Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp717507imm;
        Mon, 21 May 2018 13:07:07 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZoQ8OjinflSFSmaWbY9V9tIaXpaKVgz/1/VAKAxsN/t7zuXCMGD9nNAH5tRHH50AA9hmGYI
X-Received: by 2002:a63:ac1a:: with SMTP id v26-v6mr17082963pge.105.1526933227133;
        Mon, 21 May 2018 13:07:07 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1526933227; cv=none;
        d=google.com; s=arc-20160816;
        b=lbMAgXiMa3v+3qdZL1MGt6WXmMH0r0ewTLd9CqiGBiE+dqXPdhKRC04eebFo+TD6Ks
         Kfo02OYuuufc4x/mKt4VjRp6Rvwu7kHJ9Tfa85/W5GjVhSBbSVmDLDaQwri2wzgA6IZj
         hbc04L4elYlsFvfWYc1cJIRZTdWGrl0Y0GHJhfGGBrWmAUrDznxB5oe9QGxC0bnCLI8j
         wDPJJ2yw88tP0ip5ro+u/a7lpBtRLaRBOWCIQGepiweuHcmE/dJ+KrB5na8+GGV7Bv6Z
         GINu/dgLrLED3ZJwWfRVjhOuD+LTi+xOSbvFOXvkSoluduG2ZDgLuYSTwnpyF4TWSLKL
         i2tQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=At76K3wUpvoIaCNbNvWJmhbVGB8XkZ/Loy1JUBm7/Dw=;
        b=LyMAw8WnSdianhkqbtD6fd83n8RB3Mo1XikLmJXo1sPiw0SBn8py56AA66KL9RUFf8
         JjiVTybsYATFmph9Nr0PxD/yNE2Ol0eTwn9BmQpc8x8MtKQi9bF/kK43yKMXu4yl/rq2
         jd/q0RrhCnCGcWrxV3LEvC3NWJlHRH2KERyUk0M0vXGtOgZe9PgF41mXUm3fycaT342g
         OLrPuNgPEB22HOl7o7bEbUwvTDsZ033/NTOhPVVUl9Z3NFXKfLrzuUZ3DndC5rzax7H/
         wXiWPXPx3bfusjz3hFTNw3sT3SzlZS29DlVKiLwwbihxetHB9vKUNVo/sVtZt2/E13ni
         TjTQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=NqpDI/jM;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 73-v6si15608514pld.217.2018.05.21.13.06.49;
        Mon, 21 May 2018 13:07:07 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=NqpDI/jM;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1750993AbeEUUGh (ORCPT <rfc822;zzmahb@gmail.com> + 99 others);
        Mon, 21 May 2018 16:06:37 -0400
Received: from mail-lf0-f65.google.com ([209.85.215.65]:44148 "EHLO
        mail-lf0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751019AbeEUUGd (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 21 May 2018 16:06:33 -0400
Received: by mail-lf0-f65.google.com with SMTP id h197-v6so25679377lfg.11
        for <linux-kernel@vger.kernel.org>; Mon, 21 May 2018 13:06:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=paul-moore-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=At76K3wUpvoIaCNbNvWJmhbVGB8XkZ/Loy1JUBm7/Dw=;
        b=NqpDI/jMC40EDXSqhz/DNsXfQ2R8sRID13kzz6pw0XQRPQJktdXJwRLugm5lDP8ibq
         jepoWZODgWEdnK3Fn8X7cLcngkggcBawwuWptO6y9/WXcj3w38VriYxKB7WV5q1zra4f
         BOZzfieE3ZyPIkA5AzJMLFoHRE5QsT23VgufuXZIeXVv/6e26Ga4yKxIw0FOmK49WRcn
         oG6J48G1kYFTcpDbPfnd4ZxclDb19hNObLmPBvZrlYq545bjCvfhZcoQBV7MS1YS0XsP
         E604g78hWXP7feqcAACQUr8UIE6Wet1jchbCMGvdIXuuYf0C17uZzkjU2ypU7RsZoN6u
         D6GQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=At76K3wUpvoIaCNbNvWJmhbVGB8XkZ/Loy1JUBm7/Dw=;
        b=Zd3UaTpFoZIw7jfmpTpgkn3WKtDfkZPq37emBqpTcTvM1sCdhTLv3d2KdpajRKYsSv
