[PATCH RFC 7/8] audit: report namespace information along with USER events
Aristeu Rozanski
arozansk at redhat.com
Tue Mar 19 12:08:05 UTC 2013
On Mon, Mar 18, 2013 at 02:44:33PM -0700, Eric W. Biederman wrote:
> Aristeu Rozanski <arozansk at redhat.com> writes:
>
> > For userspace generated events, include a record with the namespace
> > procfs inode numbers the process belongs to. This allows to track down
> > and filter audit messages by userspace.
>
> I am not comfortable with using the inode numbers this way. It does not
> pass the test of can I migrate a container and still have this work
> test. Any kind of kernel assigned name for namespaces fails that test.
>
> I also don't like that you don't include the procfs device number. An
> inode number means nothing without knowing which filesystem you are
> referring to.
>
> It may never happen but I reserve the right to have the inode numbers
> for namespaces to show up differently in different instances of procfs.
Well, in this case the whole idea is invalid. There's no way to reliably
identify which namespaces a process belongs to for logging purposes.
> Beyond that I think this usage is possibly buggy by using two audit
> records for one event.
This is valid; the records are related and they show up with the same
timestamp.
--
Aristeu
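As an added illustration of the point under discussion (this is not code from the patch series or from either participant), the following C program shows what it takes to name a namespace from procfs in the way Eric's objection requires: by the (device, inode) pair of the /proc/<pid>/ns/<type> entry rather than by the inode number alone. It assumes a Linux kernel that exposes the /proc/<pid>/ns links; the function names ns_identify, ns_inode_from_link and ns_same are chosen here and are not kernel or audit APIs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <sys/types.h>

/* Identity of a namespace as the thread argues it must be recorded: the
 * inode number together with the device number of the procfs instance. */
struct ns_id {
    unsigned long dev_major;
    unsigned long dev_minor;
    unsigned long ino;
};

/* The kernel formats the target of /proc/<pid>/ns/<type> as "<type>:[<ino>]",
 * e.g. "pid:[4026531836]". Extract the inode number; return 0 if the text
 * does not have that shape. Pure function, so it can be checked offline. */
unsigned long ns_inode_from_link(const char *link)
{
    const char *open = strchr(link, '[');
    if (open == NULL)
        return 0;
    char *end = NULL;
    unsigned long ino = strtoul(open + 1, &end, 10);
    if (end == open + 1 || *end != ']')
        return 0;
    return ino;
}

/* Two namespace identities match only if inode AND device agree. Comparing
 * inode numbers alone is exactly the ambiguity the review comment points out. */
int ns_same(const struct ns_id *a, const struct ns_id *b)
{
    return a->ino == b->ino
        && a->dev_major == b->dev_major
        && a->dev_minor == b->dev_minor;
}

/* Fill *out for namespace <type> of process <pid>. stat() follows the
 * magic link, so st_dev/st_ino describe the namespace object itself;
 * readlink() gives the "<type>:[<ino>]" text, which is cross-checked
 * against st_ino. Returns 0 on success, -1 on error.
 * Assumption: Linux with /proc mounted and /proc/<pid>/ns available. */
int ns_identify(pid_t pid, const char *type, struct ns_id *out)
{
    char path[64];
    char target[64];
    struct stat st;

    snprintf(path, sizeof path, "/proc/%ld/ns/%s", (long)pid, type);
    if (stat(path, &st) != 0)
        return -1;

    ssize_t n = readlink(path, target, sizeof target - 1);
    if (n < 0)
        return -1;
    target[n] = '\0';
    if (ns_inode_from_link(target) != (unsigned long)st.st_ino)
        return -1;

    out->dev_major = major(st.st_dev);
    out->dev_minor = minor(st.st_dev);
    out->ino = (unsigned long)st.st_ino;
    return 0;
}

int main(void)
{
    static const char *types[] = { "mnt", "uts", "ipc", "pid", "net", "user" };
    struct ns_id id;

    for (size_t i = 0; i < sizeof types / sizeof types[0]; i++) {
        if (ns_identify(getpid(), types[i], &id) != 0) {
            printf("%-4s unavailable\n", types[i]);
            continue;
        }
        /* A log consumer needs all three fields to name the namespace. */
        printf("%-4s dev=%lu:%lu ino=%lu\n", types[i],
               id.dev_major, id.dev_minor, id.ino);
    }
    return 0;
}
```

Run it as any process to see the device and inode of each of its namespaces; a record that carried only the ino column would be ambiguous across procfs instances, which is the first of Eric's two objections. Note that the (dev, ino) pair still does not address the second objection: it is a kernel-assigned name, so nothing here survives migrating a container.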