[PATCH] audit: don't attempt to lookup PIDs when changing PID filtering audit rules

Steve Grubb sgrubb at redhat.com
Mon Dec 15 21:14:56 UTC 2014


On Monday, December 15, 2014 02:03:05 PM Paul Moore wrote:
> > Let's say I am in the non-init pid namespace.
> >
> > I run auditctl -a exit,always -S all -F pid=1
> >
> > Is the audit system going to show records for what I think is pid=1 or
> > what the initial pid namespace thinks is pid=1 ?
> 
> The initial namespace.  If we want the executing task's current namespace
> we  should probably change audit_filter_user_rules().
> 
> > Which is correct? (hint, it's impossible to know pids above my
> > namespace, or even to know what pid the process in question thinks it
> > is, since it could be below my namespace)
> 
> Heh.  I'm sorry, I tend to laugh when I hear the term "correct" during an 
> audit discussion
> 
> Steve, Richard, Eric - what do you guys want: initial or current namespace?

To be clear, this pid namespace is normally used in conjunction with 
containers. We don't want any events from within a container unless we also 
have an audit namespace. Everything inside the container is potentially 
operating outside the security policy of the system.

So, I'd be fine with them being on the init namespace since we have a lot more 
work to do for containers. The autrace use case is likely to be the only user 
of pid in the audit rules because it's useless for nearly anything else. The 
audit by process name feature is what most people will use as soon as it's 
upstreamed.

Thanks,
-Steve
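The semantics settled on in this thread are that `-F pid=N` is compared against the task's PID as seen from the initial PID namespace, so a rule for `pid=1` written on the host will not follow a container's own PID 1. The following is an added example, not code from the thread or from the audit project: it reads the `NSpid:` line that `/proc/<pid>/status` carries on Linux 4.1 and later (outermost namespace first, innermost last), and shows which value a host administrator must put in the rule. The `SAMPLE_STATUS` text is constructed; the helper names are mine.

```python
"""Map a containerized task's PID-namespace view to the init-namespace PID
that an audit -F pid= filter is compared against (per the linux-audit thread).

Added example, not part of the thread. Assumes Linux >= 4.1, where
/proc/<pid>/status has an "NSpid:" line listing the task's PID in each
PID namespace from the reader's namespace down to the innermost one.
If the reader is itself inside a nested PID namespace, NSpid[0] is the
reader's view, not the init namespace's; run this from the host.
"""
import re
from pathlib import Path
from typing import Optional

# Constructed sample of /proc/<pid>/status as read from the init PID
# namespace for a task that is PID 1 inside a container.
SAMPLE_STATUS = """Name:\tinit
Umask:\t0022
State:\tS (sleeping)
Tgid:\t12345
Ngid:\t0
Pid:\t12345
PPid:\t12300
NSpid:\t12345\t1
NSpgid:\t12345\t1
"""


def parse_nspid(status_text: str) -> list[int]:
    """Return the NSpid chain, outermost (reader's namespace) first."""
    m = re.search(r"^NSpid:\s*(.*)$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no NSpid line: kernel too old or not a task status")
    return [int(tok) for tok in m.group(1).split()]


def init_ns_pid(status_text: str) -> int:
    """PID as the init namespace sees it (the value audit compares against)."""
    return parse_nspid(status_text)[0]


def container_pid(status_text: str) -> int:
    """PID as the task itself sees it, i.e. in its innermost namespace."""
    return parse_nspid(status_text)[-1]


def rule_matches(rule_pid: int, status_text: str) -> bool:
    """Emulate the filter semantics described in the thread: -F pid=N is
    matched against the init-namespace PID, so pid=1 does not catch a
    container's own PID 1."""
    return init_ns_pid(status_text) == rule_pid


def auditctl_rule_for(status_text: str) -> str:
    """The rule a host admin would load to follow the task in the sample,
    using the init-namespace PID rather than the in-container one."""
    return f"auditctl -a exit,always -S all -F pid={init_ns_pid(status_text)}"


def status_for_live_pid(pid: int) -> Optional[str]:
    """Read a live task's status file, or None if the PID is gone."""
    path = Path(f"/proc/{pid}/status")
    return path.read_text() if path.exists() else None


if __name__ == "__main__":
    print("NSpid chain:", parse_nspid(SAMPLE_STATUS))
    print("host rule pid=1 matches container init?", rule_matches(1, SAMPLE_STATUS))
    print("rule to load on the host:", auditctl_rule_for(SAMPLE_STATUS))
```

The practical consequence for rule authors is that a `pid=` filter must be computed on the host side (for example from `NSpid` as above), and that it is only stable for the lifetime of that one task, which is why the thread treats `autrace` as the realistic consumer of `-F pid=` rules.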