On Thursday, May 14, 2015 08:48:55 PM Richard Guy Briggs wrote: > On 15/05/14, Steve Grubb wrote: > > What they would want to know is what resources were assigned; if two > > containers shared a resource, what resource and container was it shared > > with; if two containers can communicate, we need to see or control > > information flow when necessary; and we need to see termination and > > release of resources. > > So, namespaces are a big part of this. I understand how they are > spawned and potentially shared. I have a more vague idea about how > cgroups contribute to this concept of a container. So far, I have very > little idea how seccomp contributes, but I assume that it will also need > to be part of this tracking.
It doesn't, really. We shouldn't worry about seccomp from a namespace/container auditing perspective. The normal seccomp auditing should be sufficient for namespaces/containers. -- paul moore security @ redhat -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
