From: "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>
To: Richard Guy Briggs <rgb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Cc: aviro-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
	containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
	linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	eparis-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
	pmoore-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
	linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
	sgrubb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
	ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org
Subject: Re: [PATCH V5 06/13] audit: log creation and deletion of namespace instances
Date: Mon, 13 Oct 2014 14:26:06 +0200	[thread overview]
Message-ID: <20141013122606.GD24703@mail.hallyn.com> (raw)
In-Reply-To: <55b0228c68d0e74480ce73f88e05d16455c4c843.1412543112.git.rgb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>

Quoting Richard Guy Briggs (rgb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org):
> Log the creation and deletion of namespace instances in all 6 types of
> namespaces.
> 
> Twelve new audit message types have been introduced:
> AUDIT_NS_INIT_MNT       1330    /* Record mount namespace instance creation */
> AUDIT_NS_INIT_UTS       1331    /* Record UTS namespace instance creation */
> AUDIT_NS_INIT_IPC       1332    /* Record IPC namespace instance creation */
> AUDIT_NS_INIT_USER      1333    /* Record USER namespace instance creation */
> AUDIT_NS_INIT_PID       1334    /* Record PID namespace instance creation */
> AUDIT_NS_INIT_NET       1335    /* Record NET namespace instance creation */
> AUDIT_NS_DEL_MNT        1336    /* Record mount namespace instance deletion */
> AUDIT_NS_DEL_UTS        1337    /* Record UTS namespace instance deletion */
> AUDIT_NS_DEL_IPC        1338    /* Record IPC namespace instance deletion */
> AUDIT_NS_DEL_USER       1339    /* Record USER namespace instance deletion */
> AUDIT_NS_DEL_PID        1340    /* Record PID namespace instance deletion */
> AUDIT_NS_DEL_NET        1341    /* Record NET namespace instance deletion */
> 
> As suggested by Eric Paris, there are 12 message types, one for each of
> creation and deletion, one for each type of namespace so that text searches are
> easier in conjunction with the AUDIT_NS_INFO message type, being able to search
> for all records such as "netns=7 " and to avoid fields disappearing per message
> type to make ausearch more efficient.
> 
> A typical startup would look roughly like:
> 
> 	type=AUDIT_NS_INIT_UTS msg=audit(1408577534.868:5): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel old_utsns=0 utsns=2 res=1
> 	type=AUDIT_NS_INIT_USER msg=audit(1408577534.868:6): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel old_userns=0 userns=3 res=1
> 	type=AUDIT_NS_INIT_PID msg=audit(1408577534.868:7): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel old_pidns=0 pidns=4 res=1
> 	type=AUDIT_NS_INIT_MNT msg=audit(1408577534.868:8): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel old_mntns=0 mntns=5 res=1
> 	type=AUDIT_NS_INIT_IPC msg=audit(1408577534.868:9): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel old_ipcns=0 ipcns=1 res=1
> 	type=AUDIT_NS_INIT_NET msg=audit(1408577533.500:10): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel old_netns=0 netns=7 res=1
> 
> And a CLONE action would result in:
> 	type=type=AUDIT_NS_INIT_NET msg=audit(1408577535.306:81): pid=481 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 old_netns=7 netns=8 res=1
> 	type=type=AUDIT_NS_INIT_MNT msg=audit(1408577535.307:83): pid=481 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 old_mntns=5 mntns=9 res=1
> 
> While deleting a namespace would result in:
> 	type=type=AUDIT_NS_DEL_MNT msg=audit(1408577552.221:85): pid=481 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 mntns=9 res=1
> 
> If non-zero, old_snum lists the namespace from which it was cloned.
> 
> Signed-off-by: Richard Guy Briggs <rgb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>

Acked-by: Serge Hallyn <serge.hallyn-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>

Two suggestions below though

> ---
>  fs/namespace.c             |   12 ++++++++++
>  include/linux/audit.h      |    8 +++++++
>  include/uapi/linux/audit.h |   12 ++++++++++
>  ipc/namespace.c            |   10 +++++++++
>  kernel/audit.c             |   49 ++++++++++++++++++++++++++++++++++++++++++++
>  kernel/pid_namespace.c     |   10 +++++++++
>  kernel/user_namespace.c    |   11 +++++++++
>  kernel/utsname.c           |   11 +++++++++
>  net/core/net_namespace.c   |   12 ++++++++++
>  9 files changed, 135 insertions(+), 0 deletions(-)
> 
> diff --git a/fs/namespace.c b/fs/namespace.c
> index f433f21..cb05b3d 100644
> --- a/fs/namespace.c
> +++ b/fs/namespace.c
> @@ -24,6 +24,7 @@
>  #include <linux/proc_ns.h>
>  #include <linux/magic.h>
>  #include <linux/bootmem.h>
> +#include <linux/audit.h>
>  #include "pnode.h"
>  #include "internal.h"
>  
> @@ -2459,6 +2460,7 @@ dput_out:
>  
>  static void free_mnt_ns(struct mnt_namespace *ns)
>  {
> +	audit_log_ns_del(AUDIT_NS_DEL_MNT, ns->serial_num);
>  	proc_free_inum(ns->proc_inum);
>  	put_user_ns(ns->user_ns);
>  	kfree(ns);
> @@ -2519,6 +2521,7 @@ struct mnt_namespace *copy_mnt_ns(unsigned long flags, struct mnt_namespace *ns,
>  	new_ns = alloc_mnt_ns(user_ns);
>  	if (IS_ERR(new_ns))
>  		return new_ns;
> +	audit_log_ns_init(AUDIT_NS_INIT_MNT, ns->serial_num, new_ns->serial_num);
>  
>  	namespace_lock();
>  	/* First pass: copy the tree topology */
> @@ -2831,6 +2834,15 @@ static void __init init_mount_tree(void)
>  	set_fs_root(current->fs, &root);
>  }
>  
> +/* log the serial number of init mnt namespace after audit service starts */
> +static int __init mnt_ns_init_log(void)
> +{
> +	struct mnt_namespace *init_mnt_ns = init_task.nsproxy->mnt_ns;
> +	audit_log_ns_init(AUDIT_NS_INIT_MNT, 0, init_mnt_ns->serial_num);
> +	return 0;
> +}
> +late_initcall(mnt_ns_init_log);
> +
>  void __init mnt_init(void)
>  {
>  	unsigned u;
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index 7cdebdc..1474334 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -481,6 +481,9 @@ extern void		    audit_log_ns_info(struct task_struct *tsk);
>  static inline void	    audit_log_ns_info(struct task_struct *tsk)
>  { }
>  #endif
> +extern int		    audit_log_ns_init(int type, long long old_snum,
> +					      long long snum);
> +extern int		    audit_log_ns_del(int type, long long snum);
>  
>  extern int		    audit_update_lsm_rules(void);
>  
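Review bot: these two externs are unconditional inside the CONFIG_AUDIT branch, but their definitions in kernel/audit.c sit under #ifdef CONFIG_NAMESPACES, and fs/namespace.c and net/core/net_namespace.c call them unconditionally, so a CONFIG_AUDIT=y, CONFIG_NAMESPACES=n build should fail to link. Follow the pattern of audit_log_ns_info just above: declare them inside the #ifdef CONFIG_NAMESPACES block and give that block's #else `static inline int audit_log_ns_init(...) { return 0; }` style stubs.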
> @@ -539,6 +542,11 @@ static inline void audit_log_task_info(struct audit_buffer *ab,
>  { }
>  static inline void audit_log_ns_info(struct task_struct *tsk)
>  { }
> +static inline int audit_log_ns_init(int type, long long old_snum,
> +				    long long snum)
> +{ }
> +static inline int audit_log_ns_del(int type, long long snum)
> +{ }
>  #define audit_enabled 0
>  #endif /* CONFIG_AUDIT */
>  static inline void audit_log_string(struct audit_buffer *ab, const char *buf)
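Review bot: the !CONFIG_AUDIT stubs `static inline int audit_log_ns_init(int type, long long old_snum, long long snum) { }` and `static inline int audit_log_ns_del(int type, long long snum) { }` are declared int but contain no return statement, which is a -Wreturn-type warning and undefined behaviour for the ipc/pid/uts/user initcalls below that do `return audit_log_ns_init(...)`; make both bodies `{ return 0; }`.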
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 760357e..1acfea7 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -111,6 +111,18 @@
>  #define AUDIT_PROCTITLE		1327	/* Proctitle emit event */
>  #define AUDIT_FEATURE_CHANGE	1328	/* audit log listing feature changes */
>  #define AUDIT_NS_INFO		1329	/* Record process namespace IDs */
> +#define AUDIT_NS_INIT_MNT	1330	/* Record mount namespace instance creation */
> +#define AUDIT_NS_INIT_UTS	1331	/* Record UTS namespace instance creation */
> +#define AUDIT_NS_INIT_IPC	1332	/* Record IPC namespace instance creation */
> +#define AUDIT_NS_INIT_USER	1333	/* Record USER namespace instance creation */
> +#define AUDIT_NS_INIT_PID	1334	/* Record PID namespace instance creation */
> +#define AUDIT_NS_INIT_NET	1335	/* Record NET namespace instance creation */
> +#define AUDIT_NS_DEL_MNT	1336	/* Record mount namespace instance deletion */
> +#define AUDIT_NS_DEL_UTS	1337	/* Record UTS namespace instance deletion */
> +#define AUDIT_NS_DEL_IPC	1338	/* Record IPC namespace instance deletion */
> +#define AUDIT_NS_DEL_USER	1339	/* Record USER namespace instance deletion */
> +#define AUDIT_NS_DEL_PID	1340	/* Record PID namespace instance deletion */
> +#define AUDIT_NS_DEL_NET	1341	/* Record NET namespace instance deletion */
>  
>  #define AUDIT_AVC		1400	/* SE Linux avc denial or grant */
>  #define AUDIT_SELINUX_ERR	1401	/* Internal SE Linux Errors */
> diff --git a/ipc/namespace.c b/ipc/namespace.c
> index 36ce7ff..538c4b9 100644
> --- a/ipc/namespace.c
> +++ b/ipc/namespace.c
> @@ -13,6 +13,7 @@
>  #include <linux/mount.h>
>  #include <linux/user_namespace.h>
>  #include <linux/proc_ns.h>
> +#include <linux/audit.h>
>  
>  #include "util.h"
>  
> @@ -42,6 +43,7 @@ static struct ipc_namespace *create_ipc_ns(struct user_namespace *user_ns,
>  	atomic_inc(&nr_ipc_ns);
>  
>  	ns->serial_num = ns_serial();
> +	audit_log_ns_init(AUDIT_NS_INIT_IPC, old_ns->serial_num, ns->serial_num);
>  
>  	sem_init_ns(ns);
>  	msg_init_ns(ns);
> @@ -121,6 +123,7 @@ static void free_ipc_ns(struct ipc_namespace *ns)
>  	 */
>  	ipcns_notify(IPCNS_REMOVED);
>  	put_user_ns(ns->user_ns);
> +	audit_log_ns_del(AUDIT_NS_DEL_IPC, ns->serial_num);
>  	proc_free_inum(ns->proc_inum);
>  	kfree(ns);
>  }
> @@ -207,3 +210,10 @@ const struct proc_ns_operations ipcns_operations = {
>  	.inum		= ipcns_inum,
>  	.snum		= ipcns_snum,
>  };
> +
> +static int __init ipc_namespaces_init(void)
> +{
> +	return audit_log_ns_init(AUDIT_NS_INIT_IPC, 0, init_ipc_ns.serial_num);
> +}
> +
> +late_initcall(ipc_namespaces_init);
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 8ff7f28..a17a09f 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1960,6 +1960,55 @@ out:
>  	kfree(name);
>  }
>  
> +#ifdef CONFIG_NAMESPACES
> +static char* ns_name[] = {
> +	"mnt",
> +	"uts",
> +	"ipc",
> +	"user",
> +	"pid",
> +	"net",

Comment here that the order corresponds to the AUDIT_NS_INIT_MNT..
#defines order, and maybe even move this next to those.

> +};
> +
> +/**
> + * audit_log_ns_init - report a namespace instance creation
> + * @type: type of audit namespace instance created message
> + * @old_snum: the serial number of the cloned namespace instance
> + * @snum: the serial number of the new namespace instance
> + */
> +int audit_log_ns_init(int type, long long old_snum, long long snum)
> +{
> +	struct audit_buffer *ab;
> +	char* audit_ns_name = ns_name[type - AUDIT_NS_INIT_MNT];
> +
> +	if (type < AUDIT_NS_INIT_MNT || type > AUDIT_NS_INIT_NET)

probably worth defining an AUDIT_NS_INIT_FIRST and AUDIT_NS_INIT_LAST
in audit.h which can be updated at the source defines.

> +		return 0;
> +	audit_log_common_recv_msg(&ab, type);
> +	audit_log_format(ab, " old_%sns=%llx %sns=%llx res=1",
> +			 audit_ns_name, old_snum, audit_ns_name, snum);
> +	audit_log_end(ab);
> +	return 0;
> +}
> +
> +/**
> + * audit_log_ns_del - report a namespace instance deleted
> + * @type: type of audit namespace instance deleted message
> + * @snum: the serial number of the namespace instance
> + */
> +int audit_log_ns_del(int type, long long snum)
> +{
> +	struct audit_buffer *ab;
> +	char* audit_ns_name = ns_name[type - AUDIT_NS_DEL_MNT];
> +
> +	if (type < AUDIT_NS_DEL_MNT || type > AUDIT_NS_DEL_NET)
> +		return 0;
> +	audit_log_common_recv_msg(&ab, type);
> +	audit_log_format(ab, " %ssn=%llx res=1", audit_ns_name, snum);
> +	audit_log_end(ab);
> +	return 0;
> +}
> +#endif /* CONFIG_NAMESPACES */
> +
>  /**
>   * audit_log_end - end one audit record
>   * @ab: the audit_buffer
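Review bot: in both functions the lookup `char* audit_ns_name = ns_name[type - AUDIT_NS_INIT_MNT];` (and its _DEL_ twin) runs in the declaration, before the range check on `type`, so an out-of-range type reads past the array before the check can return; move the lookup below the check. Second, the deletion record is formatted with `" %ssn=%llx res=1"`, i.e. `mntsn=`, while the init record and the examples in the commit message use `mntns=`; using a different key for the same value defeats the stated goal of searching on "netns=7 " across record types. Third, `%llx` prints the serial numbers in hex with no 0x prefix, which the examples (old_mntns=5 mntns=9) do not make obvious; either switch to %llu or document the base for ausearch users. Finally, `static char* ns_name[]` should be `static const char *const ns_name[]` in kernel style.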
> diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c
> index 059b330..7da351a 100644
> --- a/kernel/pid_namespace.c
> +++ b/kernel/pid_namespace.c
> @@ -18,6 +18,7 @@
>  #include <linux/proc_ns.h>
>  #include <linux/reboot.h>
>  #include <linux/export.h>
> +#include <linux/audit.h>
>  
>  struct pid_cache {
>  	int nr_ids;
> @@ -110,6 +111,8 @@ static struct pid_namespace *create_pid_namespace(struct user_namespace *user_ns
>  		goto out_free_map;
>  
>  	ns->serial_num = ns_serial();
> +	audit_log_ns_init(AUDIT_NS_INIT_PID, parent_pid_ns->serial_num,
> +			  ns->serial_num);
>  
>  	kref_init(&ns->kref);
>  	ns->level = level;
> @@ -144,6 +147,7 @@ static void destroy_pid_namespace(struct pid_namespace *ns)
>  {
>  	int i;
>  
> +	audit_log_ns_del(AUDIT_NS_DEL_PID, ns->serial_num);
>  	proc_free_inum(ns->proc_inum);
>  	for (i = 0; i < PIDMAP_ENTRIES; i++)
>  		kfree(ns->pidmap[i].page);
> @@ -397,3 +401,9 @@ static __init int pid_namespaces_init(void)
>  }
>  
>  __initcall(pid_namespaces_init);
> +
> +static __init int pid_namespaces_late_init(void)
> +{
> +	return audit_log_ns_init(AUDIT_NS_INIT_PID, 0, init_pid_ns.serial_num);
> +}
> +late_initcall(pid_namespaces_late_init);
> diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
> index 3f04df5..24497a0 100644
> --- a/kernel/user_namespace.c
> +++ b/kernel/user_namespace.c
> @@ -22,6 +22,7 @@
>  #include <linux/ctype.h>
>  #include <linux/projid.h>
>  #include <linux/fs_struct.h>
> +#include <linux/audit.h>
>  
>  static struct kmem_cache *user_ns_cachep __read_mostly;
>  
> @@ -93,6 +94,8 @@ int create_user_ns(struct cred *new)
>  	}
>  
>  	ns->serial_num = ns_serial();
> +	audit_log_ns_init(AUDIT_NS_INIT_USER, parent_ns->serial_num,
> +			  ns->serial_num);
>  
>  	atomic_set(&ns->count, 1);
>  	/* Leave the new->user_ns reference with the new user namespace. */
> @@ -138,6 +141,7 @@ void free_user_ns(struct user_namespace *ns)
>  #ifdef CONFIG_PERSISTENT_KEYRINGS
>  		key_put(ns->persistent_keyring_register);
>  #endif
> +		audit_log_ns_del(AUDIT_NS_DEL_USER, ns->serial_num);
>  		proc_free_inum(ns->proc_inum);
>  		kmem_cache_free(user_ns_cachep, ns);
>  		ns = parent;
> @@ -918,3 +922,10 @@ static __init int user_namespaces_init(void)
>  	return 0;
>  }
>  subsys_initcall(user_namespaces_init);
> +
> +static __init int user_namespaces_late_init(void)
> +{
> +	return audit_log_ns_init(AUDIT_NS_INIT_USER, 0,
> +				 init_user_ns.serial_num);
> +}
> +late_initcall(user_namespaces_late_init);
> diff --git a/kernel/utsname.c b/kernel/utsname.c
> index ffeac1b..05ecc2d 100644
> --- a/kernel/utsname.c
> +++ b/kernel/utsname.c
> @@ -16,6 +16,7 @@
>  #include <linux/slab.h>
>  #include <linux/user_namespace.h>
>  #include <linux/proc_ns.h>
> +#include <linux/audit.h>
>  
>  static struct uts_namespace *create_uts_ns(void)
>  {
> @@ -49,6 +50,7 @@ static struct uts_namespace *clone_uts_ns(struct user_namespace *user_ns,
>  	}
>  
>  	ns->serial_num = ns_serial();
> +	audit_log_ns_init(AUDIT_NS_INIT_UTS, old_ns->serial_num, ns->serial_num);
>  
>  	down_read(&uts_sem);
>  	memcpy(&ns->name, &old_ns->name, sizeof(ns->name));
> @@ -86,6 +88,7 @@ void free_uts_ns(struct kref *kref)
>  
>  	ns = container_of(kref, struct uts_namespace, kref);
>  	put_user_ns(ns->user_ns);
> +	audit_log_ns_del(AUDIT_NS_DEL_UTS, ns->serial_num);
>  	proc_free_inum(ns->proc_inum);
>  	kfree(ns);
>  }
> @@ -148,3 +151,11 @@ const struct proc_ns_operations utsns_operations = {
>  	.inum		= utsns_inum,
>  	.snum		= utsns_snum,
>  };
> +
> +static int __init uts_namespaces_init(void)
> +{
> +	return audit_log_ns_init(AUDIT_NS_INIT_UTS, 0,
> +				 init_uts_ns.serial_num);
> +}
> +
> +late_initcall(uts_namespaces_init);
> diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
> index c402eea..295ecc3 100644
> --- a/net/core/net_namespace.c
> +++ b/net/core/net_namespace.c
> @@ -17,6 +17,7 @@
>  #include <linux/user_namespace.h>
>  #include <net/net_namespace.h>
>  #include <net/netns/generic.h>
> +#include <linux/audit.h>
>  
>  /*
>   *	Our network namespace constructor/destructor lists
> @@ -253,6 +254,8 @@ struct net *copy_net_ns(unsigned long flags,
>  	mutex_lock(&net_mutex);
>  	rv = setup_net(net, user_ns);
>  	if (rv == 0) {
> +		audit_log_ns_init(AUDIT_NS_INIT_NET, old_net->serial_num,
> +				  net->serial_num);
>  		rtnl_lock();
>  		list_add_tail_rcu(&net->list, &net_namespace_list);
>  		rtnl_unlock();
> @@ -395,6 +398,7 @@ static __net_init int net_ns_net_init(struct net *net)
>  
>  static __net_exit void net_ns_net_exit(struct net *net)
>  {
> +	audit_log_ns_del(AUDIT_NS_DEL_NET, net->serial_num);
>  	proc_free_inum(net->proc_inum);
>  }
>  
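Review bot: audit_log_common_recv_msg fills pid/uid/auid/ses/subj from current, and net_ns_net_exit runs from cleanup_net on a workqueue, so the AUDIT_NS_DEL_NET record attributes the deletion to a kworker rather than to the task whose final put_net triggered the teardown; the other free paths have the same property wherever they are reached via deferred work or RCU. Worth stating in the commit message so consumers do not attribute deletions to the subject fields of the DEL record.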
> @@ -441,6 +445,14 @@ static int __init net_ns_init(void)
>  
>  pure_initcall(net_ns_init);
>  
> +/* log the serial number of init_net namespace after audit service starts */
> +static int __init net_ns_init_log(void)
> +{
> +	audit_log_ns_init(AUDIT_NS_INIT_NET, 0, init_net.serial_num);
> +	return 0;
> +}
> +late_initcall(net_ns_init_log);
> +
>  #ifdef CONFIG_NET_NS
>  static int __register_pernet_operations(struct list_head *list,
>  					struct pernet_operations *ops)
> -- 
> 1.7.1
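A defender-side reading of the record format described in the commit message, as an added example (not code from the patch or the kernel tree): it parses the AUDIT_NS_INIT_*/AUDIT_NS_DEL_* lines, follows the old_<ns>ns links to find what each instance was cloned from, and lists the instances not yet deleted. The sample records are constructed from the commit message's examples; the field names are taken from the patch.

```python
"""Rebuild namespace lineage from AUDIT_NS_INIT_* / AUDIT_NS_DEL_* records.

Added example, not code from the patch or the kernel tree. It consumes the
record shape shown in the commit message (old_<ns>ns=<parent> <ns>ns=<new>)
and answers the questions an analyst asks of it: which instance a namespace
was cloned from, which pid created it, and which instances are still live.
"""
import re

# Constructed sample input, shaped like the examples in the commit message.
# The doubled "type=type=" prefix from those examples is kept on purpose so
# the parser is shown tolerating it.
SAMPLE_RECORDS = """\
type=AUDIT_NS_INIT_UTS msg=audit(1408577534.868:5): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel old_utsns=0 utsns=2 res=1
type=AUDIT_NS_INIT_MNT msg=audit(1408577534.868:8): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel old_mntns=0 mntns=5 res=1
type=AUDIT_NS_INIT_NET msg=audit(1408577533.500:10): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel old_netns=0 netns=7 res=1
type=type=AUDIT_NS_INIT_NET msg=audit(1408577535.306:81): pid=481 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 old_netns=7 netns=8 res=1
type=type=AUDIT_NS_INIT_MNT msg=audit(1408577535.307:83): pid=481 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 old_mntns=5 mntns=9 res=1
type=type=AUDIT_NS_DEL_MNT msg=audit(1408577552.221:85): pid=481 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 mntns=9 res=1
"""

# Same order as the AUDIT_NS_INIT_MNT..AUDIT_NS_INIT_NET defines in the patch.
NS_TYPES = ("mnt", "uts", "ipc", "user", "pid", "net")

# "(?:type=)+" absorbs the doubled "type=type=" seen in the commit message.
RECORD_RE = re.compile(
    r"^(?:type=)+AUDIT_NS_(?P<op>INIT|DEL)_(?P<ns>[A-Z]+)\s+"
    r"msg=audit\((?P<ts>[0-9.]+):(?P<event>\d+)\):\s*(?P<body>.*)$"
)
FIELD_RE = re.compile(r"(\S+?)=(\S*)")


def parse_record(line):
    """Return a dict for one AUDIT_NS_* record, or None for any other line."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    ns = m.group("ns").lower()
    if ns not in NS_TYPES:
        return None
    fields = dict(FIELD_RE.findall(m.group("body")))
    # Serial numbers are kept as opaque strings: the patch formats them with
    # %llx, so converting to int would require knowing the base.
    rec = {"op": m.group("op"), "ns": ns, "event": int(m.group("event")),
           "pid": int(fields.get("pid", "-1")), "subj": fields.get("subj", "")}
    if rec["op"] == "INIT":
        rec["snum"] = fields.get(f"{ns}ns")
        rec["old_snum"] = fields.get(f"old_{ns}ns", "0")
    else:
        # The commit message shows "mntns=9" on deletion, but the kernel/audit.c
        # hunk formats that field as "%ssn=", i.e. "mntsn=9": accept both.
        rec["snum"] = fields.get(f"{ns}ns") or fields.get(f"{ns}sn")
    return rec if rec["snum"] else None


def build_lineage(lines):
    """Fold records into per-type tables: parent links, creator pid, deletions."""
    lineage = {ns: {"parent": {}, "creator": {}, "deleted": set()} for ns in NS_TYPES}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        table = lineage[rec["ns"]]
        if rec["op"] == "INIT":
            table["parent"][rec["snum"]] = rec["old_snum"]
            table["creator"][rec["snum"]] = rec["pid"]
        else:
            table["deleted"].add(rec["snum"])
    return lineage


def ancestry(lineage, ns, snum):
    """Follow old_<ns>ns links from snum back to the initial namespace (old_snum 0)."""
    chain, seen = [], set()
    while snum and snum != "0" and snum not in seen:
        seen.add(snum)  # guards against a malformed log that forms a cycle
        chain.append(snum)
        snum = lineage[ns]["parent"].get(snum)
    return chain


def live_instances(lineage, ns):
    """Serial numbers created in the log and not yet reported deleted."""
    table = lineage[ns]
    return set(table["parent"]) - table["deleted"]


if __name__ == "__main__":
    lin = build_lineage(SAMPLE_RECORDS.splitlines())
    for ns in ("net", "mnt"):
        for snum in sorted(lin[ns]["parent"]):
            print(f"{ns}ns={snum} cloned-from chain {ancestry(lin, ns, snum)} "
                  f"created by pid {lin[ns]['creator'][snum]}")
        print(f"{ns}: live instances {sorted(live_instances(lin, ns))}")
```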

WARNING: multiple messages have this Message-ID (diff)
From: "Serge E. Hallyn" <serge@hallyn.com>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: linux-audit@redhat.com, linux-kernel@vger.kernel.org,
	containers@lists.linux-foundation.org, eparis@redhat.com,
	sgrubb@redhat.com, aviro@redhat.com, pmoore@redhat.com,
	arozansk@redhat.com, ebiederm@xmission.com, serge@hallyn.com
Subject: Re: [PATCH V5 06/13] audit: log creation and deletion of namespace instances
Date: Mon, 13 Oct 2014 14:26:06 +0200	[thread overview]
Message-ID: <20141013122606.GD24703@mail.hallyn.com> (raw)
In-Reply-To: <55b0228c68d0e74480ce73f88e05d16455c4c843.1412543112.git.rgb@redhat.com>

Quoting Richard Guy Briggs (rgb@redhat.com):
> Log the creation and deletion of namespace instances in all 6 types of
> namespaces.
> 
> Twelve new audit message types have been introduced:
> AUDIT_NS_INIT_MNT       1330    /* Record mount namespace instance creation */
> AUDIT_NS_INIT_UTS       1331    /* Record UTS namespace instance creation */
> AUDIT_NS_INIT_IPC       1332    /* Record IPC namespace instance creation */
> AUDIT_NS_INIT_USER      1333    /* Record USER namespace instance creation */
> AUDIT_NS_INIT_PID       1334    /* Record PID namespace instance creation */
> AUDIT_NS_INIT_NET       1335    /* Record NET namespace instance creation */
> AUDIT_NS_DEL_MNT        1336    /* Record mount namespace instance deletion */
> AUDIT_NS_DEL_UTS        1337    /* Record UTS namespace instance deletion */
> AUDIT_NS_DEL_IPC        1338    /* Record IPC namespace instance deletion */
> AUDIT_NS_DEL_USER       1339    /* Record USER namespace instance deletion */
> AUDIT_NS_DEL_PID        1340    /* Record PID namespace instance deletion */
> AUDIT_NS_DEL_NET        1341    /* Record NET namespace instance deletion */
> 
> As suggested by Eric Paris, there are 12 message types, one for each of
> creation and deletion, one for each type of namespace so that text searches are
> easier in conjunction with the AUDIT_NS_INFO message type, being able to search
> for all records such as "netns=7 " and to avoid fields disappearing per message
> type to make ausearch more efficient.
> 
> A typical startup would look roughly like:
> 
> 	type=AUDIT_NS_INIT_UTS msg=audit(1408577534.868:5): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel old_utsns=0 utsns=2 res=1
> 	type=AUDIT_NS_INIT_USER msg=audit(1408577534.868:6): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel old_userns=0 userns=3 res=1
> 	type=AUDIT_NS_INIT_PID msg=audit(1408577534.868:7): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel old_pidns=0 pidns=4 res=1
> 	type=AUDIT_NS_INIT_MNT msg=audit(1408577534.868:8): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel old_mntns=0 mntns=5 res=1
> 	type=AUDIT_NS_INIT_IPC msg=audit(1408577534.868:9): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel old_ipcns=0 ipcns=1 res=1
> 	type=AUDIT_NS_INIT_NET msg=audit(1408577533.500:10): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel old_netns=0 netns=7 res=1
> 
> And a CLONE action would result in:
> 	type=type=AUDIT_NS_INIT_NET msg=audit(1408577535.306:81): pid=481 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 old_netns=7 netns=8 res=1
> 	type=type=AUDIT_NS_INIT_MNT msg=audit(1408577535.307:83): pid=481 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 old_mntns=5 mntns=9 res=1
> 
> While deleting a namespace would result in:
> 	type=type=AUDIT_NS_DEL_MNT msg=audit(1408577552.221:85): pid=481 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 mntns=9 res=1
> 
> If non-zero, old_snum lists the namespace from which it was cloned.
> 
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>

Acked-by: Serge Hallyn <serge.hallyn@canonical.com>

Two suggestions below though

> ---
>  fs/namespace.c             |   12 ++++++++++
>  include/linux/audit.h      |    8 +++++++
>  include/uapi/linux/audit.h |   12 ++++++++++
>  ipc/namespace.c            |   10 +++++++++
>  kernel/audit.c             |   49 ++++++++++++++++++++++++++++++++++++++++++++
>  kernel/pid_namespace.c     |   10 +++++++++
>  kernel/user_namespace.c    |   11 +++++++++
>  kernel/utsname.c           |   11 +++++++++
>  net/core/net_namespace.c   |   12 ++++++++++
>  9 files changed, 135 insertions(+), 0 deletions(-)
> 
> diff --git a/fs/namespace.c b/fs/namespace.c
> index f433f21..cb05b3d 100644
> --- a/fs/namespace.c
> +++ b/fs/namespace.c
> @@ -24,6 +24,7 @@
>  #include <linux/proc_ns.h>
>  #include <linux/magic.h>
>  #include <linux/bootmem.h>
> +#include <linux/audit.h>
>  #include "pnode.h"
>  #include "internal.h"
>  
> @@ -2459,6 +2460,7 @@ dput_out:
>  
>  static void free_mnt_ns(struct mnt_namespace *ns)
>  {
> +	audit_log_ns_del(AUDIT_NS_DEL_MNT, ns->serial_num);
>  	proc_free_inum(ns->proc_inum);
>  	put_user_ns(ns->user_ns);
>  	kfree(ns);
> @@ -2519,6 +2521,7 @@ struct mnt_namespace *copy_mnt_ns(unsigned long flags, struct mnt_namespace *ns,
>  	new_ns = alloc_mnt_ns(user_ns);
>  	if (IS_ERR(new_ns))
>  		return new_ns;
> +	audit_log_ns_init(AUDIT_NS_INIT_MNT, ns->serial_num, new_ns->serial_num);
>  
>  	namespace_lock();
>  	/* First pass: copy the tree topology */
> @@ -2831,6 +2834,15 @@ static void __init init_mount_tree(void)
>  	set_fs_root(current->fs, &root);
>  }
>  
> +/* log the serial number of init mnt namespace after audit service starts */
> +static int __init mnt_ns_init_log(void)
> +{
> +	struct mnt_namespace *init_mnt_ns = init_task.nsproxy->mnt_ns;
> +	audit_log_ns_init(AUDIT_NS_INIT_MNT, 0, init_mnt_ns->serial_num);
> +	return 0;
> +}
> +late_initcall(mnt_ns_init_log);
> +
>  void __init mnt_init(void)
>  {
>  	unsigned u;
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index 7cdebdc..1474334 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -481,6 +481,9 @@ extern void		    audit_log_ns_info(struct task_struct *tsk);
>  static inline void	    audit_log_ns_info(struct task_struct *tsk)
>  { }
>  #endif
> +extern int		    audit_log_ns_init(int type, long long old_snum,
> +					      long long snum);
> +extern int		    audit_log_ns_del(int type, long long snum);
>  
>  extern int		    audit_update_lsm_rules(void);
>  
> @@ -539,6 +542,11 @@ static inline void audit_log_task_info(struct audit_buffer *ab,
>  { }
>  static inline void audit_log_ns_info(struct task_struct *tsk)
>  { }
> +static inline int audit_log_ns_init(int type, long long old_snum,
> +				    long long snum)
> +{ }
> +static inline int audit_log_ns_del(int type, long long snum)
> +{ }
>  #define audit_enabled 0
>  #endif /* CONFIG_AUDIT */
>  static inline void audit_log_string(struct audit_buffer *ab, const char *buf)
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 760357e..1acfea7 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -111,6 +111,18 @@
>  #define AUDIT_PROCTITLE		1327	/* Proctitle emit event */
>  #define AUDIT_FEATURE_CHANGE	1328	/* audit log listing feature changes */
>  #define AUDIT_NS_INFO		1329	/* Record process namespace IDs */
> +#define AUDIT_NS_INIT_MNT	1330	/* Record mount namespace instance creation */
> +#define AUDIT_NS_INIT_UTS	1331	/* Record UTS namespace instance creation */
> +#define AUDIT_NS_INIT_IPC	1332	/* Record IPC namespace instance creation */
> +#define AUDIT_NS_INIT_USER	1333	/* Record USER namespace instance creation */
> +#define AUDIT_NS_INIT_PID	1334	/* Record PID namespace instance creation */
> +#define AUDIT_NS_INIT_NET	1335	/* Record NET namespace instance creation */
> +#define AUDIT_NS_DEL_MNT	1336	/* Record mount namespace instance deletion */
> +#define AUDIT_NS_DEL_UTS	1337	/* Record UTS namespace instance deletion */
> +#define AUDIT_NS_DEL_IPC	1338	/* Record IPC namespace instance deletion */
> +#define AUDIT_NS_DEL_USER	1339	/* Record USER namespace instance deletion */
> +#define AUDIT_NS_DEL_PID	1340	/* Record PID namespace instance deletion */
> +#define AUDIT_NS_DEL_NET	1341	/* Record NET namespace instance deletion */
>  
>  #define AUDIT_AVC		1400	/* SE Linux avc denial or grant */
>  #define AUDIT_SELINUX_ERR	1401	/* Internal SE Linux Errors */
> diff --git a/ipc/namespace.c b/ipc/namespace.c
> index 36ce7ff..538c4b9 100644
> --- a/ipc/namespace.c
> +++ b/ipc/namespace.c
> @@ -13,6 +13,7 @@
>  #include <linux/mount.h>
>  #include <linux/user_namespace.h>
>  #include <linux/proc_ns.h>
> +#include <linux/audit.h>
>  
>  #include "util.h"
>  
> @@ -42,6 +43,7 @@ static struct ipc_namespace *create_ipc_ns(struct user_namespace *user_ns,
>  	atomic_inc(&nr_ipc_ns);
>  
>  	ns->serial_num = ns_serial();
> +	audit_log_ns_init(AUDIT_NS_INIT_IPC, old_ns->serial_num, ns->serial_num);
>  
>  	sem_init_ns(ns);
>  	msg_init_ns(ns);
> @@ -121,6 +123,7 @@ static void free_ipc_ns(struct ipc_namespace *ns)
>  	 */
>  	ipcns_notify(IPCNS_REMOVED);
>  	put_user_ns(ns->user_ns);
> +	audit_log_ns_del(AUDIT_NS_DEL_IPC, ns->serial_num);
>  	proc_free_inum(ns->proc_inum);
>  	kfree(ns);
>  }
> @@ -207,3 +210,10 @@ const struct proc_ns_operations ipcns_operations = {
>  	.inum		= ipcns_inum,
>  	.snum		= ipcns_snum,
>  };
> +
> +static int __init ipc_namespaces_init(void)
> +{
> +	return audit_log_ns_init(AUDIT_NS_INIT_IPC, 0, init_ipc_ns.serial_num);
> +}
> +
> +late_initcall(ipc_namespaces_init);
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 8ff7f28..a17a09f 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1960,6 +1960,55 @@ out:
>  	kfree(name);
>  }
>  
> +#ifdef CONFIG_NAMESPACES
> +static char* ns_name[] = {
> +	"mnt",
> +	"uts",
> +	"ipc",
> +	"user",
> +	"pid",
> +	"net",

Comment here that the order corresponds to the AUDIT_NS_INIT_MNT..
#defines order, and maybe even move this next to those.

> +};
> +
> +/**
> + * audit_log_ns_init - report a namespace instance creation
> + * @type: type of audit namespace instance created message
> + * @old_snum: the serial number of the cloned namespace instance
> + * @snum: the serial number of the new namespace instance
> + */
> +int audit_log_ns_init(int type, long long old_snum, long long snum)
> +{
> +	struct audit_buffer *ab;
> +	char* audit_ns_name = ns_name[type - AUDIT_NS_INIT_MNT];
> +
> +	if (type < AUDIT_NS_INIT_MNT || type > AUDIT_NS_INIT_NET)

probably worth defining an AUDIT_NS_INIT_FIRST and AUDIT_NS_INIT_LAST
in audit.h which can be updated at the source defines.

> +		return 0;
> +	audit_log_common_recv_msg(&ab, type);
> +	audit_log_format(ab, " old_%sns=%llx %sns=%llx res=1",
> +			 audit_ns_name, old_snum, audit_ns_name, snum);
> +	audit_log_end(ab);
> +	return 0;
> +}
> +
> +/**
> + * audit_log_ns_del - report a namespace instance deleted
> + * @type: type of audit namespace instance deleted message
> + * @snum: the serial number of the namespace instance
> + */
> +int audit_log_ns_del(int type, long long snum)
> +{
> +	struct audit_buffer *ab;
> +	char* audit_ns_name = ns_name[type - AUDIT_NS_DEL_MNT];
> +
> +	if (type < AUDIT_NS_DEL_MNT || type > AUDIT_NS_DEL_NET)
> +		return 0;
> +	audit_log_common_recv_msg(&ab, type);
> +	audit_log_format(ab, " %ssn=%llx res=1", audit_ns_name, snum);
> +	audit_log_end(ab);
> +	return 0;
> +}
> +#endif /* CONFIG_NAMESPACES */
> +
>  /**
>   * audit_log_end - end one audit record
>   * @ab: the audit_buffer
> diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c
> index 059b330..7da351a 100644
> --- a/kernel/pid_namespace.c
> +++ b/kernel/pid_namespace.c
> @@ -18,6 +18,7 @@
>  #include <linux/proc_ns.h>
>  #include <linux/reboot.h>
>  #include <linux/export.h>
> +#include <linux/audit.h>
>  
>  struct pid_cache {
>  	int nr_ids;
> @@ -110,6 +111,8 @@ static struct pid_namespace *create_pid_namespace(struct user_namespace *user_ns
>  		goto out_free_map;
>  
>  	ns->serial_num = ns_serial();
> +	audit_log_ns_init(AUDIT_NS_INIT_PID, parent_pid_ns->serial_num,
> +			  ns->serial_num);
>  
>  	kref_init(&ns->kref);
>  	ns->level = level;
> @@ -144,6 +147,7 @@ static void destroy_pid_namespace(struct pid_namespace *ns)
>  {
>  	int i;
>  
> +	audit_log_ns_del(AUDIT_NS_DEL_PID, ns->serial_num);
>  	proc_free_inum(ns->proc_inum);
>  	for (i = 0; i < PIDMAP_ENTRIES; i++)
>  		kfree(ns->pidmap[i].page);
> @@ -397,3 +401,9 @@ static __init int pid_namespaces_init(void)
>  }
>  
>  __initcall(pid_namespaces_init);
> +
> +static __init int pid_namespaces_late_init(void)
> +{
> +	return audit_log_ns_init(AUDIT_NS_INIT_PID, 0, init_pid_ns.serial_num);
> +}
> +late_initcall(pid_namespaces_late_init);
> diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
> index 3f04df5..24497a0 100644
> --- a/kernel/user_namespace.c
> +++ b/kernel/user_namespace.c
> @@ -22,6 +22,7 @@
>  #include <linux/ctype.h>
>  #include <linux/projid.h>
>  #include <linux/fs_struct.h>
> +#include <linux/audit.h>
>  
>  static struct kmem_cache *user_ns_cachep __read_mostly;
>  
> @@ -93,6 +94,8 @@ int create_user_ns(struct cred *new)
>  	}
>  
>  	ns->serial_num = ns_serial();
> +	audit_log_ns_init(AUDIT_NS_INIT_USER, parent_ns->serial_num,
> +			  ns->serial_num);
>  
>  	atomic_set(&ns->count, 1);
>  	/* Leave the new->user_ns reference with the new user namespace. */
> @@ -138,6 +141,7 @@ void free_user_ns(struct user_namespace *ns)
>  #ifdef CONFIG_PERSISTENT_KEYRINGS
>  		key_put(ns->persistent_keyring_register);
>  #endif
> +		audit_log_ns_del(AUDIT_NS_DEL_USER, ns->serial_num);
>  		proc_free_inum(ns->proc_inum);
>  		kmem_cache_free(user_ns_cachep, ns);
>  		ns = parent;
> @@ -918,3 +922,10 @@ static __init int user_namespaces_init(void)
>  	return 0;
>  }
>  subsys_initcall(user_namespaces_init);
> +
> +static __init int user_namespaces_late_init(void)
> +{
> +	return audit_log_ns_init(AUDIT_NS_INIT_USER, 0,
> +				 init_user_ns.serial_num);
> +}
> +late_initcall(user_namespaces_late_init);
> diff --git a/kernel/utsname.c b/kernel/utsname.c
> index ffeac1b..05ecc2d 100644
> --- a/kernel/utsname.c
> +++ b/kernel/utsname.c
> @@ -16,6 +16,7 @@
>  #include <linux/slab.h>
>  #include <linux/user_namespace.h>
>  #include <linux/proc_ns.h>
> +#include <linux/audit.h>
>  
>  static struct uts_namespace *create_uts_ns(void)
>  {
> @@ -49,6 +50,7 @@ static struct uts_namespace *clone_uts_ns(struct user_namespace *user_ns,
>  	}
>  
>  	ns->serial_num = ns_serial();
> +	audit_log_ns_init(AUDIT_NS_INIT_UTS, old_ns->serial_num, ns->serial_num);
>  
>  	down_read(&uts_sem);
>  	memcpy(&ns->name, &old_ns->name, sizeof(ns->name));
> @@ -86,6 +88,7 @@ void free_uts_ns(struct kref *kref)
>  
>  	ns = container_of(kref, struct uts_namespace, kref);
>  	put_user_ns(ns->user_ns);
> +	audit_log_ns_del(AUDIT_NS_DEL_UTS, ns->serial_num);
>  	proc_free_inum(ns->proc_inum);
>  	kfree(ns);
>  }
> @@ -148,3 +151,11 @@ const struct proc_ns_operations utsns_operations = {
>  	.inum		= utsns_inum,
>  	.snum		= utsns_snum,
>  };
> +
> +static int __init uts_namespaces_init(void)
> +{
> +	return audit_log_ns_init(AUDIT_NS_INIT_UTS, 0,
> +				 init_uts_ns.serial_num);
> +}
> +
> +late_initcall(uts_namespaces_init);
> diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
> index c402eea..295ecc3 100644
> --- a/net/core/net_namespace.c
> +++ b/net/core/net_namespace.c
> @@ -17,6 +17,7 @@
>  #include <linux/user_namespace.h>
>  #include <net/net_namespace.h>
>  #include <net/netns/generic.h>
> +#include <linux/audit.h>
>  
>  /*
>   *	Our network namespace constructor/destructor lists
> @@ -253,6 +254,8 @@ struct net *copy_net_ns(unsigned long flags,
>  	mutex_lock(&net_mutex);
>  	rv = setup_net(net, user_ns);
>  	if (rv == 0) {
> +		audit_log_ns_init(AUDIT_NS_INIT_NET, old_net->serial_num,
> +				  net->serial_num);
>  		rtnl_lock();
>  		list_add_tail_rcu(&net->list, &net_namespace_list);
>  		rtnl_unlock();
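Review bot: audit_log_ns_init() is called with net_mutex held (the mutex_lock(&net_mutex) is two lines above the new call). audit_log_start() can sleep waiting for backlog room when the audit backlog limit is reached, so a stalled or slow auditd would hold up every other network namespace creation and teardown queued on this mutex. Both serial numbers are already assigned at this point, so the record can be emitted once rv has been checked and the mutex released.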
> @@ -395,6 +398,7 @@ static __net_init int net_ns_net_init(struct net *net)
>  
>  static __net_exit void net_ns_net_exit(struct net *net)
>  {
> +	audit_log_ns_del(AUDIT_NS_DEL_NET, net->serial_num);
>  	proc_free_inum(net->proc_inum);
>  }
>  
> @@ -441,6 +445,14 @@ static int __init net_ns_init(void)
>  
>  pure_initcall(net_ns_init);
>  
> +/* log the serial number of init_net namespace after audit service starts */
> +static int __init net_ns_init_log(void)
> +{
> +	audit_log_ns_init(AUDIT_NS_INIT_NET, 0, init_net.serial_num);
> +	return 0;
> +}
> +late_initcall(net_ns_init_log);
> +
>  #ifdef CONFIG_NET_NS
>  static int __register_pernet_operations(struct list_head *list,
>  					struct pernet_operations *ops)
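Review bot: net_ns_init_log() discards the return value of audit_log_ns_init() while the user and uts late initcalls return it; whichever is chosen, all three should agree. The comment would also be clearer if it said why a late_initcall is needed: audit is initialised at subsys_initcall time (patch 05/13 in this series), so net_ns_init(), which runs as a pure_initcall, cannot log init_net itself.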
> -- 
> 1.7.1
