From mboxrd@z Thu Jan 1 00:00:00 1970
From: Andy Lutomirski
Subject: Re: [PATCH V6 05/10] audit: log creation and deletion of namespace instances
Date: Thu, 14 May 2015 23:23:09 -0700
Message-ID:
References: <20150512195759.GA9832@madcap2.tricolour.ca> <2918460.dpKocsKt4o@x2> <12675437.ssZNCck7zG@sifl> <20150515023221.GC965@madcap2.tricolour.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Return-path:
In-Reply-To: <20150515023221.GC965-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
Sender: linux-api-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
To: Richard Guy Briggs
Cc: Paul Moore, Steve Grubb, "Eric W. Biederman", Linux Containers, "linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org", linux-audit-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org, Eric Paris, arozansk-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org, "Serge E. Hallyn", Mimi Zohar, Al Viro, Linux FS Devel, Linux API, Network Development
List-Id: linux-api@vger.kernel.org

On Thu, May 14, 2015 at 7:32 PM, Richard Guy Briggs wrote:
> On 15/05/14, Paul Moore wrote:
>> * Look at our existing audit records to determine which records should have
>> namespace and container ID tokens added. We may only want to add the
>> additional fields in the case where the namespace/container ID tokens are not
>> the init namespace.
>
> If we have a record that ties a set of namespace IDs with a container
> ID, then I expect we only need to list the containerID along with auid
> and sessionID.

The problem here is that the kernel has no concept of a "container", and
I don't think it makes any sense to add one just for audit. "Container"
is a marketing term used by some userspace tools.

I can imagine that audit could benefit from a concept of a namespace
*path* that understands nesting (e.g. root/2/5/1 or something along
those lines). Mapping these to "containers" belongs in userspace, I
think.

--Andy