References: <20190422113810.GA27747@hmswarspite.think-freely.org>
From: Paul Moore
Date: Wed, 29 May 2019 18:26:12 -0400
Subject: Re: [PATCH ghak90 V6 00/10] audit: implement container identifier
To: Richard Guy Briggs
Cc: containers@lists.linux-foundation.org, linux-api@vger.kernel.org,
    Linux-Audit Mailing List, linux-fsdevel@vger.kernel.org, LKML,
    netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,
    sgrubb@redhat.com, omosnace@redhat.com, dhowells@redhat.com,
    simo@redhat.com, Eric Paris, Serge Hallyn, ebiederm@xmission.com,
    Neil Horman
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Apr 22, 2019 at 9:49 AM Paul Moore wrote:
> On Mon, Apr 22, 2019 at 7:38 AM Neil Horman wrote:
> > On Mon, Apr 08, 2019 at 11:39:07PM -0400, Richard Guy Briggs wrote:
> > > Implement kernel audit container identifier.
> >
> > I'm sorry, I've lost track of this, where have we landed on it? Are we good for
> > inclusion?
>
> I haven't finished going through this latest revision, but unless
> Richard made any significant changes outside of the feedback from the
> v5 patchset I'm guessing we are "close".
>
> Based on discussions Richard and I had some time ago, I have always
> envisioned the plan as being get the kernel patchset, tests, docs
> ready (which Richard has been doing) and then run the actual
> implemented API by the userland container folks, e.g. cri-o/lxc/etc.,
> to make sure the actual implementation is sane from their perspective.
> They've already seen the design, so I'm not expecting any real
> surprises here, but sometimes opinions change when they have actual
> code in front of them to play with and review.
>
> Beyond that, while the cri-o/lxc/etc. folks are looking it over,
> whatever additional testing we can do would be a big win. I'm
> thinking I'll pull it into a separate branch in the audit tree
> (audit/working-container ?) and include that in my secnext kernels
> that I build/test on a regular basis; this is also a handy way to keep
> it based against the current audit/next branch. If any changes are
> needed Richard can either choose to base those changes on audit/next or
> the separate audit container ID branch; that's up to him. I've done
> this with other big changes in other trees, e.g. SELinux, and it has
> worked well to get some extra testing in and keep the patchset "merge
> ready" while others outside the subsystem look things over.

I just sent my feedback on the v6 patchset, and it's small: basically
three patches with "one-liner" changes needed.

Richard, it's your call on how you want to proceed from here. You can
post a v7 incorporating the feedback, or since the tweaks are so
minor, you can post fixup patches; the former being more
comprehensive, the latter being quicker to review and digest.

Regardless of that, while we are waiting on a prototype from the
container folks, I think it would be good to pull this into a working
branch in the audit repo (as mentioned above), unless you would prefer
to keep it as a patchset on the mailing list?
If you want to go with the working branch approach, I'll keep the
branch fresh and (re)based against audit/next and if we notice any
problems you can just submit fixes against that branch (depending on
the issue they can be fixup patches, or proper patches). My hope is
that this will enable the process to move quicker as we get near the
finish line.

--
paul moore
www.paul-moore.com