On Thu, Oct 24, 2019 at 6:08 PM Richard Guy Briggs <rgb(a)redhat.com> wrote:
> On 2019-10-10 20:40, Paul Moore wrote:
> > On Wed, Sep 18, 2019 at 9:26 PM Richard Guy Briggs <rgb(a)redhat.com> wrote:
> > > ?fixup! audit: convert to contid list to check for orch/engine ownership
> >
> > ?
> >
> > > Require the target task to be a descendant of the container
> > > orchestrator/engine.
> > >
> > > You would only change the audit container ID from one set or inherited
> > > value to another if you were nesting containers.
> > >
> > > If changing the contid, the container orchestrator/engine must be a
> > > descendant and not the same orchestrator as the one that set it so it is not
> > > possible to change the contid of another orchestrator's container.
> >
> > Did you mean to say that the container orchestrator must be an
> > ancestor of the target, and the same orchestrator as the one that set
> > the target process' audit container ID?
>
> Not quite, the first half yes, but the second half: if it was already
> set by that orchestrator, it can't be set again. If it is a different
> orchestrator that is a descendant of the orchestrator that set it, then
> allow the action.
>
> > Or maybe I'm missing something about what you are trying to do?
>
> Does that help clarify it?

I think so, it's pretty much as you stated originally: "Require the
target task to be a descendant of the container orchestrator/engine".
It's possible I misread something in the patch, or got lost in all the
?fixup! patching. I'll take a closer look at the next revision of the
patchset to make sure the code makes sense to me, but the logic seems
reasonable.
--
paul moore
www.paul-moore.com
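The ownership rule Richard describes above (target must be a descendant of the orchestrator; an orchestrator cannot re-set a contid it already set; a different orchestrator may change it only if it is itself a descendant of the one that set it) is easier to check against concrete cases than to reason about in prose. The following is an added toy model of that rule, not the kernel patch or any code from the thread: the `Task` class, the process tree, the `contid_owner` bookkeeping and the `may_set_contid`/`set_contid` names are all constructed here, and fork-time inheritance of the contid is not modelled (a task starts with its contid unset).

```python
"""Toy model of the audit container ID (contid) ownership rule discussed
in the thread above. Added illustration only: the kernel keeps this state
very differently, and every name below is an assumption of this model."""

from dataclasses import dataclass
from typing import Optional


@dataclass
class Task:
    pid: int
    parent: Optional["Task"] = None
    contid: Optional[int] = None           # audit container ID, None == unset
    contid_owner: Optional["Task"] = None  # orchestrator that set contid


def is_descendant(task: Task, ancestor: Task) -> bool:
    """True if `ancestor` is a strict ancestor of `task` in the process tree."""
    cur = task.parent
    while cur is not None:
        if cur is ancestor:
            return True
        cur = cur.parent
    return False


def may_set_contid(target: Task, orchestrator: Task) -> bool:
    """Apply the rule as stated in the thread:
    1. the target task must be a descendant of the requesting orchestrator;
    2. if no orchestrator has set the contid yet, allow;
    3. if this same orchestrator already set it, deny (no re-setting);
    4. if a different orchestrator set it, allow only when the requesting
       orchestrator is a descendant of that one (nested containers).
    """
    if not is_descendant(target, orchestrator):
        return False
    owner = target.contid_owner
    if owner is None:
        return True
    if owner is orchestrator:
        return False
    return is_descendant(orchestrator, owner)


def set_contid(target: Task, orchestrator: Task, contid: int) -> bool:
    """Set the contid if the rule allows it; return whether it was set."""
    if not may_set_contid(target, orchestrator):
        return False
    target.contid = contid
    target.contid_owner = orchestrator
    return True


def demo() -> dict:
    """Constructed process tree exercising each branch of the rule."""
    init = Task(1)
    outer = Task(100, parent=init)       # outer orchestrator
    inner = Task(200, parent=outer)      # nested orchestrator, child of outer
    workload = Task(300, parent=inner)   # container workload task
    stranger = Task(400, parent=init)    # orchestrator unrelated to workload
    results = {}
    # stranger is not an ancestor of workload: denied
    results["unrelated_denied"] = set_contid(workload, stranger, 7)
    # outer is an ancestor and nothing is set yet: allowed
    results["outer_sets"] = set_contid(workload, outer, 7)
    # outer already set it, cannot set it again: denied
    results["outer_resets_denied"] = set_contid(workload, outer, 8)
    # inner is a descendant of outer (nesting): allowed
    results["inner_nested_allowed"] = set_contid(workload, inner, 8)
    # outer is not a descendant of inner, which now owns it: denied
    results["outer_after_inner_denied"] = set_contid(workload, outer, 9)
    results["final_contid"] = workload.contid
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` walks the four branches: the unrelated orchestrator is refused, the outer orchestrator sets the value once and cannot touch it again, the nested orchestrator may override it, and the outer one cannot then reclaim it because it is not a descendant of the orchestrator that now owns the value.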