From: James Bottomley <James.Bottomley-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
To: Steve Grubb <sgrubb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
Casey Schaufler <casey-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
Cc: mszeredi-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
Simo Sorce <simo-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
Carlos O'Donell <carlos-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
Linux API <linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Linux Containers
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
Linux Kernel
<linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Al Viro <viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org>,
David Howells <dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
"Eric W. Biederman"
<ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>,
Andy Lutomirski <luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Linux FS Devel
<linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Eric Paris <eparis-FjpueFixGhCM4zKIHC2jIg@public.gmane.org>,
Linux Network Development
<netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
trondmy-7I+n7zu2hftEKMMhf/gKZA@public.gmane.org
Subject: Re: RFC(v2): Audit Kernel Container IDs
Date: Tue, 17 Oct 2017 10:57:43 -0700 [thread overview]
Message-ID: <1508263063.3129.35.camel@HansenPartnership.com> (raw)
In-Reply-To: <1982291.vr6V9CPzqu@x2>
On Tue, 2017-10-17 at 13:15 -0400, Steve Grubb wrote:
> On Tuesday, October 17, 2017 12:43:18 PM EDT Casey Schaufler wrote:
> >
> > >
> > > The idea is that processes spawned into a container would be
> > > labelled by the container orchestration system. It's unclear
> > > what should happen to processes using nsenter after the fact, but
> > > policy for that should be up to the orchestration system.
> >
> > I'm fine with that. The user space policy can be anything y'all
> > like.
>
> I think there should be a login event.
I thought you wanted this for containers? Container creation doesn't
have login events. In an unprivileged orchestration system it may be
hard to synthetically manufacture them.
James
_______________________________________________
Containers mailing list
Containers@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/containers
WARNING: multiple messages have this Message-ID (diff)
From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Steve Grubb <sgrubb@redhat.com>,
Casey Schaufler <casey@schaufler-ca.com>
Cc: mszeredi@redhat.com, David Howells <dhowells@redhat.com>,
Andy Lutomirski <luto@kernel.org>,
jlayton@redhat.com, Carlos O'Donell <carlos@redhat.com>,
Linux API <linux-api@vger.kernel.org>,
Linux Containers <containers@lists.linux-foundation.org>,
Linux Kernel <linux-kernel@vger.kernel.org>,
Eric Paris <eparis@parisplace.org>,
linux-audit@redhat.com,
"Eric W. Biederman" <ebiederm@xmission.com>,
Simo Sorce <simo@redhat.com>,
cgroups@vger.kernel.org,
Linux FS Devel <linux-fsdevel@vger.kernel.org>,
trondmy@primarydata.com,
Linux Network Development <netdev@vger.kernel.org>,
Al Viro <viro@zeniv.linux.org.uk>
Subject: Re: RFC(v2): Audit Kernel Container IDs
Date: Tue, 17 Oct 2017 10:57:43 -0700 [thread overview]
Message-ID: <1508263063.3129.35.camel@HansenPartnership.com> (raw)
In-Reply-To: <1982291.vr6V9CPzqu@x2>
On Tue, 2017-10-17 at 13:15 -0400, Steve Grubb wrote:
> On Tuesday, October 17, 2017 12:43:18 PM EDT Casey Schaufler wrote:
> >
> > >
> > > The idea is that processes spawned into a container would be
> > > labelled by the container orchestration system. It's unclear
> > > what should happen to processes using nsenter after the fact, but
> > > policy for that should be up to the orchestration system.
> >
> > I'm fine with that. The user space policy can be anything y'all
> > like.
>
> I think there should be a login event.
I thought you wanted this for containers? Container creation doesn't
have login events. In an unprivileged orchestration system it may be
hard to synthetically manufacture them.
James
next prev parent reply other threads:[~2017-10-17 17:57 UTC|newest]
Thread overview: 93+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-12 14:14 RFC(v2): Audit Kernel Container IDs Richard Guy Briggs
2017-10-12 14:14 ` Richard Guy Briggs
2017-10-12 15:45 ` Steve Grubb
2017-10-19 19:57 ` Richard Guy Briggs
2017-10-19 19:57 ` Richard Guy Briggs
[not found] ` <20171019195747.4ssujtaj3f5ipsoh-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2017-10-19 23:11 ` Aleksa Sarai
2017-10-19 23:11 ` Aleksa Sarai
2017-10-19 23:15 ` Aleksa Sarai
[not found] ` <8f495870-dd6c-23b9-b82b-4228a441c729-l3A5Bk7waGM@public.gmane.org>
2017-10-19 23:15 ` Aleksa Sarai
2017-10-20 2:25 ` Steve Grubb
2017-10-20 2:25 ` Steve Grubb
2017-10-20 2:25 ` Steve Grubb
2017-10-19 23:11 ` Aleksa Sarai
2017-10-19 19:57 ` Richard Guy Briggs
[not found] ` <20171012141359.saqdtnodwmbz33b2-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2017-10-12 15:45 ` Steve Grubb
2017-10-12 16:33 ` Casey Schaufler
2017-10-12 16:33 ` Casey Schaufler
2017-10-12 16:33 ` Casey Schaufler
