In-Reply-To: <20180522173541.slcdszumi7q6c4id@madcap2.tricolour.ca>
References: <1081821010c124fe4e35984ec3dac1654453bb7c.1521179281.git.rgb@redhat.com> <3001737.MkQ41rgtZF@x2> <87muwshl4z.fsf@xmission.com> <20180522173541.slcdszumi7q6c4id@madcap2.tricolour.ca>
From: Paul Moore
Date: Tue, 22 May 2018 14:59:38 -0400
Subject: Re: [RFC PATCH ghak32 V2 13/13] debug audit: read container ID of a process
To: Richard Guy Briggs
Cc: "Eric W. Biederman", Steve Grubb, simo@redhat.com, jlayton@redhat.com, linux-api@vger.kernel.org, containers@lists.linux-foundation.org, LKML, Eric Paris, dhowells@redhat.com, carlos@redhat.com, linux-audit@redhat.com, viro@zeniv.linux.org.uk, luto@kernel.org, netdev@vger.kernel.org, linux-fsdevel@vger.kernel.org, cgroups@vger.kernel.org, serge@hallyn.com
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, May 22, 2018 at 1:35 PM, Richard Guy Briggs wrote:
> On 2018-05-21 16:06, Paul Moore wrote:
>> On Mon, May 21, 2018 at 3:19 PM, Eric W. Biederman wrote:
>> > Steve Grubb writes:
>> >> On Friday, March 16, 2018 5:00:40 AM EDT Richard Guy Briggs wrote:
>> >>> Add support for reading the container ID from the proc filesystem.
>> >>
>> >> I think this could be useful in general. Please consider this to be part of
>> >> the full patch set and not something merely used to debug the patches.
>> >
>> > Only with an audit specific name.
>> >
>> > As it is:
>> >
>> > Nacked-by: "Eric W. Biederman"
>> >
>> > The truth is the containerid name really stinks and is quite confusing
>> > and does not imply that the label applies only to audit. And little
>> > things like this make me extremely uncomfortable with it.
>>
>> It also makes the audit container ID (notice how I *always* call it
>> the *audit* container ID? that is not an accident) available for
>> userspace applications to abuse. Perhaps in the future we can look at
>> ways to make this more available to applications, but this patch is
>> not the answer.
>
> Do you have a productive suggestion?

I haven't given it much thought beyond our discussions and until we get
the basic audit container ID support in place (all the other parts of
this patchset) I doubt I'll be giving it much thought.

-- 
paul moore
www.paul-moore.com