Here is the v1 patchset:
http://lwn.net/Articles/549546/

The main target of this patchset is allowing users in an audit
namespace to generate the USER_MSG type of audit message;
some userspace tools need to generate audit messages, or
these tools will be broken.

And the login process in a container may want to set up
/proc/<pid>/loginuid; right now this value is unalterable
once it has been set. This will also break the login process
in a container. After this patchset, we can reset this loginuid
to zero if the task is running in a new audit namespace.

Same as the v1 patchset, in this patchset only the privileged
user in init_audit_ns and init_user_ns has rights to
add/del audit rules, and these rules are global: all
audit namespaces will comply with the rules.

Compared with v1, the v2 patch has some big changes.
1. The audit namespace is not assigned to the user namespace.
Since there is no available flag bit for clone, we
create the audit namespace through netlink; patch [18/20]
introduces a new audit netlink type AUDIT_CREATE_NS.
The privileged user in a userns has rights to create an
audit namespace, which means an unprivileged user can
create an auditns by creating a userns first. In order
to prevent them from doing harm to the host, the default
audit_backlog_limit of an un-init-audit-ns is zero (meaning
audit is unavailable in that audit namespace), and it can't
be changed in the auditns through netlink.
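As an added illustration of the USER_MSG path the cover letter refers to (this is example code, not part of the patchset or the thread): a userspace tool emits such a record by sending an AUDIT_USER message over a NETLINK_AUDIT socket. The kernel only accepts it from a caller holding CAP_AUDIT_WRITE, so in a container without that capability the send fails with EPERM, which is the breakage the series is trying to address. The message text and the helper names are constructed for this example.

```c
/* Added example: build and send an AUDIT_USER record over NETLINK_AUDIT.
 * Not code from the patchset; message text and helper names are constructed. */
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/audit.h>

#define AUDIT_MAX_TEXT 512

struct audit_req {
    struct nlmsghdr nlh;
    char text[AUDIT_MAX_TEXT];     /* NUL-terminated record body */
};

/* Fill req with a complete AUDIT_USER request; returns total byte length. */
size_t build_audit_user_msg(struct audit_req *req, const char *text, uint32_t seq)
{
    size_t n = strnlen(text, AUDIT_MAX_TEXT - 1);
    memset(req, 0, sizeof *req);
    req->nlh.nlmsg_type  = AUDIT_USER;            /* 1005: user-space message */
    req->nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    req->nlh.nlmsg_seq   = seq;
    req->nlh.nlmsg_pid   = 0;                     /* port id 0: kernel side */
    memcpy(req->text, text, n);
    req->text[n] = '\0';
    req->nlh.nlmsg_len = NLMSG_LENGTH(n + 1);     /* header + text + NUL */
    return req->nlh.nlmsg_len;
}

/* Send the record to the kernel audit subsystem. Returns 0 on success or
 * -errno; a caller without CAP_AUDIT_WRITE gets -EPERM from the kernel. */
int send_audit_user_msg(const char *text)
{
    struct audit_req req;
    struct sockaddr_nl kern = { .nl_family = AF_NETLINK, .nl_pid = 0 };
    size_t len = build_audit_user_msg(&req, text, 1);
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0)
        return -errno;
    ssize_t rc = sendto(fd, &req, len, 0, (struct sockaddr *)&kern, sizeof kern);
    int err = rc < 0 ? -errno : 0;
    close(fd);
    return err;
}
```

Reading the NLMSG_ERROR reply after a successful send is left out here; the send-side permission failure is what a tool running in a container observes first.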

So the unprivileged user can create an audit-ns, but can't
then actually send any messages there? I guess setting it
to something small would just be hacky?