernel.org archive mirror
From: Paul Moore <paul@paul-moore.com>
To: Simo Sorce <simo@redhat.com>
Cc: Steve Grubb <sgrubb@redhat.com>,
	linux-audit@redhat.com, mszeredi@redhat.com,
	cgroups@vger.kernel.org, jlayton@redhat.com,
	Richard Guy Briggs <rgb@redhat.com>,
	Linux API <linux-api@vger.kernel.org>,
	Containers <containers@lists.linux-foundation.org>,
	Linux FS Devel <linux-fsdevel@vger.kernel.org>,
	Linux Kernel <linux-kernel@vger.kernel.org>,
	Howells <dhowells@redhat.com>,
	"Carlos O'Donell" <carlos@redhat.com>,
	Linux Network Development <netdev@vger.kernel.org>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	Lutomirski <luto@kernel.org>, Eric Paris <eparis@parisplace.org>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	trondmy@primarydata.com, Al Viro <viro@zeniv.linux.org.uk>
Subject: Re: RFC(v2): Audit Kernel Container IDs
Date: Wed, 18 Oct 2017 15:58:13 -0400	[thread overview]
Message-ID: <CAHC9VhTBd1pNqavFpQqDHwhW=j7AX8gDL0H_c_VBD07SMMLZmQ@mail.gmail.com> (raw)
In-Reply-To: <1508243469.6230.24.camel@redhat.com>

On Tue, Oct 17, 2017 at 8:31 AM, Simo Sorce <simo@redhat.com> wrote:
> The container Id can be used also for authorization purposes (by other
> processes on the host), not just audit, I think this is why a separate
> control has been proposed.

Apologies, but I'm just now getting a chance to work my way through
this thread, and I wanted to make a quick comment on this point ...

The audit container ID (note I said "audit container ID" not
"container ID") is intended strictly for use by the audit subsystem at
this point.  Allowing other uses opens the door to a larger set of
problems we are trying to avoid (e.g. handling migration across
hosts).  We would love to have a generic kernel facility that the
audit subsystem could use to identify containers, but we don't, and
previous attempts have failed, so we have to create our own.  We are
intentionally trying to limit its scope in an attempt to limit
problems.  If a more general solution appears in the future I think we
would make every effort to migrate to that; keeping this initial
effort small should make that easier.

-- 
paul moore
www.paul-moore.com


Thread overview: 37+ messages
2017-10-12 14:14 RFC(v2): Audit Kernel Container IDs Richard Guy Briggs
2017-10-12 15:45 ` Steve Grubb
2017-10-19 19:57   ` Richard Guy Briggs
2017-10-19 23:11     ` Aleksa Sarai
2017-10-19 23:15       ` Aleksa Sarai
2017-10-20  2:25       ` Steve Grubb
2017-10-12 16:33 ` Casey Schaufler
2017-10-17  0:33   ` Richard Guy Briggs
2017-10-17  1:10     ` Casey Schaufler
2017-10-19  0:05       ` Richard Guy Briggs
2017-10-19 13:32         ` Casey Schaufler
2017-10-19 15:51           ` Paul Moore
2017-10-17  1:42     ` Steve Grubb
2017-10-17 12:31       ` Simo Sorce
2017-10-17 14:59         ` Casey Schaufler
2017-10-17 15:28           ` Simo Sorce
2017-10-17 15:44             ` James Bottomley
2017-10-17 16:43               ` Casey Schaufler
2017-10-17 17:15                 ` Steve Grubb
2017-10-17 17:57                   ` James Bottomley
2017-10-18  0:23                     ` Steve Grubb
2017-10-18 20:56               ` Paul Moore
2017-10-18 23:46                 ` Aleksa Sarai
2017-10-19  0:43                   ` Eric W. Biederman
2017-10-19 15:36                     ` Paul Moore
2017-10-19 16:25                       ` Eric W. Biederman
2017-10-19 17:47                         ` Paul Moore
2017-10-17 16:10             ` Casey Schaufler
2017-10-18 19:58         ` Paul Moore [this message]
2017-12-09 10:20   ` Mickaël Salaün
2017-12-09 18:28     ` Casey Schaufler
2017-12-11 16:30       ` Eric Paris
2017-12-11 16:52         ` Casey Schaufler
2017-12-11 19:37         ` Steve Grubb
2017-12-11 15:10     ` Richard Guy Briggs
2017-10-12 17:59 ` Eric W. Biederman
2017-10-13 13:43 ` Alan Cox
