[PATCH V6 05/10] audit: log creation and deletion of namespace instances
Paul Moore
pmoore at redhat.com
Fri May 15 20:26:41 UTC 2015
On Thursday, May 14, 2015 08:48:55 PM Richard Guy Briggs wrote:
> On 15/05/14, Steve Grubb wrote:
> > What they would want to know is what resources were assigned; if two
> > containers shared a resource, what resource and container was it shared
> > with; if two containers can communicate, we need to see or control
> > information flow when necessary; and we need to see termination and
> > release of resources.
>
> So, namespaces are a big part of this. I understand how they are
> spawned and potentially shared. I have a more vague idea about how
> cgroups contribute to this concept of a container. So far, I have very
> little idea how seccomp contributes, but I assume that it will also need
> to be part of this tracking.
It doesn't, really. We shouldn't worry about seccomp from a
namespace/container auditing perspective. The normal seccomp auditing should
be sufficient for namespaces/containers.
--
paul moore
security @ redhat
More information about the Containers
mailing list