[PATCH RFC] audit: provide namespace information in user originated records
Serge Hallyn
serge.hallyn at ubuntu.com
Wed Mar 20 15:12:55 UTC 2013
Quoting Eric W. Biederman (ebiederm at xmission.com):
> Aristeu Rozanski <arozansk at redhat.com> writes:
> The reasons were simply that to my knowledge no one has thought through
> how audit records and namespaces make sense to interact.
It seems clear to me (perhaps wrongly :) that:
1. auditd is a host service only.
2. in cases where the namespace is hierarchical and resources have identifiers in the init namespace (i.e. pid and user ns), audit should simply, always, report the id in the init ns.
3. in cases where namespaces are not hierarchical (ipc, netns), the (ns_id, resource_id) need to be dumped. The ns_id should be the inode # for /proc/$$/ns/$namespace, since that is what is used for setns.
Syslog I want eventually to be namespaced. Audit, not.
Audit is (ISTM) about LSPP and such - things which we can't talk
about in containers anyway.
-serge
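As an added illustration of point 3 (not code from this thread or from the audit tree): a userspace sketch that reads the namespace identifier the mail proposes, the inode of /proc/<pid>/ns/<name>, which is the same object setns(2) operates on, and renders it as (ns_id, resource_id) style fields for the non-hierarchical namespaces. The field names "netns="/"ipcns=" are assumed for the example and are not existing audit field names.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Inode number of /proc/<pid>/ns/<nsname>: the identity of the namespace
 * as exposed to userspace and used by setns(2). Returns 0 when the entry
 * cannot be stat()ed (no such namespace type, no /proc, pid gone). */
unsigned long ns_inode(pid_t pid, const char *nsname)
{
	char path[64];
	struct stat st;
	snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, nsname);
	if (stat(path, &st) != 0)
		return 0;
	return (unsigned long)st.st_ino;
}

/* 1 if both pids share the <nsname> namespace, 0 if they do not,
 * -1 if either inode could not be read. Two processes in different
 * netns or ipcns can legitimately use the same resource_id, which is
 * why the record needs the ns_id alongside it. */
int same_namespace(pid_t a, pid_t b, const char *nsname)
{
	unsigned long ia = ns_inode(a, nsname), ib = ns_inode(b, nsname);
	if (!ia || !ib)
		return -1;
	return ia == ib;
}

/* Render the ns_id part of a record for the two non-hierarchical
 * namespaces named in the mail. "netns="/"ipcns=" are assumed names
 * for this example, not real audit fields. Returns NULL on error. */
const char *ns_fields(pid_t pid)
{
	static char buf[96];
	unsigned long net = ns_inode(pid, "net"), ipc = ns_inode(pid, "ipc");
	if (!net || !ipc)
		return NULL;
	/* Note: getpid() here is the pid in the caller's own pid ns; per
	 * point 2 a real record would carry the init-ns pid instead. */
	snprintf(buf, sizeof buf, "netns=%lu ipcns=%lu", net, ipc);
	return buf;
}
```

On a host without /proc/<pid>/ns entries the helpers report failure rather than emitting a record with a bogus ns_id.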