From: Paul Moore
Date: Mon, 21 May 2018 16:06:31 -0400
Subject: Re: [RFC PATCH ghak32 V2 13/13] debug audit: read container ID of a process
To: "Eric W. Biederman", Steve Grubb, Richard Guy Briggs
Cc: simo@redhat.com, jlayton@redhat.com, linux-api@vger.kernel.org,
 containers@lists.linux-foundation.org, LKML, Eric Paris,
 dhowells@redhat.com, carlos@redhat.com, linux-audit@redhat.com,
 viro@zeniv.linux.org.uk, luto@kernel.org, netdev@vger.kernel.org,
 linux-fsdevel@vger.kernel.org, cgroups@vger.kernel.org, serge@hallyn.com
In-Reply-To: <87muwshl4z.fsf@xmission.com>
References: <1081821010c124fe4e35984ec3dac1654453bb7c.1521179281.git.rgb@redhat.com>
 <3001737.MkQ41rgtZF@x2> <87muwshl4z.fsf@xmission.com>

On Mon, May 21, 2018 at 3:19 PM, Eric W. Biederman wrote:
> Steve Grubb writes:
>
>> On Friday, March 16, 2018 5:00:40 AM EDT Richard Guy Briggs wrote:
>>> Add support for reading the container ID from the proc filesystem.
>>
>> I think this could be useful in general. Please consider this to be part of
>> the full patch set and not something merely used to debug the patches.
>
> Only with an audit specific name.
>
> As it is:
>
> Nacked-by: "Eric W. Biederman"
>
> The truth is the containerid name really stinks and is quite confusing
> and does not imply that the label applies only to audit. And little
> things like this make me extremely uncomfortable with it.

It also makes the audit container ID (notice how I *always* call it
the *audit* container ID? that is not an accident) available for
userspace applications to abuse. Perhaps in the future we can look at
ways to make this more available to applications, but this patch is
not the answer.

-- 
paul moore
www.paul-moore.com