Re: RFC(v2): Audit Kernel Container IDs

From: James Bottomley
Date: Tue Oct 17 2017 - 13:57:53 EST


On Tue, 2017-10-17 at 13:15 -0400, Steve Grubb wrote:
> On Tuesday, October 17, 2017 12:43:18 PM EDT Casey Schaufler wrote:
> >
> > >
> > > The idea is that processes spawned into a container would be
> > > labelled by the container orchestration system.ÂÂIt's unclear
> > > what should happen to processes using nsenter after the fact, but
> > > policy for that should be up to the orchestration system.
> >
> > I'm fine with that. The user space policy can be anything y'all
> > like.
>
> I think there should be a login event.

I thought you wanted this for containers? ÂContainer creation doesn't
have login events. ÂIn an unprivileged orchestration system it may be
hard to synthetically manufacture them.

James