[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [PATCH] audit: don't attempt to lookup PIDs when changing PID filtering audit rules

On Monday, December 15, 2014 02:03:05 PM Paul Moore wrote:
> > Lets say I and in the non-init pid namespace.
> >
> > I run audictl -a exit,always -S all -F pid=1
> >
> > Is the audit system going to show records for what I think is pid=1 or
> > what the initial pid namespace thinks is pid=1 ?
> The initial namespace.  If we want the executing task's current namespace
> we  should probably change audit_filter_user_rules().
> > Which is correct? (hint, it's impossible to know pids above my
> > namespace, or even to know what pid the process in question thinks it
> > is, since it could be below my namespace)
> Heh.  I'm sorry, I tend to laugh when I hear the term "correct" during an 
> audit discussion
> Steve, Richard, Eric - what do you guys want: initial or current namespace?

To be clear, this pid name space is normally used in conjunction with 
containers. We don't want any events from within a container unless we also 
have an audit name space. Everything inside the container is potentially 
operating out side the security policy of the system.

So, I'd be fine with them being on the init namespace since we have a lot more 
work to do for containers. The autrace use case is likely to be the only user 
of pid in the audit rules because its useless for nearly anything else. The 
audit by process name feature is what most people will use as soon as its 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]