Date: Wed, 28 Mar 2018 12:39:12 -0600
From: Jonathan Corbet
To: Richard Guy Briggs
Cc: cgroups@vger.kernel.org, containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List, linux-fsdevel@vger.kernel.org, LKML, netdev@vger.kernel.org, luto@kernel.org, jlayton@redhat.com, carlos@redhat.com, viro@zeniv.linux.org.uk, dhowells@redhat.com, simo@redhat.com, eparis@parisplace.org, serge@hallyn.com, ebiederm@xmission.com, madzcar@gmail.com
Subject: Re: [RFC PATCH ghak32 V2 01/13] audit: add container id
Message-ID: <20180328123912.49b11c98@lwn.net>
Organization: LWN.net
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, 16 Mar 2018 05:00:28 -0400
Richard Guy Briggs wrote:

> Implement the proc fs write to set the audit container ID of a process,
> emitting an AUDIT_CONTAINER record to document the event.

A little detail, but still...

> +static int audit_set_containerid_perm(struct task_struct *task, u64 containerid)
> +{
> +	struct task_struct *parent;
> +	u64 pcontainerid, ccontainerid;
> +
> +	/* Don't allow to set our own containerid */
> +	if (current == task)
> +		return -EPERM;
> +	/* Don't allow the containerid to be unset */
> +	if (!cid_valid(containerid))
> +		return -EINVAL;

I went looking for cid_valid(), but it turns out you don't add it until
patch 5.  That, I expect, will not be good for bisectability (or patch
review).

Thanks,

jon
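Review bot: cid_valid() is called in the second check of audit_set_containerid_perm() but is not defined anywhere in this patch, so the series does not build at this point and the patch can neither be reviewed nor bisected on its own; define the helper in this patch (patch 5 can extend it later if it needs to) or replace the call with the explicit comparison it stands for. A smaller point in the same hunk: the comment reads "Don't allow the containerid to be unset" while the code rejects anything cid_valid() dislikes, which may be more than the unset value; either make the comment describe what cid_valid() actually rejects or state what an unset ID is.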