Re: [PATCH] capabilities: audit capability use

2016-07-13 Thread Topi Miettinen
On 07/12/16 13:16, Eric W. Biederman wrote: > Topi Miettinen writes: > >> On 07/11/16 21:57, Eric W. Biederman wrote: >>> Topi Miettinen writes: >>> There are many basic ways to control processes, including capabilities, cgroups and resource limits. However, there are far fewer ways

Re: [PATCH] capabilities: audit capability use

2016-07-13 Thread Topi Miettinen
On 07/12/16 14:59, Tejun Heo wrote: > On Mon, Jul 11, 2016 at 07:47:44PM +, Topi Miettinen wrote: >> It's really critical to be able to associate a task in the logs to >> cgroups which were valid that time. Or can we infer somehow what cgroups > > When is "that time"? Without logging all

Re: [PATCH] capabilities: audit capability use

2016-07-12 Thread Paul Moore
On Tue, Jul 12, 2016 at 9:16 AM, Eric W. Biederman wrote: > Not logging capabilities outside of the initial user namespace is > certainly the conservative place to start, and what selinux does. FYI, we added some basic userns capability smarts to SELinux in Linux 4.7. commit

Re: [PATCH] capabilities: audit capability use

2016-07-12 Thread Paul Moore
On Mon, Jul 11, 2016 at 7:14 AM, Topi Miettinen wrote: > There are many basic ways to control processes, including capabilities, > cgroups and resource limits. However, there are far fewer ways to find > out useful values for the limits, except blind trial and error. > > Currently, there is no

Re: [PATCH] capabilities: audit capability use

2016-07-12 Thread Tejun Heo
On Mon, Jul 11, 2016 at 07:47:44PM +, Topi Miettinen wrote: > It's really critical to be able to associate a task in the logs to > cgroups which were valid that time. Or can we infer somehow what cgroups When is "that time"? Without logging all operations, this is meaningless. > a task was

Re: [PATCH] capabilities: audit capability use

2016-07-12 Thread Eric W. Biederman
Topi Miettinen writes: > On 07/11/16 21:57, Eric W. Biederman wrote: >> Topi Miettinen writes: >> >>> There are many basic ways to control processes, including capabilities, >>> cgroups and resource limits. However, there are far fewer ways to find >>> out useful values for the limits, except

Re: [PATCH] capabilities: audit capability use

2016-07-12 Thread Topi Miettinen
On 07/11/16 21:57, Eric W. Biederman wrote: > Topi Miettinen writes: > >> There are many basic ways to control processes, including capabilities, >> cgroups and resource limits. However, there are far fewer ways to find >> out useful values for the limits, except blind trial and error. >> >>

Re: [PATCH] capabilities: audit capability use

2016-07-11 Thread Eric W. Biederman
Topi Miettinen writes: > There are many basic ways to control processes, including capabilities, > cgroups and resource limits. However, there are far fewer ways to find > out useful values for the limits, except blind trial and error. > > Currently, there is no way to know which capabilities

Re: [PATCH] capabilities: audit capability use

2016-07-11 Thread Topi Miettinen
On 07/11/16 17:09, Tejun Heo wrote: > Hello, > > On Mon, Jul 11, 2016 at 02:14:31PM +0300, Topi Miettinen wrote: >> [ 28.443674] audit: type=1327 audit(1468234333.144:520): >> proctitle=6D6B6E6F64002F6465762F7A5F343639006300310032 >> [ 28.465888] audit: type=1330 audit(1468234333.144:520):

Re: [PATCH] capabilities: audit capability use

2016-07-11 Thread Topi Miettinen
On 07/11/16 16:05, Topi Miettinen wrote: > On 07/11/16 15:25, Serge E. Hallyn wrote: >> Quoting Topi Miettinen (toiwo...@gmail.com): >>> There are many basic ways to control processes, including capabilities, >>> cgroups and resource limits. However, there are far fewer ways to find >>> out useful

Re: [PATCH] capabilities: audit capability use

2016-07-11 Thread Tejun Heo
Hello, On Mon, Jul 11, 2016 at 02:14:31PM +0300, Topi Miettinen wrote: > [ 28.443674] audit: type=1327 audit(1468234333.144:520): > proctitle=6D6B6E6F64002F6465762F7A5F343639006300310032 > [ 28.465888] audit: type=1330 audit(1468234333.144:520): > cap_used=0800 > [ 28.482080]
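The two records quoted above (the existing type=1327 proctitle record and the patch's new type=1330 cap_used record, tied together by the audit serial) are only useful once decoded. What follows is an added example, not code from the patch or from anyone in the thread: it groups records by serial, decodes the hex-encoded proctitle into argv and the cap_used bitmask into CAP_* names, and accumulates a per-program capability profile that can be turned into a systemd CapabilityBoundingSet= line, which is the "useful value for the limit" the patch is after. Assumptions: the sample log is constructed in the dmesg shape shown in the thread (only the mknod proctitle is taken from the thread; every cap_used value is constructed, with 08000000 read as bit 27, CAP_MKNOD, matching that proctitle); cap_used is treated as a plain hex bitmask with bit N meaning capability N; the capability numbering is that of include/uapi/linux/capability.h up to CAP_AUDIT_READ (37).

```python
import re

# Capability bit numbers from include/uapi/linux/capability.h as of Linux 4.7
# (CAP_CHOWN = 0 ... CAP_AUDIT_READ = 37). Assumed to match the kernel that
# produced the records; a newer kernel may set bits above 37.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read",
]

# One audit record per line, in the dmesg form quoted in the thread.
RECORD_RE = re.compile(r"audit: type=(\d+) audit\((\d+\.\d+):(\d+)\): (.*)$")


def decode_caps(mask_hex):
    """Turn a hex capability bitmask into cap_* names, lowest bit first.

    Assumption: cap_used is a plain hex bitmask with bit N == capability N.
    Bits beyond the table are reported as cap_N rather than silently dropped.
    """
    mask = int(mask_hex, 16)
    return [
        "cap_" + (CAP_NAMES[bit] if bit < len(CAP_NAMES) else str(bit))
        for bit in range(mask.bit_length())
        if mask & (1 << bit)
    ]


def decode_proctitle(hex_str):
    """Audit's proctitle is argv as hex bytes with NUL separating arguments."""
    raw = bytes.fromhex(hex_str).rstrip(b"\0")
    return [arg.decode("utf-8", "replace") for arg in raw.split(b"\0")]


def parse_records(lines):
    """Group records by audit serial: {serial: {record_type: {field: value}}}."""
    events = {}
    for line in lines:
        m = RECORD_RE.search(line)
        if not m:
            continue  # not an audit record, or one this parser does not handle
        rtype, _ts, serial, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        events.setdefault(int(serial), {})[int(rtype)] = fields
    return events


def capability_profile(lines):
    """Map argv[0] to the union of capabilities it was observed using.

    Only events carrying the patch's type=1330 record count; the type=1327
    proctitle record with the same serial supplies the command line.
    """
    profile = {}
    for recs in parse_records(lines).values():
        if 1330 not in recs or "cap_used" not in recs[1330]:
            continue
        argv = decode_proctitle(recs[1327]["proctitle"]) if 1327 in recs else ["?"]
        profile.setdefault(argv[0], set()).update(decode_caps(recs[1330]["cap_used"]))
    return profile


def bounding_set_line(caps):
    """Render a capability set as a systemd CapabilityBoundingSet= directive."""
    return "CapabilityBoundingSet=" + " ".join(sorted(c.upper() for c in caps))


# Constructed sample log. The first proctitle is the one from the thread (it
# decodes to "mknod /dev/z_469 c 1 2"); all cap_used values are constructed:
# 08000000 is bit 27 (CAP_MKNOD), 00002000 bit 13 (CAP_NET_RAW),
# 00001000 bit 12 (CAP_NET_ADMIN), 08000002 bits 27 and 1 (CAP_DAC_OVERRIDE).
SAMPLE_LOG = """\
[   28.443674] audit: type=1327 audit(1468234333.144:520): proctitle=6D6B6E6F64002F6465762F7A5F343639006300310032
[   28.465888] audit: type=1330 audit(1468234333.144:520): cap_used=08000000
[   31.102200] audit: type=1300 audit(1468234336.001:521): arch=c000003e syscall=59 success=yes exit=0
[   31.102311] audit: type=1327 audit(1468234336.001:521): proctitle=70696E67002D630031003132372E302E302E31
[   31.102402] audit: type=1330 audit(1468234336.001:521): cap_used=00002000
[   33.550001] audit: type=1327 audit(1468234338.450:522): proctitle=6970006C696E6B00736574006C6F007570
[   33.550100] audit: type=1330 audit(1468234338.450:522): cap_used=00001000
[   35.000001] audit: type=1327 audit(1468234340.000:523): proctitle=6D6B6E6F64002F6465762F7A5F343730006300310033
[   35.000100] audit: type=1330 audit(1468234340.000:523): cap_used=08000002
""".splitlines()

if __name__ == "__main__":
    for prog, caps in sorted(capability_profile(SAMPLE_LOG).items()):
        print(f"{prog}: {bounding_set_line(caps)}")
```

The profile is a union over every observed event for a given argv[0], so a program that needed CAP_DAC_OVERRIDE only once still gets it in the bounding set; that is the right direction for a first cut, since a too-tight set breaks the service and a too-loose one is still far tighter than the default. The regex targets the dmesg form quoted in the thread; lines taken from auditd's raw log (type=PROCTITLE msg=audit(...): ...) carry the type as a name rather than a number and would need the pattern adapted.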

Re: [PATCH] capabilities: audit capability use

2016-07-11 Thread Topi Miettinen
On 07/11/16 15:25, Serge E. Hallyn wrote: > Quoting Topi Miettinen (toiwo...@gmail.com): >> There are many basic ways to control processes, including capabilities, >> cgroups and resource limits. However, there are far fewer ways to find >> out useful values for the limits, except blind trial and

Re: [PATCH] capabilities: audit capability use

2016-07-11 Thread Serge E. Hallyn
Quoting Topi Miettinen (toiwo...@gmail.com): > There are many basic ways to control processes, including capabilities, > cgroups and resource limits. However, there are far fewer ways to find > out useful values for the limits, except blind trial and error. > > Currently, there is no way to know

[PATCH] capabilities: audit capability use

2016-07-11 Thread Topi Miettinen
There are many basic ways to control processes, including capabilities, cgroups and resource limits. However, there are far fewer ways to find out useful values for the limits, except blind trial and error. Currently, there is no way to know which capabilities are actually used. Even the source

Re: [PATCH] capabilities: audit capability use

2016-07-03 Thread kbuild test robot
Hi, [auto build test ERROR on cgroup/for-next] [also build test ERROR on v4.7-rc5] [cannot apply to next-20160701] [if your patch is applied to the wrong git tree, please drop us a note to help improve the system] url:
