[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHC9VhQ7hFc8EqrEojmjQriWtKkqjPyzWrnrc_eVKjcYhhV8QQ@mail.gmail.com>
Date: Fri, 13 Mar 2020 12:49:18 -0400
From: Paul Moore <paul@...l-moore.com>
To: Steve Grubb <sgrubb@...hat.com>
Cc: Richard Guy Briggs <rgb@...hat.com>, linux-audit@...hat.com,
nhorman@...driver.com, linux-api@...r.kernel.org,
containers@...ts.linux-foundation.org,
LKML <linux-kernel@...r.kernel.org>, dhowells@...hat.com,
netfilter-devel@...r.kernel.org, ebiederm@...ssion.com,
simo@...hat.com, netdev@...r.kernel.org,
linux-fsdevel@...r.kernel.org, Eric Paris <eparis@...isplace.org>,
mpatel@...hat.com, Serge Hallyn <serge@...lyn.com>
Subject: Re: [PATCH ghak90 V8 07/16] audit: add contid support for signalling
the audit daemon
On Fri, Mar 13, 2020 at 12:45 PM Steve Grubb <sgrubb@...hat.com> wrote:
> On Friday, March 13, 2020 12:42:15 PM EDT Paul Moore wrote:
> > > I think more and more, that more complete isolation is being done,
> > > taking advantage of each type of namespace as they become available, but
> > > I know a nuber of them didn't find it important yet to use IPC, PID or
> > > user namespaces which would be the only namespaces I can think of that
> > > would provide that isolation.
> > >
> > > It isn't entirely clear to me which side you fall on this issue, Paul.
> >
> > That's mostly because I was hoping for some clarification in the
> > discussion, especially the relevant certification requirements, but it
> > looks like there is still plenty of room for interpretation there (as
> > usual). I'd much rather us arrive at decisions based on requirements
> > and not gut feelings, which is where I think we are at right now.
>
> Certification rquirements are that we need the identity of anyone attempting
> to modify the audit configuration including shutting it down.
Yep, got it. Unfortunately that doesn't really help with what we are
talking about. Although preventing the reuse of the ACID before the
SIGNAL2 record does help preserve the sanity of the audit stream which
I believe to be very important, regardless.
--
paul moore
www.paul-moore.com
Powered by blists - more mailing lists