On Fri, Aug 7, 2020 at 1:10 PM Richard Guy Briggs <rgb(a)redhat.com> wrote:
> On 2020-07-05 11:11, Paul Moore wrote:
> > On Sat, Jun 27, 2020 at 9:23 AM Richard Guy Briggs <rgb(a)redhat.com> wrote:
> > > Require the target task to be a descendant of the container
> > > orchestrator/engine.
> >
> > If you want to get formal about this, you need to define "target" in
> > the sentence above. Target of what?
> >
> > FWIW, I read the above to basically mean that a task can only set the
> > audit container ID of processes which are beneath it in the "process
> > tree" where the "process tree" is defined as the relationship between
> > a parent and children processes such that the children processes are
> > branches below the parent process.
> >
> > I have no problem with that, with the understanding that nesting
> > complicates it somewhat. For example, this isn't true when one of the
> > children is a nested orchestrator, is it?
> >
> > > You would only change the audit container ID from one set or inherited
> > > value to another if you were nesting containers.
> >
> > I thought we decided we were going to allow an orchestrator to move a
> > process between audit container IDs, yes? no?
> >
> > > If changing the contid, the container orchestrator/engine must be a
> > > descendant and not same orchestrator as the one that set it so it is not
> > > possible to change the contid of another orchestrator's container.
> >
> > Try rephrasing the above please, it isn't clear to me what you are
> > trying to say.
>
> Are we able to agree on the premises above? Is anything asserted that
> should not be and is there anything missing?
See above.
If you want to go back to the definitions/assumptions stage, it
probably isn't worth worrying about the other comments until we get
the above sorted.
--
paul moore
www.paul-moore.com
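As an added illustration (not code from the audit container ID patch set or from either participant), the following userspace model encodes the three premises quoted in the thread and runs them against a constructed outer orchestrator / nested orchestrator / workload tree; the per-task record of which orchestrator set the current value is an assumption of this model, introduced so the "not the same orchestrator as the one that set it" rule can be checked.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class Task:
    pid: int
    ppid: Optional[int]
    contid: Optional[int] = None  # audit container ID; None means unset
    setter: Optional[int] = None  # assumed bookkeeping: pid of orchestrator that set contid

def is_descendant(tasks: Dict[int, Task], pid: int, ancestor: int) -> bool:
    # Strict: walk the parent chain, so a task is never its own descendant.
    cur = tasks[pid].ppid
    while cur is not None and cur != ancestor:
        cur = tasks[cur].ppid
    return cur == ancestor

def may_set_contid(tasks: Dict[int, Task], orch: int, target: int) -> str:
    t = tasks[target]
    if not is_descendant(tasks, target, orch):
        return "EPERM: target not below orchestrator"
    if t.contid is None:
        return "OK"
    # Changing a set or inherited value is nesting: the changer must be
    # below, and distinct from, the orchestrator that set the current value.
    if t.setter == orch:
        return "EPERM: same orchestrator that set it"
    if not is_descendant(tasks, orch, t.setter):
        return "EPERM: orchestrator not below the setter"
    return "OK"

def set_contid(tasks: Dict[int, Task], orch: int, target: int, contid: int) -> str:
    verdict = may_set_contid(tasks, orch, target)
    if verdict == "OK":
        tasks[target].contid, tasks[target].setter = contid, orch
    return verdict

def fork(tasks: Dict[int, Task], parent: int, child: int) -> None:
    p = tasks[parent]  # children inherit the contid and who set it
    tasks[child] = Task(child, parent, p.contid, p.setter)

def nested_scenario() -> Dict[str, str]:
    # Constructed tree: outer orchestrator 1 -> nested orchestrator 10 -> workload 100
    tasks = {1: Task(1, None)}
    fork(tasks, 1, 10)
    out = {"outer sets nested": set_contid(tasks, 1, 10, 0xA)}
    fork(tasks, 10, 100)  # workload inherits 0xA, set by pid 1
    out["nested renests workload"] = set_contid(tasks, 10, 100, 0xB)
    out["outer reaches past nested"] = set_contid(tasks, 1, 100, 0xC)
    out["nested changes own setting"] = set_contid(tasks, 10, 100, 0xD)
    out["workload targets ancestor"] = set_contid(tasks, 100, 10, 0xE)
    out["nested targets itself"] = set_contid(tasks, 10, 10, 0xF)
    return out
```

Under these rules the outer orchestrator can place the nested orchestrator in a container, the nested orchestrator can re-nest its own child once, and neither the outer orchestrator (not below the setter) nor the nested one (same setter) can change that value again.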