On Tue, May 22, 2018 at 1:35 PM, Richard Guy Briggs [off-list ref] wrote:

On 2018-05-21 16:06, Paul Moore wrote:

quoted

On Mon, May 21, 2018 at 3:19 PM, Eric W. Biederman [off-list ref] wrote:

quoted

Steve Grubb [off-list ref] writes:

quoted

On Friday, March 16, 2018 5:00:40 AM EDT Richard Guy Briggs wrote:

quoted

Add support for reading the container ID from the proc filesystem.

I think this could be useful in general. Please consider this to be part of
the full patch set and not something merely used to debug the patches.

Only with an audit specific name.

As it is:

Nacked-by: "Eric W. Biederman" [off-list ref]

The truth is the containerid name really stinks and is quite confusing
and does not imply that the label applies only to audit.  And little
things like this make me extremely uncofortable with it.

It also makes the audit container ID (notice how I *always* call it
the *audit* container ID? that is not an accident) available for
userspace applications to abuse.  Perhaps in the future we can look at
ways to make this more available to applications, but this patch is
not the answer.

Do you have a productive suggestion?

I haven't given it much thought beyond our discussions and until we
get the basic audit container ID support in place (all the other parts
of this patchset) I doubt I'll be giving it much thought.

-- 
paul moore
www.paul-moore.com