From: Aristeu Rozanski
Subject: Re: [PATCH RFC 7/8] audit: report namespace information along with USER events
Date: Tue, 19 Mar 2013 08:08:05 -0400
Message-ID: <20130319120805.GB20187@redhat.com>
References: <1363619405-6419-1-git-send-email-arozansk@redhat.com> <1363619405-6419-8-git-send-email-arozansk@redhat.com> <871ubc9yda.fsf@xmission.com>
In-Reply-To: <871ubc9yda.fsf@xmission.com>
To: "Eric W. Biederman"
Cc: linux-audit@redhat.com

On Mon, Mar 18, 2013 at 02:44:33PM -0700, Eric W. Biederman wrote:
> Aristeu Rozanski writes:
>
> > For userspace generated events, include a record with the namespace
> > procfs inode numbers the process belongs to. This allows to track down
> > and filter audit messages by userspace.
>
> I am not comfortable with using the inode numbers this way. It does not
> pass the test of can I migrate a container and still have this work
> test. Any kind of kernel assigned name for namespaces fails that test.
>
> I also don't like that you don't include the procfs device number. An
> inode number means nothing without knowing which filesystem you are
> referring to.
>
> It may never happen but I reserve the right to have the inode numbers
> for namespaces to show up differently in different instances of procfs.

Well, in this case the whole idea is invalid. There's no way to reliably
identify which namespaces a process belongs to for logging purposes.

> Beyond that I think this usage is possibly buggy by using two audit
> records for one event.

This is valid, the records are related and they show up with the same
timestamp.

--
Aristeu
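The correlation Aristeu describes above (the records of one event share the same audit timestamp and serial) as an added Python example that is not part of this thread or of the RFC patch: it groups constructed audit log lines by their `msg=audit(ts:serial)` id and pulls the namespace fields out of the companion record. The `NS_INFO` record type, its `netns`/`mntns`/`pidns` field names and the inode values are placeholders I made up for the illustration, not taken from the patch.

```python
import re
from collections import OrderedDict

# Standard audit record prefix: type=<TYPE> msg=audit(<secs>.<ms>:<serial>): <body>
AUDIT_PREFIX = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value pairs; values may be double-quoted, single-quoted or bare
FIELD = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")

# Constructed sample log. Records 1 and 2 belong to one event (same ts:serial);
# "NS_INFO" and its fields are placeholders, not the RFC patch's actual record format.
SAMPLE_LOG = """\
type=USER msg=audit(1363619405.123:456): pid=1234 uid=1000 auid=1000 ses=3 msg='op=example' exe="/usr/bin/example" res=success
type=NS_INFO msg=audit(1363619405.123:456): netns=4026531956 mntns=4026531840 pidns=4026531836
type=USER msg=audit(1363619405.200:457): pid=1235 uid=1000 auid=1000 ses=3 msg='op=another' exe="/usr/bin/example" res=failed
"""


def parse_record(line):
    """Split one audit line into type, timestamp, serial and a field dict; None if malformed."""
    m = AUDIT_PREFIX.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip("\"'") for k, v in FIELD.findall(m.group("body"))}
    return {"type": m.group("type"), "ts": m.group("ts"),
            "serial": int(m.group("serial")), "fields": fields}


def group_events(lines):
    """Group records by (timestamp, serial): all records of one event share that id."""
    events = OrderedDict()
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events.setdefault((rec["ts"], rec["serial"]), []).append(rec)
    return events


def event_namespaces(records):
    """Return the namespace fields carried by the placeholder NS_INFO record, if any."""
    return {k: v for r in records if r["type"] == "NS_INFO" for k, v in r["fields"].items()}


if __name__ == "__main__":
    for key, recs in group_events(SAMPLE_LOG.splitlines()).items():
        print(key, [r["type"] for r in recs], event_namespaces(recs))
```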