Re: RFC(v2): Audit Kernel Container IDs

From: James Bottomley
Date: Tue Oct 17 2017 - 13:57:53 EST

Next message: Joshua Kinard: "[PATCH] net/ethernet/sgi: Code cleanup"
Previous message: Sean Paul: "Re: [RFC PATCH v4 2/8] drm/rockchip: analogix_dp: Fix error handling path"
In reply to: Steve Grubb: "Re: RFC(v2): Audit Kernel Container IDs"
Next in thread: Steve Grubb: "Re: RFC(v2): Audit Kernel Container IDs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 2017-10-17 at 13:15 -0400, Steve Grubb wrote:
> On Tuesday, October 17, 2017 12:43:18 PM EDT Casey Schaufler wrote:
> >
> > >
> > > The idea is that processes spawned into a container would be
> > > labelled by the container orchestration system.ÂÂIt's unclear
> > > what should happen to processes using nsenter after the fact, but
> > > policy for that should be up to the orchestration system.
> >
> > I'm fine with that. The user space policy can be anything y'all
> > like.
>
> I think there should be a login event.

I thought you wanted this for containers? ÂContainer creation doesn't
have login events. ÂIn an unprivileged orchestration system it may be
hard to synthetically manufacture them.

James

Next message: Joshua Kinard: "[PATCH] net/ethernet/sgi: Code cleanup"
Previous message: Sean Paul: "Re: [RFC PATCH v4 2/8] drm/rockchip: analogix_dp: Fix error handling path"
In reply to: Steve Grubb: "Re: RFC(v2): Audit Kernel Container IDs"
Next in thread: Steve Grubb: "Re: RFC(v2): Audit Kernel Container IDs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]