lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 15 May 2015 17:05:24 -0400
From:	Paul Moore <pmoore@...hat.com>
To:	Andy Lutomirski <luto@...capital.net>
Cc:	Richard Guy Briggs <rgb@...hat.com>,
	Steve Grubb <sgrubb@...hat.com>,
	"Eric W. Biederman" <ebiederm@...ssion.com>,
	Linux Containers <containers@...ts.linux-foundation.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	linux-audit@...hat.com, Eric Paris <eparis@...isplace.org>,
	arozansk@...hat.com, "Serge E. Hallyn" <serge@...lyn.com>,
	Mimi Zohar <zohar@...ux.vnet.ibm.com>,
	Al Viro <viro@...iv.linux.org.uk>,
	Linux FS Devel <linux-fsdevel@...r.kernel.org>,
	Linux API <linux-api@...r.kernel.org>,
	Network Development <netdev@...r.kernel.org>
Subject: Re: [PATCH V6 05/10] audit: log creation and deletion of namespace instances

On Thursday, May 14, 2015 11:23:09 PM Andy Lutomirski wrote:
> On Thu, May 14, 2015 at 7:32 PM, Richard Guy Briggs <rgb@...hat.com> wrote:
> > On 15/05/14, Paul Moore wrote:
> >> * Look at our existing audit records to determine which records should
> >> have
> >> namespace and container ID tokens added.  We may only want to add the
> >> additional fields in the case where the namespace/container ID tokens are
> >> not the init namespace.
> > 
> > If we have a record that ties a set of namespace IDs with a container
> > ID, then I expect we only need to list the containerID along with auid
> > and sessionID.
> 
> The problem here is that the kernel has no concept of a "container", and I
> don't think it makes any sense to add one just for audit.  "Container" is a
> marketing term used by some userspace tools.
> 
> I can imagine that both audit could benefit from a concept of a
> namespace *path* that understands nesting (e.g. root/2/5/1 or
> something along those lines).  Mapping these to "containers" belongs
> in userspace, I think.

It might be helpful to climb up a few levels in this thread ...

I think we all agree that containers are not a kernel construct.  I further 
believe that the kernel has no business generating container IDs, those should 
come from userspace and will likely be different depending on how you define 
"container".  However, what is less clear to me at this point is how the 
kernel should handle the setting, reporting, and general management of this 
container ID token.

-- 
paul moore
security @ redhat

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