References: <214163d11a75126f610bcedfad67a4d89575dc77.1568834525.git.rgb@redhat.com> <20191019013904.uevmrzbmztsbhpnh@madcap2.tricolour.ca> <20191021213824.6zti5ndxu7sqs772@madcap2.tricolour.ca> <20191021235734.mgcjotdqoe73e4ha@madcap2.tricolour.ca> <20191022142716.sgxcmc27w4uaqh3u@madcap2.tricolour.ca>
In-Reply-To: <20191022142716.sgxcmc27w4uaqh3u@madcap2.tricolour.ca>
From: Paul Moore
Date: Tue, 22 Oct 2019 10:34:54 -0400
Message-ID:
Subject: Re: [PATCH ghak90 V7 20/21] audit: add capcontid to set contid outside init_user_ns
To: Richard Guy Briggs
Cc: containers@lists.linux-foundation.org, linux-api@vger.kernel.org, Linux-Audit Mailing List, linux-fsdevel@vger.kernel.org, LKML, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, sgrubb@redhat.com, omosnace@redhat.com, dhowells@redhat.com, simo@redhat.com, Eric Paris, Serge Hallyn, ebiederm@xmission.com, nhorman@tuxdriver.com, Dan Walsh, mpatel@redhat.com
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Oct 22, 2019 at 10:27 AM Richard Guy Briggs wrote:
> I'd like your perspective on how the capcontid feature was implemented
> (aside from the proc/netlink api issue which was intended to be
> consistent across loginuid/sessionid/contid/capcontid). Do you see this
> feature as potentially solving the nested container issue in child user
> namespaces?
The patchset is a bit messy at this point in the stack due to the "fixup!" confusion and a few other things which I already mentioned, so I don't really want to comment too much on that until I can see everything in a reasonable patch stack. Let's leave that for the next draft.

--
paul moore
www.paul-moore.com