On Sat, Jun 27, 2020 at 9:23 AM Richard Guy Briggs <rgb(a)redhat.com> wrote:
> Track the parent container of a container to be able to filter and
> report nesting.
>
> Now that we have a way to track and check the parent container of a
> container, modify the contid field format to be able to report that
> nesting using a caret ("^") modifier to indicate nesting. The
> original field format was "contid=<contid>" for task-associated records
> and "contid=<contid>[,<contid>[...]]" for network-namespace-associated
> records. The new field format is
> "contid=<contid>[,^<contid>[...]][,<contid>[...]]".
I feel like this is a case which could really benefit from an example
in the commit description showing multiple levels of nesting, with
some leaf audit container IDs at each level. This way we have a
canonical example for people who want to understand how to parse the
list and properly sort out the inheritance.
> Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
> ---
> include/linux/audit.h | 1 +
> kernel/audit.c | 60 ++++++++++++++++++++++++++++++++++++++++++---------
> kernel/audit.h | 2 ++
> kernel/auditfilter.c | 17 ++++++++++++++-
> kernel/auditsc.c | 2 +-
> 5 files changed, 70 insertions(+), 12 deletions(-)
--
paul moore
www.paul-moore.com
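An added example, not code from the patch or from this thread, showing how a log consumer could parse the new contid field format and recover the nesting it reports. It assumes that each entry without a caret starts a new leaf container and that the caret-prefixed entries following it are that leaf's ancestors, nearest first; the audit records below are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample records (not from the patch): a task-associated record and a
# network-namespace-associated record in the format
# "contid=<contid>[,^<contid>[...]][,<contid>[...]]" described in the commit text.
SAMPLE_TASK_RECORD = "type=SYSCALL msg=audit(1593272609.012:42): pid=1234 contid=123,^45,^1"
SAMPLE_NETNS_RECORD = "type=NETFILTER_PKT msg=audit(1593272610.345:43): contid=123,^45,^1,124,^45,^1,77"

CONTID_RE = re.compile(r"\bcontid=([0-9^,]+)")

def parse_contid(record: str) -> List[Tuple[int, List[int]]]:
    """Return [(leaf_contid, [parent, grandparent, ...]), ...] for one record.

    Assumption (interpretation of the quoted format, not stated in the commit
    text): an entry without '^' starts a new leaf container; the '^' entries
    that follow belong to that leaf and list its ancestors nearest first.
    """
    m = CONTID_RE.search(record)
    if not m:
        return []
    groups: List[Tuple[int, List[int]]] = []
    for tok in m.group(1).split(","):
        if tok.startswith("^"):
            if not groups:
                raise ValueError("ancestor entry without a preceding leaf: " + tok)
            groups[-1][1].append(int(tok[1:]))
        else:
            groups.append((int(tok), []))
    return groups

def build_parent_map(records) -> Dict[int, int]:
    """Collect child -> parent links across records, rejecting inconsistent ones."""
    parents: Dict[int, int] = {}
    for rec in records:
        for leaf, chain in parse_contid(rec):
            # Pair each contid with the next entry in its ancestor chain.
            for child, parent in zip([leaf] + chain, chain):
                prev = parents.setdefault(child, parent)
                if prev != parent:
                    raise ValueError(f"conflicting parent for contid {child}: {prev} vs {parent}")
    return parents

def is_within(contid: int, ancestor: int, parents: Dict[int, int]) -> bool:
    """True if contid equals ancestor or is nested inside it at any depth."""
    while contid != ancestor:
        if contid not in parents:
            return False
        contid = parents[contid]
    return True
```

build_parent_map and is_within are what a filter that wants "everything under container 1" needs once records from several levels have been seen.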