[not found] ` <75b7d6a6-42ba-2dff-1836-1091c7c024e7-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2017-10-17 0:33 ` Richard Guy Briggs
2017-12-09 10:20 ` Mickaël Salaün
2017-12-09 10:20 ` Mickaël Salaün
[not found] ` <7ebca85a-425c-2b95-9a5f-59d81707339e-WFhQfpSGs3bR7s880joybQ@public.gmane.org>
2017-12-09 18:28 ` Casey Schaufler
2017-12-09 18:28 ` Casey Schaufler
2017-12-09 18:28 ` Casey Schaufler
2017-12-09 18:28 ` Casey Schaufler
2017-12-11 16:30 ` Eric Paris
2017-12-11 16:52 ` Casey Schaufler
[not found] ` <1513009857.6310.337.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-12-11 16:52 ` Casey Schaufler
2017-12-11 19:37 ` Steve Grubb
2017-12-11 19:37 ` Steve Grubb
2017-12-11 19:37 ` Steve Grubb
[not found] ` <f8ea78be-9bbf-2967-7b12-ac93bb85b0bc-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2017-12-11 16:30 ` Eric Paris
2017-12-11 15:10 ` Richard Guy Briggs
2017-12-11 15:10 ` Richard Guy Briggs
2017-12-11 15:10 ` Richard Guy Briggs
2017-12-11 15:10 ` Richard Guy Briggs
2017-12-09 10:20 ` Mickaël Salaün
2017-10-17 0:33 ` Richard Guy Briggs
2017-10-17 1:10 ` Casey Schaufler
[not found] ` <81c15928-c445-fb8e-251c-bee566fbbf58-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2017-10-19 0:05 ` Richard Guy Briggs
2017-10-19 0:05 ` Richard Guy Briggs
2017-10-19 0:05 ` Richard Guy Briggs
[not found] ` <20171019000527.eio6dfsmujmtioyt-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2017-10-19 13:32 ` Casey Schaufler
2017-10-19 13:32 ` Casey Schaufler
[not found] ` <18cb69a5-f998-0e6e-85df-7f4b9b768a6f-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2017-10-19 15:51 ` Paul Moore
2017-10-19 15:51 ` Paul Moore
2017-10-19 13:32 ` Casey Schaufler
[not found] ` <20171017003340.whjdkqmkw4lydwy7-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2017-10-17 1:10 ` Casey Schaufler
2017-10-17 1:42 ` Steve Grubb
2017-10-17 1:42 ` Steve Grubb
2017-10-17 12:31 ` Simo Sorce
2017-10-17 12:31 ` Simo Sorce
2017-10-17 14:59 ` Casey Schaufler
[not found] ` <a07968f6-fef1-f49d-01f1-6c660c0ada20-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2017-10-17 15:28 ` Simo Sorce
2017-10-17 15:28 ` Simo Sorce
[not found] ` <1508254120.6230.34.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-10-17 15:44 ` James Bottomley
2017-10-17 15:44 ` James Bottomley
[not found] ` <1508255091.3129.27.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2017-10-17 16:43 ` Casey Schaufler
2017-10-18 20:56 ` Paul Moore
2017-10-18 20:56 ` Paul Moore
[not found] ` <CAHC9VhRV9m6-APj3ofMQc22rL-WUoDzB8-urUxryszjCHHHLTg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-10-18 23:46 ` Aleksa Sarai
2017-10-18 23:46 ` Aleksa Sarai
[not found] ` <49752b6f-8a77-d1e5-8acb-5a1eed0a992c-l3A5Bk7waGM@public.gmane.org>
2017-10-19 0:43 ` Eric W. Biederman
2017-10-19 0:43 ` Eric W. Biederman
2017-10-19 0:43 ` Eric W. Biederman
[not found] ` <871sm0j7bm.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2017-10-19 15:36 ` Paul Moore
2017-10-19 15:36 ` Paul Moore
[not found] ` <CAHC9VhTYF-MJm3ejWXE1H-eeXKaNBkeWKwdiKdj093xATYn7nQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-10-19 16:25 ` Eric W. Biederman
2017-10-19 16:25 ` Eric W. Biederman
[not found] ` <87y3o7gl5l.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2017-10-19 17:47 ` Paul Moore
2017-10-19 17:47 ` Paul Moore
2017-10-19 16:25 ` Eric W. Biederman
2017-10-19 15:36 ` Paul Moore
2017-10-17 16:43 ` Casey Schaufler
2017-10-17 17:15 ` Steve Grubb
2017-10-17 17:57 ` James Bottomley [this message]
2017-10-17 17:57 ` James Bottomley
[not found] ` <1508263063.3129.35.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2017-10-18 0:23 ` Steve Grubb
2017-10-18 0:23 ` Steve Grubb
[not found] ` <eb96144d-4ab5-7f9f-de18-b296db35a00a-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2017-10-17 17:15 ` Steve Grubb
2017-10-17 15:44 ` James Bottomley
2017-10-17 16:10 ` Casey Schaufler
2017-10-17 16:10 ` Casey Schaufler
[not found] ` <1508243469.6230.24.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-10-17 14:59 ` Casey Schaufler
2017-10-18 19:58 ` Paul Moore
2017-10-18 19:58 ` Paul Moore
2017-10-12 17:59 ` Eric W. Biederman
2017-10-12 17:59 ` Eric W. Biederman
2017-10-13 13:43 ` Alan Cox
2017-10-13 13:43 ` Alan Cox
2017-10-13 13:43 ` Alan Cox
2017-10-13 13:43 ` Alan Cox
-- strict thread matches above, loose matches on Subject: below --
2017-10-12 14:14 Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1508263063.3129.35.camel@HansenPartnership.com \
--to=james.bottomley-d9phhud1jfjcxq6kfmz53/egyhegw8jk@public.gmane.org \
--cc=carlos-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=casey-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org \
--cc=cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
--cc=eparis-FjpueFixGhCM4zKIHC2jIg@public.gmane.org \
--cc=jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
--cc=mszeredi-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=sgrubb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=simo-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=trondmy-7I+n7zu2hftEKMMhf/gKZA@public.gmane.org \
--cc=viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.