From: Steve Grubb <sgrubb@redhat.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Richard Guy Briggs <rgb@redhat.com>,
	Linux-Audit Mailing List <linux-audit@redhat.com>,
	LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH ghak80 V1] audit: add syscall information to FEATURE_CHANGE records
Date: Tue, 17 Apr 2018 18:10:30 -0400
Message-ID: <2312860.Cha4zeddVm@x2>
In-Reply-To: <CAHC9VhSxjEKNcdE2Mm-Vwef6RvTG2ykGFFmeAtVypAaPRvddmg@mail.gmail.com>

On Tuesday, April 17, 2018 6:06:24 PM EDT Paul Moore wrote:
> On Wed, Apr 11, 2018 at 8:46 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > Tie syscall information to FEATURE_CHANGE calls since it is a result of
> > user action.
> > 
> > See: https://github.com/linux-audit/audit-kernel/issues/80
> > 
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> > 
> >  kernel/audit.c | 5 ++---
> >  1 file changed, 2 insertions(+), 3 deletions(-)
> > 
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index 8da24ef..23f125b 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -1103,10 +1103,9 @@ static void audit_log_feature_change(int which,
> > u32 old_feature, u32 new_feature> 
> >  {
> >  
> >         struct audit_buffer *ab;
> > 
> > -       if (audit_enabled == AUDIT_OFF)
> > +       if (!audit_enabled)
> 
> Sooo, this is an unrelated style change, why?  Looking at the rest of
> kernel/audit.c we seem to use a mix of "(!x)" and "(x == 0/CONST)" so
> why are you adding noise to this patch?
> 
> >                 return;
> > 
> > -
> > -       ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_FEATURE_CHANGE);
> > +       ab = audit_log_start(current->audit_context, GFP_KERNEL,
> > AUDIT_FEATURE_CHANGE);
> This is the important part, and the Right Thing To Do.

This is an unexpected change. I have asked questions on the github issue 
tracker but have not gotten a satisfactory answer. Please do not merge this 
until there's agreement on this.

Thanks,
-Steve

> >         if (!ab)
> >         
> >                 return;
> >         
> >         audit_log_task_info(ab, current);
> > 
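Review bot: the commit message does not say how the emitted FEATURE_CHANGE record changes once the audit_log_start() call passes current->audit_context instead of NULL, and that is the only functional change in this hunk. Please describe the resulting record (what it is now associated with, and whether the unchanged audit_log_task_info(ab, current) call below the if (!ab) check is still wanted alongside it) so that consumers of the log format can judge the change. The rewrite of "audit_enabled == AUDIT_OFF" to "!audit_enabled" and the dropped blank line are unrelated to the stated purpose and would be easier to review as a separate cleanup patch.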
> > --
> > 1.8.3.1


Thread overview: 9+ messages
2018-04-11 12:46 [PATCH ghak80 V1] audit: add syscall information to FEATURE_CHANGE records Richard Guy Briggs
2018-04-17 22:06 ` Paul Moore
2018-04-17 22:10   ` Steve Grubb [this message]
2018-04-17 22:10     ` Steve Grubb
2018-04-18  2:01     ` Paul Moore
2018-04-20 13:46   ` Richard Guy Briggs
2018-04-20 15:58     ` Paul Moore
2018-04-20 17:48       ` Richard Guy Briggs
2018-04-20 19:04         ` Paul Moore
