Re: [PATCH ghak90 V6 02/10] audit: add container id

On 2019-05-29 11:29, Paul Moore wrote:

> The idea is that only container orchestrators should be able to > set/modify the audit container ID, and since setting the audit > container ID can have a significant effect on the records captured > (and their routing to multiple daemons when we get there) modifying > the audit container ID is akin to modifying the audit configuration > which is why it is gated by CAP_AUDIT_CONTROL. The current thinking > is that you would only change the audit container ID from one > set/inherited value to another if you were nesting containers, in > which case the nested container orchestrator would need to be granted > CAP_AUDIT_CONTROL (which everyone to date seems to agree is a workable > compromise). We did consider allowing for a chain of nested audit > container IDs, but the implications of doing so are significant > (implementation mess, runtime cost, etc.) so we are leaving that out > of this effort. We had previously discussed the idea of restricting orchestrators/engines from only being able to set the audit container identifier on their own descendants, but it was discarded. I've added a check to ensure this is now enforced.

I've also added a check to ensure that a process can't set its own audit container identifier ...

... and that if the identifier is already set, then the orchestrator/engine must be in a descendant user namespace from the orchestrator that set the previously inherited audit container identifier.