Re: [RFC PATCH ghak32 V2 01/13] audit: add container id

[RFC PATCH ghak32 V2 00/13] audit: implement container id · Richard Guy Briggs <hidden> · 2018-03-16
[RFC PATCH ghak32 V2 02/13] audit: check children and threading before allowing containerid · Richard Guy Briggs <hidden> · 2018-03-16
Re: [RFC PATCH ghak32 V2 02/13] audit: check children and threading before allowing containerid · Paul Moore <paul@paul-moore.com> · 2018-04-19
[RFC PATCH ghak32 V2 04/13] audit: add containerid filtering · Richard Guy Briggs <hidden> · 2018-03-16
Re: [RFC PATCH ghak32 V2 04/13] audit: add containerid filtering · Paul Moore <paul@paul-moore.com> · 2018-04-19
Re: [RFC PATCH ghak32 V2 04/13] audit: add containerid filtering · Richard Guy Briggs <hidden> · 2018-04-19
[RFC PATCH ghak32 V2 05/13] audit: add containerid support for ptrace and signals · Richard Guy Briggs <hidden> · 2018-03-16
Re: [RFC PATCH ghak32 V2 05/13] audit: add containerid support for ptrace and signals · Paul Moore <paul@paul-moore.com> · 2018-04-19
Re: [RFC PATCH ghak32 V2 05/13] audit: add containerid support for ptrace and signals · Richard Guy Briggs <hidden> · 2018-04-20
Re: [RFC PATCH ghak32 V2 05/13] audit: add containerid support for ptrace and signals · Paul Moore <paul@paul-moore.com> · 2018-04-20
[RFC PATCH ghak32 V2 08/13] audit: add containerid support for tty_audit · Richard Guy Briggs <hidden> · 2018-03-16
[RFC PATCH ghak32 V2 09/13] audit: add containerid support for config/feature/user records · Richard Guy Briggs <hidden> · 2018-03-16
Re: [RFC PATCH ghak32 V2 09/13] audit: add containerid support for config/feature/user records · Paul Moore <paul@paul-moore.com> · 2018-04-19
Re: [RFC PATCH ghak32 V2 09/13] audit: add containerid support for config/feature/user records · Richard Guy Briggs <hidden> · 2018-04-19
Re: [RFC PATCH ghak32 V2 09/13] audit: add containerid support for config/feature/user records · Paul Moore <paul@paul-moore.com> · 2018-04-19
[RFC PATCH ghak32 V2 12/13] audit: NETFILTER_PKT: record each container ID associated with a netNS · Richard Guy Briggs <hidden> · 2018-03-16
Re: [RFC PATCH ghak32 V2 12/13] audit: NETFILTER_PKT: record each container ID associated with a netNS · Paul Moore <paul@paul-moore.com> · 2018-04-19
Re: [RFC PATCH ghak32 V2 12/13] audit: NETFILTER_PKT: record each container ID associated with a netNS · Richard Guy Briggs <hidden> · 2018-04-19
Re: [RFC PATCH ghak32 V2 12/13] audit: NETFILTER_PKT: record each container ID associated with a netNS · Paul Moore <paul@paul-moore.com> · 2018-04-19
[RFC PATCH ghak32 V2 01/13] audit: add container id · Richard Guy Briggs <hidden> · 2018-03-16
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Jonathan Corbet <corbet@lwn.net> · 2018-03-28
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Richard Guy Briggs <hidden> · 2018-03-29
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Jonathan Corbet <corbet@lwn.net> · 2018-03-29
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Richard Guy Briggs <hidden> · 2018-03-30
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Paul Moore <paul@paul-moore.com> · 2018-04-18
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Casey Schaufler <casey@schaufler-ca.com> · 2018-04-19
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Paul Moore <paul@paul-moore.com> · 2018-04-19
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Casey Schaufler <casey@schaufler-ca.com> · 2018-04-19
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Richard Guy Briggs <hidden> · 2018-04-21
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Paul Moore <paul@paul-moore.com> · 2018-04-23
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Richard Guy Briggs <hidden> · 2018-04-24
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Paul Moore <paul@paul-moore.com> · 2018-04-24
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Richard Guy Briggs <hidden> · 2018-04-25
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Paul Moore <paul@paul-moore.com> · 2018-04-26
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Richard Guy Briggs <hidden> · 2018-05-06
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Steve Grubb <hidden> · 2018-05-17
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Richard Guy Briggs <hidden> · 2018-05-17
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Steve Grubb <hidden> · 2018-05-18
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Richard Guy Briggs <hidden> · 2018-05-18
