Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2992488AbbEPJsG (ORCPT ); Sat, 16 May 2015 05:48:06 -0400 Received: from mx1.redhat.com ([209.132.183.28]:57509 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S934855AbbEPJqi (ORCPT ); Sat, 16 May 2015 05:46:38 -0400 Message-ID: <555711FA.50703@redhat.com> Date: Sat, 16 May 2015 05:46:34 -0400 From: Daniel J Walsh User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0 MIME-Version: 1.0 To: Paul Moore , Andy Lutomirski CC: "Serge E. Hallyn" , Richard Guy Briggs , Linux API , Linux Containers , "linux-kernel@vger.kernel.org" , Al Viro , linux-audit@redhat.com, "Eric W. Biederman" , Network Development , Linux FS Devel , Eric Paris Subject: Re: [PATCH V6 05/10] audit: log creation and deletion of namespace instances References: <20150515023221.GC965@madcap2.tricolour.ca> <9125391.7ZiCneo6Xn@sifl> In-Reply-To: <9125391.7ZiCneo6Xn@sifl> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2368 Lines: 47 On 05/15/2015 05:05 PM, Paul Moore wrote: > On Thursday, May 14, 2015 11:23:09 PM Andy Lutomirski wrote: >> On Thu, May 14, 2015 at 7:32 PM, Richard Guy Briggs wrote: >>> On 15/05/14, Paul Moore wrote: >>>> * Look at our existing audit records to determine which records should >>>> have >>>> namespace and container ID tokens added. We may only want to add the >>>> additional fields in the case where the namespace/container ID tokens are >>>> not the init namespace. >>> If we have a record that ties a set of namespace IDs with a container >>> ID, then I expect we only need to list the containerID along with auid >>> and sessionID. >> The problem here is that the kernel has no concept of a "container", and I >> don't think it makes any sense to add one just for audit. "Container" is a >> marketing term used by some userspace tools. >> >> I can imagine that both audit could benefit from a concept of a >> namespace *path* that understands nesting (e.g. root/2/5/1 or >> something along those lines). Mapping these to "containers" belongs >> in userspace, I think. > It might be helpful to climb up a few levels in this thread ... > > I think we all agree that containers are not a kernel construct. I further > believe that the kernel has no business generating container IDs, those should > come from userspace and will likely be different depending on how you define > "container". However, what is less clear to me at this point is how the > kernel should handle the setting, reporting, and general management of this > container ID token. > Wouldn't the easiest thing be to just treat add a containerid to the process context like auid. Then make it a privileged operation to set it. Then tools that care about auditing like docker can set the ID and remove the Capability from it sub processes if it cares. All processes adopt parent processes containerid. Now containers can be audited and as long as userspace is written correctly nested containers can either override the containerid or not depending on what the audit rules are. No special handling inside of namespaces. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/