
Re: [PATCH] audit: don't attempt to lookup PIDs when changing PID filtering audit rules

On Mon, 2014-12-15 at 16:14 -0500, Steve Grubb wrote:
> We don't want any events from within a container unless we also
> have an audit name space. Everything inside the container is potentially
> operating outside the security policy of the system.

I am not arguing with any of the substance/meaning of what you intend in
any way.

However, every time someone uses the word 'container' they are severely
mischaracterizing the problem space. There are no containers. It's even
worse to say 'container' than it is to say 'the path.' Containers are a
userspace construct made out of numerous disjoint kernel primitives
(mainly the numerous namespaces). The kernel does not, can not, and will
not ever know about a 'container.'

This MUST be a key concept when we think about how to make audit work in
a world where people want to use kernel namespaces.
