From mboxrd@z Thu Jan 1 00:00:00 1970 From: Nicolas Dichtel Subject: Re: [PATCH 0/2] namespaces: log namespaces per task Date: Mon, 05 May 2014 11:23:07 +0200 Message-ID: <5367587B.20801@6wind.com> References: <20140501223212.GA25669@mail.hallyn.com> <20140502142851.GC24111@madcap2.tricolour.ca> Reply-To: nicolas.dichtel@6wind.com Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: QUOTED-PRINTABLE Return-path: In-Reply-To: <20140502142851.GC24111@madcap2.tricolour.ca> Sender: linux-kernel-owner@vger.kernel.org To: Richard Guy Briggs , "Serge E. Hallyn" Cc: containers@lists.linux-foundation.org, serge.hallyn@ubuntu.com, linux-kernel@vger.kernel.org, linux-audit@redhat.com, ebiederm@xmission.com List-Id: linux-audit@redhat.com Le 02/05/2014 16:28, Richard Guy Briggs a =E9crit : > On 14/05/02, Serge E. Hallyn wrote: >> Quoting Richard Guy Briggs (rgb@redhat.com): >>> I saw no replies to my questions when I replied a year after Aris' = posting, so >>> I don't know if it was ignored or got lost in stale threads: >>> https://www.redhat.com/archives/linux-audit/2013-March/msg= 00020.html >>> https://www.redhat.com/archives/linux-audit/2013-March/msg= 00033.html >>> (https://lists.linux-foundation.org/pipermail/containers/2013-Marc= h/032063.html) >>> https://www.redhat.com/archives/linux-audit/2014-January/m= sg00180.html >>> >>> I've tried to answer a number of questions that were raised in that= thread. >>> >>> The goal is not quite identical to Aris' patchset. >>> >>> The purpose is to track namespaces in use by logged processes from = the >>> perspective of init_*_ns. The first patch defines a function to li= st them. >>> The second patch provides an example of usage for audit_log_task_in= fo() which >>> is used by syscall audits, among others. audit_log_task() and >>> audit_common_recv_message() would be other potential use cases. >>> >>> Use a serial number per namespace (unique across one boot of one ke= rnel) >>> instead of the inode number (which is claimed to have had the right= to change >>> reserved and is not necessarily unique if there is more than one pr= oc fs). It >>> could be argued that the inode numbers have now become a defacto in= terface and >>> can't change now, but I'm proposing this approach to see if this he= lps address >>> some of the objections to the earlier patchset. >>> >>> There could also have messages added to track the creation and the = destruction >>> of namespaces, listing the parent for hierarchical namespaces such = as pidns, >>> userns, and listing other ids for non-hierarchical namespaces, as w= ell as other >>> information to help identify a namespace. >>> >>> There has been some progress made for audit in net namespaces and p= id >>> namespaces since this previous thread. net namespaces are now serv= ed as peers >>> by one auditd in the init_net namespace with processes in a non-ini= t_net >>> namespace being able to write records if they are in the init_user_= ns and have >>> CAP_AUDIT_WRITE. Processes in a non-init_pid_ns can now similarly = write >>> records. As for CAP_AUDIT_READ, I just posted a patchset to check = capabilities >>> of userspace processes that try to join netlink broadcast groups. >>> >>> >>> Questions: >>> Is there a way to link serial numbers of namespaces involved in mig= ration of a >>> container to another kernel? (I had a brief look at CRIU.) Is the= re a unique >>> identifier for each running instance of a kernel? Or at least some= identifier >>> within the container migration realm? >> >> Eric Biederman has always been adamantly opposed to adding new names= paces >> of namespaces, so the fact that you're asking this question concerns= me. > > I have seen that position and I don't fully understand the justificat= ion > for it other than added complexity. Just FYI, have you seen this thread: http://thread.gmane.org/gmane.linux.network/286572/ There is some explanations/examples about this topic. Regards, Nicolas