From: Paul Moore
Date: Sun, 28 Oct 2018 03:53:44 -0400
Subject: Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls
To: casey@schaufler-ca.com
Cc: sgrubb@redhat.com, luto@kernel.org, rgb@redhat.com, linux-api@vger.kernel.org, containers@lists.linux-foundation.org, linux-kernel@vger.kernel.org, viro@zeniv.linux.org.uk, dhowells@redhat.com, carlos@redhat.com, linux-audit@redhat.com, netfilter-devel@vger.kernel.org, ebiederm@xmission.com, simo@redhat.com, netdev@vger.kernel.org, linux-fsdevel@vger.kernel.org, Eric Paris, Serge Hallyn
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Oct 26, 2018 at 4:13 AM Casey Schaufler wrote:
> On 10/25/2018 2:55 PM, Steve Grubb wrote:
> > ...
> > And historically speaking setting audit loginuid produces a LOGIN
> > event, so it only makes sense to consider binding container ID to
> > container as a CONTAINER event. For other supplemental records, we name
> > things what they are: PATH, CWD, SOCKADDR, etc. So, CONTAINER_ID makes
> > sense. CONTAINER_OP sounds like it's for operations on a container. Do
> > we have any operations on a container?
>
> The answer has to be "no", because containers are, by emphatic assertion,
> not kernel constructs. Any CONTAINER_OP event has to come from user space.
> I think.

It is very important that we do not confuse operations on the audit
container id with operations on the containers themselves. Of course at
a higher level, e.g. audit log analysis, we want to equate the two, and
if the container runtime which manages the audit container id is sane
that should be a reasonable assumption, but in this particular patchset
AUDIT_CONTAINER_OP is referring to operations involving just the audit
container id.

If there is a need for additional container operation auditing (note
well that I did not say audit container id here) then those audit
records can, and should, be generated by the container runtime itself,
similar to what we do with libvirt for virtualization.

-- 
paul moore
www.paul-moore.com