| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 17 Oct 2017 10:57:43 -0700
From: James Bottomley <James.Bottomley@...senPartnership.com>
To: Steve Grubb <sgrubb@...hat.com>,
Casey Schaufler <casey@...aufler-ca.com>
Cc: mszeredi@...hat.com, David Howells <dhowells@...hat.com>,
Andy Lutomirski <luto@...nel.org>, jlayton@...hat.com,
Carlos O'Donell <carlos@...hat.com>,
Linux API <linux-api@...r.kernel.org>,
Linux Containers <containers@...ts.linux-foundation.org>,
Linux Kernel <linux-kernel@...r.kernel.org>,
Eric Paris <eparis@...isplace.org>, linux-audit@...hat.com,
"Eric W. Biederman" <ebiederm@...ssion.com>,
Simo Sorce <simo@...hat.com>, cgroups@...r.kernel.org,
Linux FS Devel <linux-fsdevel@...r.kernel.org>,
trondmy@...marydata.com,
Linux Network Development <netdev@...r.kernel.org>,
Al Viro <viro@...iv.linux.org.uk>
Subject: Re: RFC(v2): Audit Kernel Container IDs
On Tue, 2017-10-17 at 13:15 -0400, Steve Grubb wrote:
> On Tuesday, October 17, 2017 12:43:18 PM EDT Casey Schaufler wrote:
> >
> > >
> > > The idea is that processes spawned into a container would be
> > > labelled by the container orchestration system. It's unclear
> > > what should happen to processes using nsenter after the fact, but
> > > policy for that should be up to the orchestration system.
> >
> > I'm fine with that. The user space policy can be anything y'all
> > like.
>
> I think there should be a login event.
I thought you wanted this for containers? Container creation doesn't
have login events. In an unprivileged orchestration system it may be
hard to synthetically manufacture them.
James
Powered by blists - more mailing lists