Re: [PATCH ghak90 V7 20/21] audit: add capcontid to set contid outside init_user_ns
On Thu, Oct 24, 2019 at 5:00 PM Richard Guy Briggs <rgb(a)redhat.com> wrote:
Here's the note I had from that meeting:
- Eric raised the issue that using /proc is likely to get more and more
hoary due to mount namespaces and suggested that we use a netlink
audit message (or a new syscall) to set the audit container identifier
and since the loginuid is a similar type of operation, that it should be
migrated over to a similar mechanism to get it away from /proc. Get
could be done with a netlink audit message that triggers an audit log
message to deliver the information. I'm reluctant to further pollute
the syscall space if we can find another method. The netlink audit
message makes sense since any audit-enabled service is likely to already
have an audit socket open.
Thanks for the background info on the off-list meeting. I would
encourage you to have discussions like this on-list in the future; if
that isn't possible, hosting a public call would okay-ish, but a
distant second.
At this point in time I'm not overly concerned about /proc completely
going away in namespaces/containers that are full featured enough to
host a container orchestrator. If/when reliance on procfs becomes an
issue, we can look at alternate APIs, but given the importance of
/proc to userspace (including to audit) I suspect we are going to see
it persist for some time. I would prefer to see you to drop the audit
container ID netlink API portions of this patchset and focus on the
procfs API.
Also, for the record, removing the audit loginuid from procfs is not
something to take lightly, if at all; like it or not, it's part of the
kernel API.
--
paul moore
www.paul-moore.com