         6KqLNobb2qUeeMnT/szPYerpmKX3C4V45hfguHuu5+Y/PK9f35pqZeCSAMAdC1aZ9FFp
         mJaiV1hg1oeXZGib9+a826+NkqXFlMngg5vAW4WQ4TuS5EHWTo/ctSVVc4zEk+VnqcBo
         t5lbFnmN22T5H1Sr4H5Jh+uehSSIYC0LwtzjhO7ctcjNnf8v72rDjhIH1RvCfXJBxvgS
         yGOazEW07/eLPrChqY73GTaTkqLZcEBJRru32ni74bJGTCKTKRiAGx+jGYBVdSr/6OR3
         nAsQ==
X-Gm-Message-State: ALKqPwfHoOsDwS/FbltW/2FRPOPs0no7KLtJ/QtnbFe5NXPW2krDwInE
        H06sdn7ITghJx0DsyxKmBIKGUZLeKSbBaHhxbStg
X-Received: by 2002:a19:a70f:: with SMTP id q15-v6mr17765512lfe.39.1526933192335;
 Mon, 21 May 2018 13:06:32 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a19:a947:0:0:0:0:0 with HTTP; Mon, 21 May 2018 13:06:31
 -0700 (PDT)
X-Originating-IP: [108.20.156.165]
In-Reply-To: <87muwshl4z.fsf@xmission.com>
References: <cover.1521179281.git.rgb@redhat.com> <1081821010c124fe4e35984ec3dac1654453bb7c.1521179281.git.rgb@redhat.com>
 <3001737.MkQ41rgtZF@x2> <87muwshl4z.fsf@xmission.com>
From:   Paul Moore <paul@paul-moore.com>
Date:   Mon, 21 May 2018 16:06:31 -0400
Message-ID: <CAHC9VhQruN88t-R9Qo3e4hwCZ58RAyrmEmH1nY4RR6NZaiBzGQ@mail.gmail.com>
Subject: Re: [RFC PATCH ghak32 V2 13/13] debug audit: read container ID of a process
To:     "Eric W. Biederman" <ebiederm@xmission.com>,
        Steve Grubb <sgrubb@redhat.com>,
        Richard Guy Briggs <rgb@redhat.com>
Cc:     simo@redhat.com, jlayton@redhat.com, linux-api@vger.kernel.org,
        containers@lists.linux-foundation.org,
        LKML <linux-kernel@vger.kernel.org>,
        Eric Paris <eparis@parisplace.org>, dhowells@redhat.com,
        carlos@redhat.com, linux-audit@redhat.com, viro@zeniv.linux.org.uk,
        luto@kernel.org, netdev@vger.kernel.org,
        linux-fsdevel@vger.kernel.org, cgroups@vger.kernel.org,
        serge@hallyn.com
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, May 21, 2018 at 3:19 PM, Eric W. Biederman
<ebiederm@xmission.com> wrote:
> Steve Grubb <sgrubb@redhat.com> writes:
>
>> On Friday, March 16, 2018 5:00:40 AM EDT Richard Guy Briggs wrote:
>>> Add support for reading the container ID from the proc filesystem.
>>
>> I think this could be useful in general. Please consider this to be part of
>> the full patch set and not something merely used to debug the patches.
>
> Only with an audit specific name.
>
> As it is:
>
> Nacked-by: "Eric W. Biederman" <ebiederm@xmission.com>
>
> The truth is the containerid name really stinks and is quite confusing
> and does not imply that the label applies only to audit.  And little
> things like this make me extremely uncofortable with it.

It also makes the audit container ID (notice how I *always* call it
the *audit* container ID? that is not an accident) available for
userspace applications to abuse.  Perhaps in the future we can look at
ways to make this more available to applications, but this patch is
not the answer.

-- 
paul moore
www.paul-moore.com