Message-ID: <51C3E182.30902@cn.fujitsu.com>
Date: Fri, 21 Jun 2013 13:15:46 +0800
From: Gao feng
To: "Eric W. Biederman"
CC: Eric Paris, containers@lists.linux-foundation.org, serge.hallyn@ubuntu.com, linux-kernel@vger.kernel.org, linux-audit@redhat.com, matthltc@linux.vnet.ibm.com, sgrubb@redhat.com
Subject: Re: [Part1 PATCH 00/22] Add namespace support for audit
References: <1371606834-5802-1-git-send-email-gaofeng@cn.fujitsu.com> <20130619204927.GJ3212@redhat.com> <1371675095.16587.5.camel@dhcp137-13.rdu.redhat.com> <51C270AF.1080902@cn.fujitsu.com> <51C27266.3060909@cn.fujitsu.com> <87y5a4phlm.fsf@xmission.com>
In-Reply-To: <87y5a4phlm.fsf@xmission.com>

On 06/21/2013 06:01 AM, Eric W. Biederman wrote:
> Gao feng writes:
>
>> On 06/20/2013 11:02 AM, Gao feng wrote:
>>> If we don't tie audit to user namespace, there is still one problem.
>>
>> One more problem. Some audit messages are generated by some net subsystem
>> such as netfilter. If we don't tie audit to user namespace, we have no
>> idea where these audit messages should go. There is no relationship between
>> net namespace and audit namespace, while we can get user namespace through
>> net user namespace.
>
> I am in favor of the user namespace tie in.
>
> I am in favor of running a per user namespace audit filter once per user
> namespace walking up the user namespace hierarchy. Each filter would
> deliver messages to a different userspace audit daemon.
>

Agree, this sounds reasonable.

> Until we agree to go that far I am not certain the kernel generated
> audit messages should go anywhere except to the global audit daemon.

There are some audit messages that we are sure about where they should go; we can start from them first.

>
> I think on an individual basis we can look at kernel audit messages and
> see if they should go to just the global user namespace. Just the user
> namespace of the relevant network stack. Or if the message should go to
> the audit daemon of every user namespace that is an ancestor of some
> starting user namespace.
>
> But please let's error on the side of caution here.
>
> Eric