From: Paul Moore
Date: Tue, 28 May 2019 18:26:47 -0400
Subject: Re: [PATCH ghak90 V6 00/10] audit: implement container identifier
To: Dan Walsh
Cc: Neil Horman, Richard Guy Briggs, containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List, linux-fsdevel@vger.kernel.org, LKML, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, sgrubb@redhat.com, omosnace@redhat.com, dhowells@redhat.com, simo@redhat.com, Eric Paris, Serge Hallyn, ebiederm@xmission.com, Mrunal Patel
In-Reply-To: <509ea6b0-1ac8-b809-98c2-37c34dd98ca3@redhat.com>
References: <20190422113810.GA27747@hmswarspite.think-freely.org> <509ea6b0-1ac8-b809-98c2-37c34dd98ca3@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, May 28, 2019 at 5:54 PM Daniel Walsh wrote:
>
> On 4/22/19 9:49 AM, Paul Moore wrote:
> > On Mon, Apr 22, 2019 at 7:38 AM Neil Horman wrote:
> >> On Mon, Apr 08, 2019 at 11:39:07PM -0400, Richard Guy Briggs wrote:
> >>> Implement kernel audit container identifier.
> >> I'm sorry, I've lost track of this, where have we landed on it? Are we good for
> >> inclusion?
> > I haven't finished going through this latest revision, but unless
> > Richard made any significant changes outside of the feedback from the
> > v5 patchset I'm guessing we are "close".
> >
> > Based on discussions Richard and I had some time ago, I have always
> > envisioned the plan as being get the kernel patchset, tests, docs
> > ready (which Richard has been doing) and then run the actual
> > implemented API by the userland container folks, e.g. cri-o/lxc/etc.,
> > to make sure the actual implementation is sane from their perspective.
> > They've already seen the design, so I'm not expecting any real
> > surprises here, but sometimes opinions change when they have actual
> > code in front of them to play with and review.
> >
> > Beyond that, while the cri-o/lxc/etc. folks are looking it over,
> > whatever additional testing we can do would be a big win. I'm
> > thinking I'll pull it into a separate branch in the audit tree
> > (audit/working-container ?) and include that in my secnext kernels
> > that I build/test on a regular basis; this is also a handy way to keep
> > it based against the current audit/next branch. If any changes are
> > needed Richard can either choose to base those changes on audit/next or
> > the separate audit container ID branch; that's up to him. I've done
> > this with other big changes in other trees, e.g. SELinux, and it has
> > worked well to get some extra testing in and keep the patchset "merge
> > ready" while others outside the subsystem look things over.
>
> Mrunal Patel (maintainer of CRI-O) and I have reviewed the API, and
> believe this is something we can work on in the container runtimes team
> to implement the container auditing code in CRI-O and Podman.

Thanks Dan. If I pulled this into a branch and built you some test kernels to play with, any idea how long it might take to get a proof of concept working on the cri-o side?

FWIW, I've also reached out to some of the LXC folks I know to get their take on the API. I think if we can get two different container runtimes to give the API a thumbs-up then I think we are in good shape with respect to the userspace interface.

I just finished looking over the last of the pending audit kernel patches that were queued waiting for the merge window to open, so this is next on my list to look at. I plan to start doing that tonight/tomorrow, and as long as the changes between v5/v6 are not that big, it shouldn't take too long.

--
paul moore
www.paul-moore.com