From: Steve Grubb <sgrubb@redhat.com>
To: Jiri Kosina <jikos@kernel.org>
Cc: Andy Lutomirski <luto@kernel.org>,
	Paul Moore <paul@paul-moore.com>,
	linux-audit@redhat.com, Andrew Morton <akpm@linux-foundation.org>,
	Michal Hocko <mhocko@suse.com>, Oleg Nesterov <oleg@redhat.com>,
	LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated
Date: Mon, 19 Mar 2018 13:04:38 -0400
Message-ID: <1768479.at3cVp0HA2@x2>
In-Reply-To: <nycvar.YFH.7.76.1803140124210.15778@cbobk.fhfr.pm>

On Tuesday, March 13, 2018 8:28:57 PM EDT Jiri Kosina wrote:
> On Wed, 14 Mar 2018, Andy Lutomirski wrote:
> > > Yes...I wished I was in on the beginning of this discussion. Here's the
> > > problem. We need all tasks auditable unless specifically dismissed as
> > > uninteresting. This would be a task,never rule.
> > > 
> > > The way we look at it, is if it boots with audit=1, then we know auditd
> > > is expected to run at some point. So, we need all tasks to stay
> > > auditable. If they weren't and auditd enabled auditing, then we'd need
> > > to walk the whole proctable and stab TIF_AUDIT_SYSCALL into every
> > > process in the system. It was decided that this is too ugly.
> > 
> > When was that decided?  That's what this patch does.
> 
> I'd like to see some more justification as well.

There was some discussion about removing the flag here:
https://www.redhat.com/archives/linux-audit/2007-October/msg00053.html

-Steve

> Namely, if I compare "setting TIF_AUDIT_SYSCALL for every process on a
> need-to-be-so basis" to "we always go through the slow path and
> pessimistically assume that audit is enabled and has reasonable ruleset
> loaded", I have my own (different) opinion of what is too ugly.
