From: Paul Moore
Date: Thu, 13 Feb 2020 16:44:29 -0500
Subject: Re: [PATCH ghak90 V8 07/16] audit: add contid support for signalling the audit daemon
To: Steve Grubb
Cc: linux-audit@redhat.com, Richard Guy Briggs, nhorman@tuxdriver.com, linux-api@vger.kernel.org, containers@lists.linux-foundation.org, LKML, dhowells@redhat.com, netfilter-devel@vger.kernel.org, ebiederm@xmission.com, simo@redhat.com, netdev@vger.kernel.org, linux-fsdevel@vger.kernel.org, Eric Paris, mpatel@redhat.com, Serge Hallyn
List: linux-kernel@vger.kernel.org
References: <20200204231454.oxa7pyvuxbj466fj@madcap2.tricolour.ca> <3142237.YMNxv0uec1@x2>

This is a bit of a thread-hijack, and for that I apologize, but another thought crossed my mind while thinking about this issue further ...

Once we support multiple auditd instances, including the necessary record routing and duplication/multiple-sends (the host always sees *everything*), we will likely need to find a way to "trim" the audit container ID (ACID) lists we send in the records. The auditd instance running on the host/initns will always see everything, so it will want the full container ACID list; however an auditd instance running inside a container really should only see the ACIDs of any child containers.
For example, imagine a system where the host has containers 1 and 2, each running an auditd instance. Inside container 1 there are containers A and B. Inside container 2 there are containers Y and Z. If an audit event is generated in container Z, I would expect the host's auditd to see an ACID list of "1,Z" but container 1's auditd should only see an ACID list of "Z". The auditd running in container 2 should not see the record at all (that will be relatively straightforward).

Does that make sense? Do we have the record formats properly designed to handle this without too much problem (I'm not entirely sure we do)?

-- 
paul moore
www.paul-moore.com
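The trimming rule described in the message above, worked through in code. This is an added illustration, not kernel code and not part of the ghak90 patch set; the `struct container` tree, the container names ("1", "2", "A", "B", "Y", "Z") and the functions `acid_chain()` and `audit_visible_contids()` are constructed here for the example and do not exist in the kernel's audit subsystem. The rule implemented is the one stated in the message: the host/initns auditd gets the full chain of ACIDs from the outermost container down to the one where the event originated; an auditd inside a container gets only the part of that chain strictly below its own container, and gets nothing at all when the originating container is not one of its descendants. The output for each (event origin, observing auditd) pair follows from applying that rule to the topology in the message.

```c
/*
 * Added example: per-auditd trimming of the audit container ID (ACID) list
 * for nested containers. Constructed user-space model, not kernel code.
 */
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 16   /* assumed cap on container nesting for this example */

/* A node in the container nesting tree. In the kernel the contid hangs off
 * the task's audit context; here a tiny static tree stands in for it. */
struct container {
    const char *name;           /* label used in the message ("1", "A", "Z") */
    struct container *parent;   /* NULL for the host / init namespace */
};

/* Collect the chain of containers from the outermost one down to `origin`,
 * excluding the host itself. Returns the chain length, or -1 if it would
 * not fit in MAX_DEPTH entries. For an event in Z the chain reads "2,Z". */
static int acid_chain(const struct container *origin,
                      const struct container **chain)
{
    const struct container *tmp[MAX_DEPTH];
    int n = 0;

    for (const struct container *c = origin; c && c->parent; c = c->parent) {
        if (n >= MAX_DEPTH)
            return -1;          /* nesting deeper than the buffer allows */
        tmp[n++] = c;           /* innermost first while walking up */
    }
    for (int i = 0; i < n; i++)
        chain[i] = tmp[n - 1 - i];  /* reverse: outermost first */
    return n;
}

/* Render the ACID list the auditd running in `observer` should see for an
 * event raised in `origin`. The host sees the whole chain; a containerised
 * auditd sees only the portion strictly below its own container (an event
 * raised in the observer's own container yields an empty list). Returns
 * the number of IDs written, or -1 if the observer must not see the record
 * at all (origin is not a descendant) or the buffer is too small. */
static int audit_visible_contids(const struct container *observer,
                                 const struct container *origin,
                                 char *buf, size_t buflen)
{
    const struct container *chain[MAX_DEPTH];
    int n = acid_chain(origin, chain);
    int start = 0;

    if (n < 0 || buflen == 0)
        return -1;

    if (observer->parent) {     /* not the host: locate ourselves in the chain */
        int i;
        for (i = 0; i < n && chain[i] != observer; i++) {
        }
        if (i == n)
            return -1;          /* not our descendant: do not deliver the record */
        start = i + 1;          /* trim our own ID and everything above it */
    }

    buf[0] = '\0';
    for (int i = start; i < n; i++) {
        size_t used = strlen(buf);
        int w = snprintf(buf + used, buflen - used, "%s%s",
                         used ? "," : "", chain[i]->name);
        if (w < 0 || (size_t)w >= buflen - used)
            return -1;          /* truncated: refuse to emit a partial list */
    }
    return n - start;
}

/* Constructed topology from the message: host -> {1 -> {A, B}, 2 -> {Y, Z}} */
static struct container host = { "host", NULL };
static struct container c1 = { "1", &host }, c2 = { "2", &host };
static struct container cA = { "A", &c1 }, cB = { "B", &c1 };
static struct container cY = { "Y", &c2 }, cZ = { "Z", &c2 };

/* Helper: the visible list as a string, or "(none)" when the record is
 * withheld from that auditd. */
static const char *visible_list(const struct container *observer,
                                const struct container *origin,
                                char *buf, size_t buflen)
{
    if (audit_visible_contids(observer, origin, buf, buflen) < 0)
        return "(none)";
    return buf;
}

int main(void)
{
    char buf[128];
    const struct container *observers[] = { &host, &c1, &c2 };
    const struct container *origins[] = { &cZ, &cA, &cB, &cY, &c1 };

    for (size_t o = 0; o < sizeof observers / sizeof observers[0]; o++)
        for (size_t e = 0; e < sizeof origins / sizeof origins[0]; e++)
            printf("event in %-4s seen by auditd in %-4s: %s\n",
                   origins[e]->name, observers[o]->name,
                   visible_list(observers[o], origins[e], buf, sizeof buf));
    return 0;
}
```

The record-format question in the message is visible in the code: because every auditd gets a different suffix of the same chain, the list has to be a per-destination rendering of the event's contid chain rather than a single string fixed at record-creation time, and a containerised auditd whose container is absent from the chain should get no record rather than an empty list.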