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Steve Grubb <hidden> · 2018-05-18
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Richard Guy Briggs <hidden> · 2018-06-01
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Steve Grubb <hidden> · 2018-06-04
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Richard Guy Briggs <hidden> · 2018-06-04
Re: [RFC PATCH ghak32 V2 01/13] audit: add container id · Richard Guy Briggs <hidden> · 2018-06-04
[RFC PATCH ghak32 V2 03/13] audit: log container info of syscalls · Richard Guy Briggs <hidden> · 2018-03-16
Re: [RFC PATCH ghak32 V2 03/13] audit: log container info of syscalls · Steve Grubb <hidden> · 2018-05-17
Re: [RFC PATCH ghak32 V2 03/13] audit: log container info of syscalls · Richard Guy Briggs <hidden> · 2018-05-17
Re: [RFC PATCH ghak32 V2 03/13] audit: log container info of syscalls · Steve Grubb <hidden> · 2018-05-21
[RFC PATCH ghak32 V2 06/13] audit: add support for non-syscall auxiliary records · Richard Guy Briggs <hidden> · 2018-03-16
Re: [RFC PATCH ghak32 V2 06/13] audit: add support for non-syscall auxiliary records · Paul Moore <paul@paul-moore.com> · 2018-04-19
Re: [RFC PATCH ghak32 V2 06/13] audit: add support for non-syscall auxiliary records · Richard Guy Briggs <hidden> · 2018-04-20
Re: [RFC PATCH ghak32 V2 06/13] audit: add support for non-syscall auxiliary records · Paul Moore <paul@paul-moore.com> · 2018-04-20
[RFC PATCH ghak32 V2 07/13] audit: add container aux record to watch/tree/mark · Richard Guy Briggs <hidden> · 2018-03-16
Re: [RFC PATCH ghak32 V2 07/13] audit: add container aux record to watch/tree/mark · Paul Moore <paul@paul-moore.com> · 2018-04-19
Re: [RFC PATCH ghak32 V2 07/13] audit: add container aux record to watch/tree/mark · Richard Guy Briggs <hidden> · 2018-04-19
[RFC PATCH ghak32 V2 10/13] audit: add containerid support for seccomp and anom_abend records · Richard Guy Briggs <hidden> · 2018-03-16
Re: [RFC PATCH ghak32 V2 10/13] audit: add containerid support for seccomp and anom_abend records · Paul Moore <paul@paul-moore.com> · 2018-04-19
Re: [RFC PATCH ghak32 V2 10/13] audit: add containerid support for seccomp and anom_abend records · Richard Guy Briggs <hidden> · 2018-04-20
Re: [RFC PATCH ghak32 V2 10/13] audit: add containerid support for seccomp and anom_abend records · Paul Moore <paul@paul-moore.com> · 2018-04-20
[RFC PATCH ghak32 V2 11/13] audit: add support for containerid to network namespaces · Richard Guy Briggs <hidden> · 2018-03-16
Re: [RFC PATCH ghak32 V2 11/13] audit: add support for containerid to network namespaces · Paul Moore <paul@paul-moore.com> · 2018-04-19
Re: [RFC PATCH ghak32 V2 11/13] audit: add support for containerid to network namespaces · Richard Guy Briggs <hidden> · 2018-04-20
Re: [RFC PATCH ghak32 V2 11/13] audit: add support for containerid to network namespaces · Paul Moore <paul@paul-moore.com> · 2018-04-20
Re: [RFC PATCH ghak32 V2 11/13] audit: add support for containerid to network namespaces · Richard Guy Briggs <hidden> · 2018-04-20
Re: [RFC PATCH ghak32 V2 11/13] audit: add support for containerid to network namespaces · Paul Moore <paul@paul-moore.com> · 2018-04-21
[RFC PATCH ghak32 V2 13/13] debug audit: read container ID of a process · Richard Guy Briggs <hidden> · 2018-03-16
Re: [RFC PATCH ghak32 V2 13/13] debug audit: read container ID of a process · Steve Grubb <hidden> · 2018-05-21
Re: [RFC PATCH ghak32 V2 00/13] audit: implement container id · Steve Grubb <hidden> · 2018-05-30
Re: [RFC PATCH ghak32 V2 00/13] audit: implement container id · Richard Guy Briggs <hidden> · 2018-05-30

From: Jonathan Corbet <corbet@lwn.net>
Date: 2018-03-28 18:39:12
Also in: cgroups, linux-fsdevel, lkml, netdev

On Fri, 16 Mar 2018 05:00:28 -0400
Richard Guy Briggs [off-list ref] wrote:

Implement the proc fs write to set the audit container ID of a process,
emitting an AUDIT_CONTAINER record to document the event.

A little detail, but still...

+static int audit_set_containerid_perm(struct task_struct *task, u64 containerid)
+{
+	struct task_struct *parent;
+	u64 pcontainerid, ccontainerid;
+
+	/* Don't allow to set our own containerid */
+	if (current == task)
+		return -EPERM;
+	/* Don't allow the containerid to be unset */
+	if (!cid_valid(containerid))
+		return -EINVAL;

I went looking for cid_valid(), but it turns out you don't add it until
patch 5.  That, I expect, will not be good for bisectability (or patch
review).

Thanks,

jon

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help