Re: [RFC PATCH ghak32 V2 13/13] debug audit: read container ID of a process

On 2018-05-21 16:06, Paul Moore wrote: > On Mon, May 21, 2018 at 3:19 PM, Eric W. Biederman <ebiederm(a)xmission.com&gt; wrote: > > Steve Grubb <sgrubb(a)redhat.com&gt; writes: > >> On Friday, March 16, 2018 5:00:40 AM EDT Richard Guy Briggs wrote: > >>> Add support for reading the container ID from the proc filesystem. > >> > >> I think this could be useful in general. Please consider this to be part of > >> the full patch set and not something merely used to debug the patches. > > > > Only with an audit specific name. > > > > As it is: > > > > Nacked-by: "Eric W. Biederman" <ebiederm(a)xmission.com&gt; > > > > The truth is the containerid name really stinks and is quite confusing > > and does not imply that the label applies only to audit. And little > > things like this make me extremely uncofortable with it. > > It also makes the audit container ID (notice how I *always* call it > the *audit* container ID? that is not an accident) available for > userspace applications to abuse. Perhaps in the future we can look at > ways to make this more available to applications, but this patch is > not the answer. Do you have a productive suggestion?