Re: [PATCH] audit: do not panic on invalid boot parameter

2018-03-05 Thread Richard Guy Briggs
On 2018-03-05 15:05, Greg Edwards wrote: > If you pass in an invalid audit boot parameter value, e.g. "audit=off", > the kernel panics very early in boot before the regular console is > initialized. Unless you have earlyprintk enabled, there is no > indication of what the problem is on the

Re: audit watch rules and docker containers

2018-03-05 Thread Steve Grubb
On Mon, 5 Mar 2018 03:06:44 + (UTC) Rakesh wrote: > Hi Steve, > Thanks for taking the time to look at it. I have been following the > conversation on adding container support to audit, however I am not > looking for container id in the event. I did some more tests and find

[PATCH] audit: do not panic on invalid boot parameter

2018-03-05 Thread Greg Edwards
If you pass in an invalid audit boot parameter value, e.g. "audit=off", the kernel panics very early in boot before the regular console is initialized. Unless you have earlyprintk enabled, there is no indication of what the problem is on the console. Convert the panic() calls to pr_err(), and

Re: audit watch rules and docker containers

2018-03-05 Thread Rakesh
Hi Richard, Thanks for reviewing the email and my apologies for the formatting issue. This response corrects that. I looked at Steve's response (with the embedded link) and have also followed your presentation on YouTube however I am not clear on the proposed change(s) which will allow the

Re: [PATCH] audit: add containerid support for IMA-audit

2018-03-05 Thread Mimi Zohar
On Mon, 2018-03-05 at 08:50 -0500, Richard Guy Briggs wrote: > On 2018-03-05 08:43, Mimi Zohar wrote: > > Hi Richard, > > > > This patch has been compiled, but not runtime tested. > > Ok, great, thank you. I assume you are offering this patch to be > included in this patchset? Yes, thank you.

Re: [PATCH] audit: add containerid support for IMA-audit

2018-03-05 Thread Richard Guy Briggs
On 2018-03-05 08:43, Mimi Zohar wrote: > Hi Richard, > > This patch has been compiled, but not runtime tested. Ok, great, thank you. I assume you are offering this patch to be included in this patchset? I'll have a look to see where it fits in the IMA record. It might be better if it were an

[PATCH] audit: add containerid support for IMA-audit

2018-03-05 Thread Mimi Zohar
Hi Richard, This patch has been compiled, but not runtime tested. --- If the containerid is defined, include it in the IMA-audit record. Signed-off-by: Mimi Zohar --- security/integrity/ima/ima_api.c | 3 +++ 1 file changed, 3 insertions(+) diff --git

Re: [RFC PATCH V1 00/12] audit: implement container id

2018-03-05 Thread Mimi Zohar
On Sun, 2018-03-04 at 22:31 -0500, Richard Guy Briggs wrote: > On 2018-03-04 16:55, Mimi Zohar wrote: > > On Thu, 2018-03-01 at 14:41 -0500, Richard Guy Briggs wrote: > > > Implement audit kernel container ID. > > > > > > This patchset is a preliminary RFC based on the proposal document (V3) > >

Re: [RFC PATCH V1 01/12] audit: add container id

2018-03-05 Thread Richard Guy Briggs
On 2018-03-04 10:01, Paul Moore wrote: > On Sat, Mar 3, 2018 at 4:19 AM, Serge E. Hallyn wrote: > > On Thu, Mar 01, 2018 at 02:41:04PM -0500, Richard Guy Briggs wrote: > > ... > >> +static inline bool audit_containerid_set(struct task_struct *tsk) > > > > Hi Richard, > > > > the

[RFC PATCH] auditctl: add support for containerid filter

2018-03-05 Thread Richard Guy Briggs
A u64 container identifier has been added to the kernel view of tasks. This allows container orchestrators to label tasks with a unique tamperproof identifier that gets inherited by its children to be able to track the provenance of actions by a container. Add support to libaudit and auditctl for