On Wed, Sep 18, 2019 at 9:26 PM Richard Guy Briggs <rgb(a)redhat.com> wrote:
> Add the ability to get and set the audit container identifier using an
> audit netlink message using message types AUDIT_SET_CONTID 1023 and
> AUDIT_GET_CONTID 1022 in addition to using the proc filesystem. The
> message format includes the data structure:
>
> struct audit_contid_status {
>         pid_t pid;
>         u64 id;
> };
>
> Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
> ---
>  include/uapi/linux/audit.h |  2 ++
>  kernel/audit.c             | 40 ++++++++++++++++++++++++++++++++++++++++
>  kernel/audit.h             |  5 +++++
>  3 files changed, 47 insertions(+)
I'm not a fan of having multiple interfaces to do one thing if it can
be avoided. Presumably the argument for the netlink API is the
container folks don't want to have to mount /proc inside containers
which are going to host nested orchestrators? Can you reasonably run
a fully fledged orchestrator without a valid /proc?
--
paul moore
www.paul-moore.com
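For readers following the netlink side of the proposal, here is an added userspace example (not code from the patch, the kernel, or the audit tools) that builds an AUDIT_SET_CONTID request in memory and validates it the way a receiver should, using only the type values and struct from the description quoted above. It assumes the glibc <linux/netlink.h> macros, uses uint64_t in place of the kernel's u64, and never opens a socket.

```c
#include <stdint.h>
#include <string.h>
#include <sys/types.h>
#include <linux/netlink.h>

/* Type values as given in the patch description; not in upstream headers. */
#define AUDIT_GET_CONTID 1022
#define AUDIT_SET_CONTID 1023

/* Payload from the description; uint64_t stands in for the kernel's u64. On LP64
 * there is a 4-byte hole after pid, on i386 none, so 32/64-bit sizeof differs. */
struct audit_contid_status {
	pid_t pid;
	uint64_t id;
};

/* Build an AUDIT_SET_CONTID request (nlmsghdr + payload) into buf.
 * Returns the total message length, or 0 if buf is too small. */
size_t build_set_contid(unsigned char *buf, size_t buflen, pid_t pid, uint64_t id, uint32_t seq)
{
	size_t len = NLMSG_SPACE(sizeof(struct audit_contid_status));
	struct audit_contid_status st = { .pid = pid, .id = id };
	struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
	if (buflen < len)
		return 0;
	memset(buf, 0, len);	/* zero the padding hole as well */
	nlh->nlmsg_len = NLMSG_LENGTH(sizeof st);
	nlh->nlmsg_type = AUDIT_SET_CONTID;
	nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
	nlh->nlmsg_seq = seq;
	nlh->nlmsg_pid = 0;	/* kernel fills in the sender port id */
	memcpy(NLMSG_DATA(nlh), &st, sizeof st);
	return len;
}

/* Receiver-side check: header fits, lengths are sane, type is a contid type,
 * payload is big enough. Returns 0 on success, -1 otherwise. */
int parse_contid(const unsigned char *buf, size_t buflen, struct audit_contid_status *out)
{
	const struct nlmsghdr *nlh = (const struct nlmsghdr *)buf;
	if (buflen > INT32_MAX || !NLMSG_OK(nlh, (int)buflen))
		return -1;
	if (nlh->nlmsg_type != AUDIT_SET_CONTID && nlh->nlmsg_type != AUDIT_GET_CONTID)
		return -1;
	if (NLMSG_PAYLOAD(nlh, 0) < sizeof *out)
		return -1;
	memcpy(out, NLMSG_DATA(nlh), sizeof *out);
	return 0;
}
```

Sending the buffer over a NETLINK_AUDIT socket would additionally require CAP_AUDIT_CONTROL and a kernel carrying this patch; the length and type checks in parse_contid are the ones a receiver needs before trusting the payload.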