From: Paul Moore
Date: Thu, 30 May 2019 09:35:36 -0400
Subject: Re: [PATCH ghak90 V6 00/10] audit: implement container identifier
To: Steve Grubb
Cc: Richard Guy Briggs, containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List, linux-fsdevel@vger.kernel.org, LKML, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, omosnace@redhat.com, dhowells@redhat.com, simo@redhat.com, Eric Paris, Serge Hallyn, ebiederm@xmission.com, Neil Horman

On Thu, May 30, 2019 at 9:08 AM Steve Grubb wrote:
> On Wednesday, May 29, 2019 6:26:12 PM EDT Paul Moore wrote:
> > On Mon, Apr 22, 2019 at 9:49 AM Paul Moore wrote:
> > > On Mon, Apr 22, 2019 at 7:38 AM Neil Horman wrote:
> > > > On Mon, Apr 08, 2019 at 11:39:07PM -0400, Richard Guy Briggs wrote:
> > > > > Implement kernel audit container identifier.
> > > >
> > > > I'm sorry, I've lost track of this, where have we landed on it? Are we
> > > > good for inclusion?
> > >
> > > I haven't finished going through this latest revision, but unless
> > > Richard made any significant changes outside of the feedback from the
> > > v5 patchset I'm guessing we are "close".
> > >
> > > Based on discussions Richard and I had some time ago, I have always
> > > envisioned the plan as being get the kernel patchset, tests, docs
> > > ready (which Richard has been doing) and then run the actual
> > > implemented API by the userland container folks, e.g. cri-o/lxc/etc.,
> > > to make sure the actual implementation is sane from their perspective.
> > > They've already seen the design, so I'm not expecting any real
> > > surprises here, but sometimes opinions change when they have actual
> > > code in front of them to play with and review.
> > >
> > > Beyond that, while the cri-o/lxc/etc. folks are looking it over,
> > > whatever additional testing we can do would be a big win. I'm
> > > thinking I'll pull it into a separate branch in the audit tree
> > > (audit/working-container ?) and include that in my secnext kernels
> > > that I build/test on a regular basis; this is also a handy way to keep
> > > it based against the current audit/next branch. If any changes are
> > > needed Richard can either choose to base those changes on audit/next or
> > > the separate audit container ID branch; that's up to him. I've done
> > > this with other big changes in other trees, e.g. SELinux, and it has
> > > worked well to get some extra testing in and keep the patchset "merge
> > > ready" while others outside the subsystem look things over.
> >
> > I just sent my feedback on the v6 patchset, and it's small: basically
> > three patches with "one-liner" changes needed.
> >
> > Richard, it's your call on how you want to proceed from here. You can
> > post a v7 incorporating the feedback, or since the tweaks are so
> > minor, you can post fixup patches; the former being more
> > comprehensive, the latter being quicker to review and digest.
> > Regardless of that, while we are waiting on a prototype from the
> > container folks, I think it would be good to pull this into a working
> > branch in the audit repo (as mentioned above), unless you would prefer
> > to keep it as a patchset on the mailing list?
>
> Personally, I'd like to see this on a branch so that it's easier to build a
> kernel locally for testing.

FWIW, if Richard does prefer for me to pull it into a working branch I
plan to include it in my secnext builds both to make it easier to test
regularly and to make the changes available to people who don't want
to build their own kernel.

* http://www.paul-moore.com/blog/d/2019/04/kernel_secnext_repo.html

--
paul moore
www.paul-moore.com