From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: rgb@redhat.com
Subject: Re: [PATCH] audit: don't attempt to lookup PIDs when changing PID filtering audit rules
Date: Mon, 15 Dec 2014 16:14:56 -0500
Message-ID: <3169105.kXYAHVmUfq@x2>
In-Reply-To: <2316741.ge35UybDDq@sifl>
On Monday, December 15, 2014 02:03:05 PM Paul Moore wrote:
> > Let's say I am in the non-init pid namespace.
> >
> > I run auditctl -a exit,always -S all -F pid=1
> >
> > Is the audit system going to show records for what I think is pid=1 or
> > what the initial pid namespace thinks is pid=1?
>
> The initial namespace. If we want the executing task's current namespace
> we should probably change audit_filter_user_rules().
>
> > Which is correct? (hint, it's impossible to know pids above my
> > namespace, or even to know what pid the process in question thinks it
> > is, since it could be below my namespace)
>
> Heh. I'm sorry, I tend to laugh when I hear the term "correct" during an
> audit discussion.
>
> Steve, Richard, Eric - what do you guys want: initial or current namespace?
To be clear, this pid namespace is normally used in conjunction with
containers. We don't want any events from within a container unless we also
have an audit namespace. Everything inside the container is potentially
operating outside the security policy of the system.
So, I'd be fine with them being on the init namespace since we have a lot more
work to do for containers. The autrace use case is likely to be the only user
of pid in the audit rules because it's useless for nearly anything else. The
audit by process name feature is what most people will use as soon as it's
upstreamed.
Thanks,
-Steve
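The thread settles on the initial pid namespace as the one `-F pid=` is compared against, so an administrator writing such a rule for a process inside a container needs the host's view of that pid, not the container's. The following helper is an added example (not code from the thread or the audit project) that reads the `NSpid` line of `/proc/<pid>/status` to get both views; it assumes `/proc` is read from the initial pid namespace (so the first `NSpid` entry is the init-namespace pid) and a kernel new enough to expose `NSpid`. The sample status text is constructed.

```python
"""Translate a container-local pid to the pid an audit -F pid= rule matches.

Added example, not from the thread. Assumes /proc is read from the initial
pid namespace, so NSpid lists the init-namespace pid first and the pid the
process sees for itself last.
"""

# Constructed sample of /proc/<pid>/status for a process inside a container
# that believes it is pid 1, as seen from the initial pid namespace.
SAMPLE_CONTAINER_STATUS = """\
Name:\tnginx
State:\tS (sleeping)
Pid:\t4242
PPid:\t4201
NSpid:\t4242\t1
NSpgid:\t4242\t1
"""

# Constructed sample for a process that lives only in the initial namespace.
SAMPLE_HOST_STATUS = "Name:\tsshd\nPid:\t811\nNSpid:\t811\n"


def parse_nspid(status_text):
    """Return the NSpid column as ints, outermost namespace first."""
    for line in status_text.splitlines():
        if line.startswith("NSpid:"):
            return [int(field) for field in line.split()[1:]]
    raise ValueError("no NSpid line in status (kernel without NSpid support?)")


def host_pid_for_rule(status_text):
    """The pid auditctl's -F pid= is compared against: the init-namespace view."""
    return parse_nspid(status_text)[0]


def container_pid(status_text):
    """The pid the process itself reports (innermost namespace)."""
    return parse_nspid(status_text)[-1]


def audit_rule_for(status_text):
    """Build the rule from the thread using the init-namespace pid."""
    return "-a exit,always -S all -F pid=%d" % host_pid_for_rule(status_text)


def read_status(pid):
    """Read a live status file; only meaningful from the initial namespace."""
    with open("/proc/%d/status" % pid) as status_file:
        return status_file.read()


if __name__ == "__main__":
    print(audit_rule_for(SAMPLE_CONTAINER_STATUS))
```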