https://lwn.net/Articles/750313/ This is a special feed containing comments posted to the individual LWN article titled "An audit container ID proposal". en-us Sun, 19 Oct 2025 08:10:18 +0000 Sun, 19 Oct 2025 08:10:18 +0000 https://www.rssboard.org/rss-specification lwn@lwn.net https://lwn.net/Articles/750676/ https://lwn.net/Articles/750676/ cyphar <div class="FormattedComment"> <font class="QuotedText">&gt; A new file (containerid) is added to each process's /proc directory; a process's container ID can be set by writing a new value to that file.</font><br> <p> Oh dear lord. I haven't been following the proposals as closely since they were reposted, but this is still getting really strange.<br> <p> I think Casey Schaufler was right in the first review cycle[1]. If we're going to add a process tagging system, we should just add a generic one (like Jose Bollo's PTAGS) and then audit can make use of it. I can think of several things that PTAGS is useful for, while I can only think of one thing that /proc/$pid/containerid would be useful for (and it wouldn't even be useful for *container runtimes* -- only for audit).<br> <p> From the original thread, the argument against (ab)using something like PTAGS for the purpose of audit was:<br> <p> <font class="QuotedText">&gt; We would love to have a generic kernel facility that the audit subsystem could use to identify containers, but we don't, and previous attempts have failed, so we have to create our own. [...] If a more general solution appears in the future I think we would make every effect to migrate to that; keeping this initial effort small should make that easier. </font><br> <p> Effectively being that "there isn't a generic kernel facility, nobody is willing to merge one, but we need something for audit and if there was a generic facility we would use it". Surely someone pushing for an audit-specific process tagging system (called /proc/$pid/containerid even though it's specific to audit) should be enough reason for the relevant maintainers to consider something like PTAGS more seriously?<br> <p> I'm sure that the PTAGS-audit integration would have some quirks (I imagine CAP_AUDIT_CONTROL will be a point of contention) but I'm sure something like "security.*" xattr namespacing would be applicable.<br> <p> [1]: <a href="https://lwn.net/Articles/740765/">https://lwn.net/Articles/740765/</a><br> </div> Sun, 01 Apr 2018 12:41:20 +0000 https://lwn.net/Articles/750598/ https://lwn.net/Articles/750598/ nix <div class="FormattedComment"> Also the process can't have started any children or threads yet.<br> <p> Definitely this requires cooperation, or PTRACE_O_TRACEEXEC to stop it instantly (which seems like horrible overkill, but then, this whole API seems like a horrible hack to me: ptags is obviously better in every way except if you're only looking at auditing and nothing else).<br> </div> Fri, 30 Mar 2018 21:36:06 +0000 https://lwn.net/Articles/750531/ https://lwn.net/Articles/750531/ comio <div class="FormattedComment"> I think that only the launcher (i.e. docker executable?) will have the CAP_AUDIT_CONTROL enabled. The other processes will just inherit the value during the fork/clone syscall.<br> </div> Fri, 30 Mar 2018 12:03:34 +0000 https://lwn.net/Articles/750525/ https://lwn.net/Articles/750525/ josh <div class="FormattedComment"> So, you have to have already started the process, and then set the ID from outside the process. That seems like a painful synchronization problem requiring a cooperative process regardless.<br> </div> Fri, 30 Mar 2018 11:00:10 +0000