Received: by 2002:ac0:aa62:0:0:0:0:0 with SMTP id w31-v6csp480527ima;
        Fri, 26 Oct 2018 01:15:59 -0700 (PDT)
X-Google-Smtp-Source: AJdET5fq7Ngv//t1zc6lPDxG11zb7VXbdULnlK7ZCNO8eQ+Y89KmQaPaevvBMmgCTkCHjcCNxjBZ
X-Received: by 2002:a17:902:a9c5:: with SMTP id b5-v6mr2562305plr.340.1540541759370;
        Fri, 26 Oct 2018 01:15:59 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1540541759; cv=none;
        d=google.com; s=arc-20160816;
        b=fFZlcZzlrkeEVJd8TmdTwxPobNsJjm6txkwVirG1CzT6CSaWtM+oOMJJ5l2bJmupsT
         UN24Js/ByGoTsu60vTePFWnBslhD4ymLdhCUQcSIhI5gm7q8AXZXA+paEdEApewwbMVV
         PRIhAB3CF8wZWKdFyIHWcUBKJXSS/1r54wK5x8wPl0/WjqDr7fZrHtjkyLsHkqXUiCzl
         lYKvmdUqE6XENGk2GkYcGM8fzkUj6+5369YoztPsrlo/YRjY1BzURhwfbraL3Aws0lFA
         sC5HVj7XD+hfLAm7F/4xYJVWR+xACBGvAPsgVfF3JW23sqFKDQB5D0lsef5Eq56NvJ4j
         sUwQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-language
         :content-transfer-encoding:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:cc:to:subject:dkim-signature;
        bh=GediNiVKngPOCK6y+8ihH+VHhd3J7K0rRPl/ZsD5kI0=;
        b=mVekwemk1iFlUEiIlUa71wakoZqEIDm5YpaR7Q8GDHlM3dSSVQJkDeFkjiuSqAWg92
         kzOXcVX7W3/oLNOik527JluMwyhdZ8H5nb62BQCHmw0jV8dOcnZ9rTrQomAKV9C3+ywE
         lRnkm6ioTIDa5ADw7xnVbsuD0OYZ35B7kJQJDg3iEYC4wkwUCZ7w0122jD7Khxe04Npq
         0OKkoeOyeRui7GgOREhYSoWOEAgr6VNx2cKLHgA+3f+3u3INyOvPRWDR1z8+hy+I/Ket
         sYcNpGvEGbhwunN0G8l8Y13u7arWs3KUnBCJw6cXWO5rVkEbcD904gi+C3FLVT7lieK5
         Om6w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@yahoo.com header.s=s2048 header.b=oS8YqKI5;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 32-v6si10908455pls.331.2018.10.26.01.15.42;
        Fri, 26 Oct 2018 01:15:59 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@yahoo.com header.s=s2048 header.b=oS8YqKI5;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726532AbeJZQtf (ORCPT <rfc822;chenhe.dev@gmail.com>
        + 99 others); Fri, 26 Oct 2018 12:49:35 -0400
Received: from sonic307-1.consmr.mail.ir2.yahoo.com ([87.248.110.121]:35463
        "EHLO sonic307-1.consmr.mail.ir2.yahoo.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1726177AbeJZQtf (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 26 Oct 2018 12:49:35 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1540541609; bh=GediNiVKngPOCK6y+8ihH+VHhd3J7K0rRPl/ZsD5kI0=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; b=oS8YqKI5RCudKjkx/z0IaB8fxXryRtkDIFieL8cFclsKbUaoGjy360QnP8PTd2KvDfM6orfi/xf3U1KWR+9tF8eLewC7EAPp28IbZDmC8KmBLqaUtUNeoRongVRrd95nPgnahQCck/es5xlddaO8qapRlgoRadlLhvV0lzUfXDRL8RzptLjStYTcKMtJ7XGWKukeP1hOYdFe9/NqlF6L5A1hHBDOssqZpXC7Jx2ik78J7+xmBov4NqgeUVGxLtjFRsLrbj3vfwWtVv6rh8jmcyupcEhcUlourObNx4XpBb/RW5s+2uVsz2U3MNq2iSC7r3WhqIUqXG73gKX2O4K5CQ==
X-YMail-OSG: evZHxPoVM1lbhkO3pKlZ8FEJtt.ARXCATY8IfUx_pmu2WJ21eEIGQKz3iRc7ZM_
 3ViDI9RI0SLPGobHdFMK.BFoce1_BMX7puWrMV7QxOjswuxBgOBB3N4bJAPJhjYqmaJSZph0ITFk
 yN.oRqlauV9EanL_sK5BS6bsHiCCCWjHBz6c69lc8.uPedzXmV0.X.ovkiVWaWa7D35pcoUv.AcG
 VuRBSnEw03988udCdETCHrmLpUecHCkyReoUn3Wyluf4jpaFnQXt92KgKHwEXShBoXYHnvXMGG78
 1QOvTqZJSgHpJtTsYszWEzDGqcvLJ6nhHGkz9pKJVP6cc.yFKatSaJ7qy2naTalnyjtcb3dBy8u9
 AfMW8TazNV4gcMKKQIIyXEYd_aFuAcRZmbAqX1lLf0ANrHFbxeO8zq0r2sS6aMOH2N3JI6.HkYUg
 ZC9y174WA5J31mAFFTt4XtEP2vPryEVH.g_soUzzayVO4khTwfUgxcAtQ_oqZ39R5ZsK.y29z4zW
 bcPt85zLFWS6.2jLAijlvLaKlmNRHls0nO4FMHueiBtqBNFPyOqQj.HRut7jQ1Epin2CdxOKuU.I
