RFC(v2): Audit Kernel Container IDs
James.Bottomley at HansenPartnership.com
Tue Oct 17 17:57:43 UTC 2017
On Tue, 2017-10-17 at 13:15 -0400, Steve Grubb wrote:
> On Tuesday, October 17, 2017 12:43:18 PM EDT Casey Schaufler wrote:
> > >
> > > The idea is that processes spawned into a container would be
> > > labelled by the container orchestration system. It's unclear
> > > what should happen to processes using nsenter after the fact, but
> > > policy for that should be up to the orchestration system.
> > I'm fine with that. The user space policy can be anything y'all
> > like.
> I think there should be a login event.
I thought you wanted this for containers? Container creation doesn't
have login events. In an unprivileged orchestration system it may be
hard to synthetically manufacture them.
More information about the Containers