From mboxrd@z Thu Jan 1 00:00:00 1970 From: Eric Paris Subject: Re: [PATCH] audit: don't attempt to lookup PIDs when changing PID filtering audit rules Date: Mon, 15 Dec 2014 16:24:48 -0500 Message-ID: <1418678688.3145.18.camel@redhat.com> References: <20141215171414.30169.46068.stgit@localhost> <1418664592.3145.3.camel@redhat.com> <2316741.ge35UybDDq@sifl> <3169105.kXYAHVmUfq@x2> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <3169105.kXYAHVmUfq@x2> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Steve Grubb Cc: rgb@redhat.com, linux-audit@redhat.com List-Id: linux-audit@redhat.com On Mon, 2014-12-15 at 16:14 -0500, Steve Grubb wrote: > We don't want any events from within a container unless we also > have an audit name space. Everything inside the container is potentially > operating out side the security policy of the system. I am not arguing with any of the substance/meaning of what you intend in any way. However, every time someone uses the word 'container' they are severely mis-characterizing the problem space. There are no containers. It's even worse to say 'container' than it is to say 'the path.' Containers are a userspace construct made out of numerous disjoint kernel primitives (mainly the numerous namespaces). The kernel does not, can not, and will not every know about a 'container.' This MUST be a key concept when we think about how to make audit work in a world where people want to use kernel namespaces.