From mboxrd@z Thu Jan 1 00:00:00 1970
From: Aristeu Rozanski
Subject: Re: [Part1 PATCH 00/22] Add namespace support for audit
Date: Wed, 19 Jun 2013 16:49:27 -0400
Message-ID: <20130619204927.GJ3212@redhat.com>
References: <1371606834-5802-1-git-send-email-gaofeng@cn.fujitsu.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
In-Reply-To: <1371606834-5802-1-git-send-email-gaofeng-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
Sender: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
Errors-To: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
To: Gao feng
Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
 serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org,
 linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
 eparis-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
 linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
 ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org,
 matthltc-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org,
 sgrubb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org
List-Id: containers.vger.kernel.org

On Wed, Jun 19, 2013 at 09:53:32AM +0800, Gao feng wrote:
> This patchset is the first part of namespace support for audit.
> In this patchset, the main resources of the audit system have
> been isolated. The audit filter and rules haven't been isolated
> yet; that will be implemented in Part2. We finished the isolation
> of user audit messages in this patchset.
>
> I choose to assign audit to the user namespace.
> Right now, there are six kinds of namespaces: net, mount, ipc,
> pid, uts and user. The first five namespaces have special usage;
> audit isn't suitable to belong to these five namespaces. And since
> the flags of the clone system call are in short supply, we can't
> provide a new flag such as CLONE_NEWAUDIT to enable an audit
> namespace separately, so the user namespace may be the best choice.

I thought it was said on the last submission that tying userns and audit namespace together would be a bad idea?

-- 
Aristeu