On Mon, Mar 18, 2013 at 02:44:33PM -0700, Eric W. Biederman wrote:
> Aristeu Rozanski <arozansk(a)redhat.com> writes:
> > For userspace generated events, include a record with the namespace
> > procfs inode numbers the process belongs to. This allows tracking down
> > and filtering audit messages by userspace.
> I am not comfortable with using the inode numbers this way. It does not
> pass the "can I migrate a container and still have this work" test.
> Any kind of kernel assigned name for namespaces fails that test.
> I also don't like that you don't include the procfs device number. An
> inode number means nothing without knowing which filesystem you are
> referring to.
> It may never happen but I reserve the right to have the inode numbers
> for namespaces to show up differently in different instances of procfs.
Well, in this case the whole idea is invalid. There's no way to reliably
identify which namespaces a process belongs to for logging purposes.
> Beyond that I think this usage is possibly buggy by using two audit
> records for one event.
This is valid, the records are related and they show up with the same
timestamp.
--
Aristeu