linux-api.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Paul Moore <pmoore@redhat.com>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: Steve Grubb <sgrubb@redhat.com>,
	containers@lists.linux-foundation.org,
	linux-kernel@vger.kernel.org, linux-audit@redhat.com,
	eparis@parisplace.org, arozansk@redhat.com,
	ebiederm@xmission.com, serge@hallyn.com,
	zohar@linux.vnet.ibm.com, viro@zeniv.linux.org.uk,
	linux-fsdevel@vger.kernel.org, linux-api@vger.kernel.org,
	netdev@vger.kernel.org
Subject: Re: [PATCH V6 05/10] audit: log creation and deletion of namespace instances
Date: Fri, 15 May 2015 16:26:41 -0400	[thread overview]
Message-ID: <2152640.VCSTRrx26A@sifl> (raw)
In-Reply-To: <20150515004855.GB10526@madcap2.tricolour.ca>

On Thursday, May 14, 2015 08:48:55 PM Richard Guy Briggs wrote:
> On 15/05/14, Steve Grubb wrote:
> > What they would want to know is what resources were assigned; if two
> > containers shared a resource, what resource and container was it shared
> > with; if two containers can communicate, we need to see or control
> > information flow when necessary; and we need to see termination and
> > release of resources.
>
> So, namespaces are a big part of this.  I understand how they are
> spawned and potentially shared.  I have a more vague idea about how
> cgroups contribute to this concept of a container.  So far, I have very
> little idea how seccomp contributes, but I assume that it will also need
> to be part of this tracking.

It doesn't, really.  We shouldn't worry about seccomp from a 
namespace/container auditing perspective.  The normal seccomp auditing should 
be sufficient for namespaces/containers.

-- 
paul moore
security @ redhat

  parent reply	other threads:[~2015-05-15 20:26 UTC|newest]

Thread overview: 42+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <cover.1429252659.git.rgb@redhat.com>
     [not found] ` <cover.1429252659.git.rgb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-04-17  7:35   ` [PATCH V6 03/10] audit: log namespace ID numbers Richard Guy Briggs
2015-04-17  7:35   ` [PATCH V6 05/10] audit: log creation and deletion of namespace instances Richard Guy Briggs
     [not found]     ` <11270b0b1afd0a25b108915673e1e1b38dfeeafa.1429252659.git.rgb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-05-05 14:22       ` Steve Grubb
2015-05-05 14:31         ` Aristeu Rozanski
     [not found]           ` <20150505143119.GA4350-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-05-05 14:46             ` Steve Grubb
2015-05-05 14:56         ` Eric W. Biederman
     [not found]           ` <87pp6fhy4c.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2015-05-05 15:16             ` Steve Grubb
2015-05-12 19:57         ` Richard Guy Briggs
     [not found]           ` <20150512195759.GA9832-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2015-05-14 14:57             ` Steve Grubb
2015-05-14 15:42               ` Eric W. Biederman
     [not found]                 ` <87iobvnp1t.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2015-05-14 16:21                   ` Steve Grubb
2015-05-15  2:03                   ` Richard Guy Briggs
2015-05-14 19:19               ` Paul Moore
2015-05-15  1:31                 ` Eric W. Biederman
2015-05-15  2:25                   ` Richard Guy Briggs
     [not found]                   ` <87bnhmbp8e.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2015-05-15 13:17                     ` Steve Grubb
2015-05-15 14:51                       ` Eric W. Biederman
2015-05-15 21:01                   ` Paul Moore
2015-05-15  2:32                 ` Richard Guy Briggs
     [not found]                   ` <20150515023221.GC965-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2015-05-15  6:23                     ` Andy Lutomirski
     [not found]                       ` <CALCETrWzM4+Vs8OVJWBcWJfbR_DRSb+e7SmUyy6CS4sHQaTkRw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-05-15 12:38                         ` Steve Grubb
2015-05-15 13:17                           ` Andy Lutomirski
2015-05-15 21:05                         ` Paul Moore
2015-05-16  9:46                           ` Daniel J Walsh
2015-05-16 12:16                             ` Paul Moore
     [not found]                               ` <CAHC9VhRKSK9=9qPF3dgALS=x1g3LinNeQvuhNV5TvQ=D7Szuag-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-05-16 14:46                                 ` Eric W. Biederman
     [not found]                                   ` <87r3qgpol6.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2015-05-16 22:49                                     ` Paul Moore
2015-05-19 13:09                                       ` Richard Guy Briggs
2015-05-19 14:27                                         ` Paul Moore
2015-05-15  0:48               ` Richard Guy Briggs
     [not found]                 ` <20150515004855.GB10526-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2015-05-15  1:10                   ` Oren Laadan
     [not found]                     ` <CAA4jN2bgynVTwF+owtXgq06JMLQJpy_qokpD0mAguNYeDxmh1A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-05-15  2:11                       ` Richard Guy Briggs
     [not found]                         ` <20150515021126.GA965-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2015-05-15 13:19                           ` Daniel J Walsh
2015-05-15 20:42                       ` Paul Moore
2015-05-15 20:26                 ` Paul Moore [this message]
2015-04-17  7:35   ` [PATCH V6 07/10] sched: add a macro to ref all CLONE_NEW* flags Richard Guy Briggs
     [not found]     ` <cf1ed24f71743ea7f85682f26f3185202a1f8a32.1429252659.git.rgb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-04-17  8:18       ` Peter Zijlstra
2015-04-17 15:42         ` Richard Guy Briggs
     [not found]           ` <20150417154250.GA26233-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2015-04-17 17:41             ` Peter Zijlstra
     [not found]               ` <20150417174131.GL23123-ndre7Fmf5hadTX5a5knrm8zTDFooKrT+cvkQGrU6aU0@public.gmane.org>
2015-04-17 22:00                 ` Richard Guy Briggs
2015-04-17  7:35   ` [PATCH V6 09/10] audit: log on switching namespace (setns) Richard Guy Briggs
2015-04-17  7:35   ` [PATCH V6 10/10] audit: emit AUDIT_NS_INFO record with AUDIT_VIRT_CONTROL record Richard Guy Briggs

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2152640.VCSTRrx26A@sifl \
    --to=pmoore@redhat.com \
    --cc=arozansk@redhat.com \
    --cc=containers@lists.linux-foundation.org \
    --cc=ebiederm@xmission.com \
    --cc=eparis@parisplace.org \
    --cc=linux-api@vger.kernel.org \
    --cc=linux-audit@redhat.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=rgb@redhat.com \
    --cc=serge@hallyn.com \
    --cc=sgrubb@redhat.com \
    --cc=viro@zeniv.linux.org.uk \
    --cc=zohar@linux.vnet.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).