[PATCH] audit: don't attempt to lookup PIDs when changing PID filtering audit rules
Eric Paris
eparis at redhat.com
Mon Dec 15 21:24:48 UTC 2014
On Mon, 2014-12-15 at 16:14 -0500, Steve Grubb wrote:
> We don't want any events from within a container unless we also
> have an audit name space. Everything inside the container is potentially
> operating outside the security policy of the system.
I am not arguing with any of the substance/meaning of what you intend in
any way.
However, every time someone uses the word 'container' they are severely
mis-characterizing the problem space. There are no containers. It's even
worse to say 'container' than it is to say 'the path.' Containers are a
userspace construct made out of numerous disjoint kernel primitives
(mainly the numerous namespaces). The kernel does not, can not, and will
not ever know about a 'container.'
This MUST be a key concept when we think about how to make audit work in
a world where people want to use kernel namespaces.
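The point above, that what userspace calls a "container" is only a selection of independent kernel namespaces, can be seen directly from the kernel's own interface. The program below is an added example written for this page, not code from the thread or from the audit subsystem. It assumes Linux with /proc mounted and unprivileged user namespaces enabled; the namespace list and the partial unshare set are chosen for illustration. It records the identity the kernel reports for each namespace type, unshares only three of them, and shows that the kernel has no single "same container?" answer, only a per-type comparison.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Namespace types the kernel exposes individually as links under
 * /proc/self/ns/. Constructed subset for this example; the kernel has
 * more (cgroup, time, ...), each equally independent of the others. */
static const char *const ns_names[] = { "user", "pid", "mnt", "net", "uts", "ipc" };
#define NS_COUNT (sizeof ns_names / sizeof ns_names[0])

/* Parse the readlink() target of /proc/self/ns/<type>, which has the form
 * "type:[4026531836]". Returns the inode number identifying the namespace,
 * or 0 if the text is not in that form. */
unsigned long ns_parse_link(const char *link)
{
    const char *lb = strchr(link, '[');
    if (!lb)
        return 0;
    char *end;
    unsigned long ino = strtoul(lb + 1, &end, 10);
    if (end == lb + 1 || *end != ']')
        return 0;
    return ino;
}

/* Identity of the calling process's namespace of one type; 0 on error
 * (for example when /proc is not mounted or the type is unknown). */
unsigned long ns_id(const char *type)
{
    char path[64], buf[64];
    snprintf(path, sizeof path, "/proc/self/ns/%s", type);
    ssize_t n = readlink(path, buf, sizeof buf - 1);
    if (n < 0)
        return 0;
    buf[n] = '\0';
    return ns_parse_link(buf);
}

/* Fill one identity per entry of ns_names for the calling process. */
void ns_snapshot(unsigned long *out)
{
    for (size_t i = 0; i < NS_COUNT; i++)
        out[i] = ns_id(ns_names[i]);
}

/* Compare two identity vectors and return a bitmask (bit i = ns_names[i])
 * of the namespace types in which they differ. This per-type answer is
 * all the kernel can give; "same container" is a userspace judgement
 * about which bits are allowed to be set. */
unsigned ns_diff_mask(const unsigned long *a, const unsigned long *b)
{
    unsigned mask = 0;
    for (size_t i = 0; i < NS_COUNT; i++)
        if (a[i] != b[i])
            mask |= 1u << i;
    return mask;
}

int main(void)
{
    unsigned long before[NS_COUNT], after[NS_COUNT];
    ns_snapshot(before);

    /* Unshare only user, uts and ipc: a partial "container" that still
     * shares pid, mount and network namespaces with its creator. Listing
     * CLONE_NEWUSER makes the call work without privilege, because the
     * kernel creates the user namespace first and grants capabilities
     * in it before creating the others. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWUTS | CLONE_NEWIPC) < 0) {
        perror("unshare");
        return 1;
    }
    ns_snapshot(after);

    unsigned mask = ns_diff_mask(before, after);
    for (size_t i = 0; i < NS_COUNT; i++)
        printf("%-4s %lu -> %lu  %s\n", ns_names[i], before[i], after[i],
               (mask >> i) & 1u ? "new namespace" : "still shared");
    return 0;
}
```

Run as an unprivileged user; the user, uts and ipc rows change while pid, mnt and net keep their original identities. Nothing in the kernel's report marks the process as "in a container": an audit design keyed on containers has to decide for itself which combination of these per-type differences it means.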