From: Paul Moore
Date: Mon, 22 Apr 2019 09:49:05 -0400
Subject: Re: [PATCH ghak90 V6 00/10] audit: implement container identifier
To: Neil Horman
Cc: Richard Guy Briggs, containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List, linux-fsdevel@vger.kernel.org, LKML, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, sgrubb@redhat.com, omosnace@redhat.com, dhowells@redhat.com, simo@redhat.com, Eric Paris, Serge Hallyn, ebiederm@xmission.com

On Mon, Apr 22, 2019 at 7:38 AM Neil Horman wrote:
> On Mon, Apr 08, 2019 at 11:39:07PM -0400, Richard Guy Briggs wrote:
> > Implement kernel audit container identifier.
>
> I'm sorry, I've lost track of this, where have we landed on it? Are we good for
> inclusion?

I haven't finished going through this latest revision, but unless Richard made any significant changes outside of the feedback from the v5 patchset I'm guessing we are "close".

Based on discussions Richard and I had some time ago, I have always envisioned the plan as being get the kernel patchset, tests, docs ready (which Richard has been doing) and then run the actual implemented API by the userland container folks, e.g. cri-o/lxc/etc., to make sure the actual implementation is sane from their perspective. They've already seen the design, so I'm not expecting any real surprises here, but sometimes opinions change when they have actual code in front of them to play with and review.

Beyond that, while the cri-o/lxc/etc. folks are looking it over, whatever additional testing we can do would be a big win. I'm thinking I'll pull it into a separate branch in the audit tree (audit/working-container ?) and include that in my secnext kernels that I build/test on a regular basis; this is also a handy way to keep it based against the current audit/next branch. If any changes are needed Richard can either choose to base those changes on audit/next or the separate audit container ID branch; that's up to him. I've done this with other big changes in other trees, e.g. SELinux, and it has worked well to get some extra testing in and keep the patchset "merge ready" while others outside the subsystem look things over.

--
paul moore
www.paul-moore.com