On Wed, Sep 18, 2019 at 9:27 PM Richard Guy Briggs <rgb(a)redhat.com> wrote:
> Track the parent container of a container to be able to filter and
> report nesting.
>
> Now that we have a way to track and check the parent container of a
> container, fixup other patches, or squash all nesting fixes together.
>
> fixup! audit: add container id
> fixup! audit: log drop of contid on exit of last task
> fixup! audit: log container info of syscalls
> fixup! audit: add containerid filtering
> fixup! audit: NETFILTER_PKT: record each container ID associated with a netNS
> fixup! audit: convert to contid list to check for orch/engine ownership softirq (for
> netfilter) audit: protect contid list lock from softirq
>
> Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
> ---
> include/linux/audit.h | 1 +
> kernel/audit.c | 67 ++++++++++++++++++++++++++++++++++++++++++---------
> kernel/audit.h | 3 +++
> kernel/auditfilter.c | 20 ++++++++++++++-
> kernel/auditsc.c | 2 +-
> 5 files changed, 79 insertions(+), 14 deletions(-)
This is my last comment of the patchset because this is where it
starts to get a little weird. I know we've talked about fixup!
patches some in the past, but perhaps I didn't do a very good job
communicating my point; let me try again.
Submitting a fixup patch is okay if you've already posted a (lengthy)
patchset and there was a small nit that someone uncovered that needed
to be fixed prior to merging, assuming everyone (this includes the
reviewer, the patch author, and the maintainer) is okay with the
author posting the fix as a fixup! patch, then go for it. Done this way,
fixup patches can save a lot of development, testing, and review time.
However, in my opinion it is wrong to submit a patchset that has fixup
patches as part of the original posting. In this case fixup patches
have the opposite effect: the patchset becomes more complicated,
reviews take longer, and the likelihood of missing important details
increases.
When in doubt, don't submit separate fixup patches, fold them into the
original patches instead.
--
paul moore
www.paul-moore.com