 5HSeVQ6HC.XQz05cL_d.cthGdvU2rhrgTh3k2hhGbvpUgXAyzQvsoCzx5VewuOGR2BFns_T0BUmO
 8uWtD4h.Yhy2_2XIti_Nf1CpwNi1GYFEWOjOZtyvyBHK5UywZSzCQ_kIJCBvlvWnpra10192eg3g
 vhjz4Duy9T3EDgEWzM9ol6NJTxxu98W46GSdyrWQUbBtuChCGDjM4mvkZb2NekOoG8EYP9IfQ62C
 ot.cFsoN6PnyqHnon1brCjVgYRZINc6xsGwneiOJXci7_u01LkFgkXlGwZMaKeVi0KNIJxMTgdBT
 gz52S83_4_ptuYlg1IjdKTwbc8XicEJkdpuCtVbpUcAqiXvLAYCWKzBluKbMverZ1s7pNDy4Woci
 ZTMmGApu8Tq_QDfutJM0r_.LS54NQU1IFGZyFVBWTobqSWF2W7Pigy6iKVNL9tw9xndwgJJo5Zfm
 flKHG5pSptdDiHz0tSoxeHVKfu03u8zlLgUVQ6704iDSAvlwGSENlf89MDfloUslhqPeIV9guuXY
 KNfSKQfkA.R8NbQyvOLN4DxjkSN3cBV18Lp3J5zi8EeKnsMXkBB8oYM4qEFDytKbbZxIAcaR_F_C
 J2K295B8-
Received: from sonic.gate.mail.ne1.yahoo.com by sonic307.consmr.mail.ir2.yahoo.com with HTTP; Fri, 26 Oct 2018 08:13:29 +0000
Received: from 185.7.230.216 (EHLO [10.101.214.177]) ([185.7.230.216])
          by smtp414.mail.ir2.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID e55f25365a03122d990e2367aad2a64b;
          Fri, 26 Oct 2018 08:09:28 +0000 (UTC)
Subject: Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of
 syscalls
To:     Steve Grubb <sgrubb@redhat.com>, Paul Moore <paul@paul-moore.com>
Cc:     luto@kernel.org, rgb@redhat.com, linux-api@vger.kernel.org,
        containers@lists.linux-foundation.org,
        linux-kernel@vger.kernel.org, viro@zeniv.linux.org.uk,
        dhowells@redhat.com, carlos@redhat.com, linux-audit@redhat.com,
        netfilter-devel@vger.kernel.org, ebiederm@xmission.com,
        simo@redhat.com, netdev@vger.kernel.org,
        linux-fsdevel@vger.kernel.org, Eric Paris <eparis@parisplace.org>,
        Serge Hallyn <serge@hallyn.com>
References: <cover.1533065887.git.rgb@redhat.com>
 <34017c395d03a213d6b0d49b9964429bd32b283d.1533065887.git.rgb@redhat.com>
 <CAHC9VhSv4hWGHiaaOfuBrRQKdp2YG5RtqXQbFXg7j7LNEhO2XQ@mail.gmail.com>
 <20181024151439.lavhanabsyxdrdvo@madcap2.tricolour.ca>
 <CAHC9VhRF1vsxM-k0Lw-9NqS9b9rgXRRBu0tq4ajdFpMqUxiH4A@mail.gmail.com>
 <20181025004255.zl7p7j6gztouh2hh@madcap2.tricolour.ca>
 <20181025080638.771621a3@ivy-bridge>
 <CAHC9VhR02siURgadQs0EikcOm0d_TPAi4jJYCx4NkA=wQ5rjSA@mail.gmail.com>
 <20181025122732.4j4rbychjse3gemt@madcap2.tricolour.ca>
 <20181025175745.5b2b13e9@ivy-bridge>
 <20181025173830.4yklhnrydt5qvr67@madcap2.tricolour.ca>
 <CAHC9VhScaG8aOFYRV5hPXEKob1QRth5YFEbHNY=ZgKKAKxBBsQ@mail.gmail.com>
 <20181025235527.15a39d75@ivy-bridge>
From:   Casey Schaufler <casey@schaufler-ca.com>
Message-ID: <e1d8a8cf-5013-ffbe-923b-604851de836d@schaufler-ca.com>
Date:   Fri, 26 Oct 2018 01:09:16 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101
 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <20181025235527.15a39d75@ivy-bridge>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 10/25/2018 2:55 PM, Steve Grubb wrote:
> ...
> And historically speaking setting audit loginuid produces a LOGIN
> event, so it only makes sense to consider binding container ID to
> container as a CONTAINER event. For other supplemental records, we name
> things what they are: PATH, CWD, SOCKADDR, etc. So, CONTAINER_ID makes
> sense. CONTAINER_OP sounds like its for operations on a container. Do
> we have any operations on a container?

The answer has to be "no", because containers are, by emphatic assertion,
not kernel constructs. Any CONTAINER_OP event has to come from user space.
I think.