Re: RFC: Audit Kernel Container IDs

2017-09-18 Thread Richard Guy Briggs
On 2017-09-18 21:45, Eric W. Biederman wrote:
> Richard Guy Briggs writes:
>
> > On 2017-09-14 12:33, Eric W. Biederman wrote:
> >> Richard Guy Briggs writes:
> >>
> >> > The trigger is a pseudo filesystem (proc, since PID tree already exists)
> >> > write of

Re: RFC: Audit Kernel Container IDs

2017-09-18 Thread Eric W. Biederman
Richard Guy Briggs writes:
> On 2017-09-14 12:33, Eric W. Biederman wrote:
>> Richard Guy Briggs writes:
>>
>> > The trigger is a pseudo filesystem (proc, since PID tree already exists)
>> > write of a u64 representing the container ID to a file representing a

Re: RFC: Audit Kernel Container IDs

2017-09-15 Thread Richard Guy Briggs
On 2017-09-14 01:30, Richard Guy Briggs wrote:
> On 2017-09-13 14:33, Carlos O'Donell wrote:
> > On 09/13/2017 12:13 PM, Richard Guy Briggs wrote:
> > > Containers are a userspace concept. The kernel knows nothing of them.
> >
> > I am looking at this RFC from a userspace perspective,

Re: RFC: Audit Kernel Container IDs

2017-09-14 Thread Richard Guy Briggs
On 2017-09-14 12:33, Eric W. Biederman wrote:
> Richard Guy Briggs writes:
>
> > The trigger is a pseudo filesystem (proc, since PID tree already exists)
> > write of a u64 representing the container ID to a file representing a
> > process that will become the first process in a

Re: RFC: Audit Kernel Container IDs

2017-09-14 Thread Eric W. Biederman
Richard Guy Briggs writes:
> The trigger is a pseudo filesystem (proc, since PID tree already exists)
> write of a u64 representing the container ID to a file representing a
> process that will become the first process in a new container.
> This might place restrictions on mount

Re: RFC: Audit Kernel Container IDs

2017-09-13 Thread Richard Guy Briggs
On 2017-09-13 14:33, Carlos O'Donell wrote:
> On 09/13/2017 12:13 PM, Richard Guy Briggs wrote:
> > Containers are a userspace concept. The kernel knows nothing of them.
>
> I am looking at this RFC from a userspace perspective, particularly from
> the loader's point of view and the unshare

Re: RFC: Audit Kernel Container IDs

2017-09-13 Thread Carlos O'Donell
On 09/13/2017 12:13 PM, Richard Guy Briggs wrote:
> Containers are a userspace concept. The kernel knows nothing of them.

I am looking at this RFC from a userspace perspective, particularly from the loader's point of view and the unshare syscall and the semantics that arise from the use of it.

RFC: Audit Kernel Container IDs

2017-09-13 Thread Richard Guy Briggs
Containers are a userspace concept. The kernel knows nothing of them. The Linux audit system needs a way to be able to track the container provenance of events and actions. Audit needs the kernel's help to do this. Since the concept of a container is entirely a userspace concept, a trigger