Re: [RFC PATCH ghak32 V2 01/13] audit: add container id

On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs <rgb(a)redhat.com&gt; wrote: > Implement the proc fs write to set the audit container ID of a process, > emitting an AUDIT_CONTAINER record to document the event. > ... > > diff --git a/include/linux/sched.h b/include/linux/sched.h > index d258826..1b82191 100644 > --- a/include/linux/sched.h > +++ b/include/linux/sched.h > @@ -796,6 +796,7 @@ struct task_struct { > #ifdef CONFIG_AUDITSYSCALL > kuid_t loginuid; > unsigned int sessionid; > + u64 containerid; This one line addition to the task_struct scares me the most of anything in this patchset. Why? It's a field named "containerid" in a perhaps one of the most widely used core kernel structures; the possibilities for abuse are endless, and it's foolish to think we would ever be able to adequately police this.