From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: [PATCH] audit: fix broken class-based syscall audit
Date: Thu, 17 May 2007 11:45:19 -0400
Message-ID: <200705171145.19880.sgrubb@redhat.com>
References: <20070516224542.GD11536@w-m-p.com> <200705170958.25421.sgrubb@redhat.com> <20070517152333.GE11536@w-m-p.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
In-Reply-To: <20070517152333.GE11536@w-m-p.com>
Content-Disposition: inline
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Klaus Weidner
Cc: Linus Torvalds, linux-audit@redhat.com, Valdis.Kletnieks@vt.edu, Al Viro
List-Id: linux-audit@redhat.com

On Thursday 17 May 2007 11:23, Klaus Weidner wrote:
> > So, way back over at syscall entry would be the time to notice this
> > problem instead of here. If we are concerned about this, it might be a
> > general control feature like enable/disable, fail mode, or backlog. We
> > could make something to report out of range syscalls.
>
> Can we agree to do just the simple fix for this issue for now, and maybe
> revisit adding additional sanity checks later if people think they are
> helpful?

Certainly. The patch as submitted is fine and Al ack'ed it. I was thinking we
should have one more cleanup as a separate patch at some point that catches
this at syscall entry and allows ignore/printk/panic selection just like the
fail option for the audit system does. In the case of ignore (which would be
default), your patch is needed.

-Steve