On Mon, Mar 18, 2013 at 02:44:33PM -0700, Eric W. Biederman wrote:
> Aristeu Rozanski <[email protected]> writes:
>
> > For userspace generated events, include a record with the namespace
> > procfs inode numbers the process belongs to. This allows tracking down
> > and filtering audit messages by userspace.
>
> I am not comfortable with using the inode numbers this way. It does not
> pass the "can I migrate a container and still have this work" test. Any
> kind of kernel-assigned name for namespaces fails that test.
>
> I also don't like that you don't include the procfs device number. An
> inode number means nothing without knowing which filesystem you are
> referring to.
>
> It may never happen, but I reserve the right to have the inode numbers
> for namespaces show up differently in different instances of procfs.

Well, in this case the whole idea is invalid. There's no way to reliably
identify which namespaces a process belongs to for logging purposes.

> Beyond that I think this usage is possibly buggy by using two audit
> records for one event.

This is valid; the records are related and they show up with the same
timestamp.

-- 
Aristeu

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
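Two points from the exchange above can be made concrete from the consumer side, as an added example that is not code from the thread, from the patch under review, or from the kernel: a namespace is only identified by the (st_dev, st_ino) pair of its /proc/<pid>/ns/<type> link, not by the inode number alone, and audit records that belong to one event share the same msg=audit(<timestamp>:<serial>) key, which is how a log consumer groups them. The record type NS_INFO, its field names (dev=, netns=, mntns=, pidns=) and the sample log lines are constructed for illustration; the thread does not show the patch's record format.

```python
"""Added example (not from the linux-audit thread, the patch, or the kernel).

1. ns_identity()/same_namespace(): a namespace identity is the
   (st_dev, st_ino) pair of /proc/<pid>/ns/<type>; same_inode_only()
   is the incomplete comparison the reviewer objects to.
2. group_events(): audit records of one event share the
   msg=audit(<timestamp>:<serial>) key, so a consumer groups on it.

NS_INFO and its fields (dev=, netns=, mntns=, pidns=) are assumed names;
the sample log lines below are constructed, not captured output.
"""
import os
import re
from collections import defaultdict


def ns_identity(ns_type, pid="self"):
    """Return (st_dev, st_ino) for /proc/<pid>/ns/<ns_type>.

    os.stat() follows the magic link onto the nsfs inode.  Both numbers are
    needed: an inode number is unique only within one filesystem instance.
    """
    st = os.stat(f"/proc/{pid}/ns/{ns_type}")
    return (st.st_dev, st.st_ino)


def same_namespace(a, b):
    """Full comparison: device and inode must both match."""
    return a[0] == b[0] and a[1] == b[1]


def same_inode_only(a, b):
    """Incomplete comparison (ignores st_dev), kept to show the ambiguity."""
    return a[1] == b[1]


AUDIT_KEY = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Split 'type=X msg=audit(ts:serial): k=v ...' into its parts.

    The quoted msg='...' payload of user records is not decoded further.
    """
    if not line.startswith("type="):
        raise ValueError(f"not an audit record: {line!r}")
    rtype = line.split()[0].split("=", 1)[1]
    m = AUDIT_KEY.search(line)
    if not m:
        raise ValueError(f"no audit key in: {line!r}")
    ts, serial, rest = m.groups()
    return {"type": rtype, "ts": ts, "serial": int(serial),
            "fields": dict(FIELD.findall(rest))}


def group_events(lines):
    """Group records by (timestamp, serial); one event may span several records."""
    events = defaultdict(list)
    for line in lines:
        line = line.strip()
        if line:
            rec = parse_record(line)
            events[(rec["ts"], rec["serial"])].append(rec)
    return dict(events)


# Constructed sample: a user login event emitted as two records with the same
# key, followed by a separate event.  The dev= field is an assumption showing
# what the reviewer asked for; inode values are typical nsfs numbers.
SAMPLE_LOG = """
type=USER_LOGIN msg=audit(1363644273.123:456): pid=2044 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" res=success'
type=NS_INFO msg=audit(1363644273.123:456): dev=00:03 netns=4026531956 mntns=4026531840 pidns=4026531836
type=USER_LOGIN msg=audit(1363644280.001:457): pid=2051 uid=0 auid=1001 ses=4 msg='op=login id=1001 exe="/usr/sbin/sshd" res=failed'
"""


if __name__ == "__main__":
    for key, recs in sorted(group_events(SAMPLE_LOG.splitlines()).items()):
        print(key, [r["type"] for r in recs])
    try:
        for ns in ("mnt", "net", "pid", "uts"):
            print(ns, "dev:ino =", ns_identity(ns))
    except (FileNotFoundError, PermissionError) as e:
        print("cannot read /proc/self/ns:", e)
```

Grouping on the (timestamp, serial) key is what ties the NS_INFO record to the USER_LOGIN record it describes; an inode-only comparison of the namespace fields, as same_inode_only() shows, cannot tell two namespaces on different procfs instances apart.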
