Re: [PATCH] IPC_SET_PERM cleanup

From: Linda Knippers <linda.knippers@hp.com>
To: Klaus Weidner <klaus@atsec.com>
Cc: linux-audit@redhat.com
Subject: Re: [PATCH] IPC_SET_PERM cleanup
Date: Tue, 09 May 2006 16:46:30 -0400	[thread overview]
Message-ID: <4460FFA6.4070506@hp.com> (raw)
In-Reply-To: <20060509203608.GF31457@w-m-p.com>

Klaus Weidner wrote:
> On Tue, May 09, 2006 at 03:10:14PM -0500, Klaus Weidner wrote:
> 
>>On Tue, May 09, 2006 at 03:11:25PM -0400, Steve Grubb wrote:
>>
>>>Bottom line, for the search API, I want all similar types to have a common 
>>>field name. They can have a modifier adjacent to them.
>>
>>If that's the way you want to do it, there needs to be a way to get the
>>modifier to disambiguate them.
>>
>>Is adding "new " modifiers the best way to do that? You could also
>>keep the field names the same and look at the syscall record type to find
>>out which context they get used in.
> 
> 
> A bit more detail... 
> 
> Here are the current audit records:
> 
> type=SYSCALL msg=audit(1146691872.791:94): arch=c000003e syscall=66 success=yes exit=0 a0=10000 a1=1 a2=1 a3=7fff328a7e70 items=0 pid=4327 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="syscalls" exe="/usr/local/eal3_testing/audit-test/syscalls/syscalls" subj=user_u:system_r:unconfined_t:s0-s0:c0.c255
> 
> type=IPC_SET_PERM msg=audit(1146691872.791:94):  new qbytes=0 new iuid=501 new igid=0 new mode=0 obj=user_u:system_r:unconfined_t:s0-s0:c0.c255
> 
> type=IPC msg=audit(1146691872.791:94):  qbytes=5a5a5a5a5a5a5a5a iuid=0 igid=0 mode=1c0 obj=user_u:system_r:unconfined_t:s0-s0:c0.c255
> 
> 
> The original patches by Dustin and Linda had used "new_iuid=501" to
> differentiate the values, which I personally think was fine since it's
> unlikely that people want to be searching for those.

And if they do, they're easy to find with an ausearch | grep.

I think Dustin and I were both trying to be consistent with the 99% of
the audit records emitted by the kernel that use single word keywords.
I also think Loulwa had a good suggestion when we suggested modifying
some of the user space audit records to also use single word keywords.

I can understand not wanting to create a bunch of new, random keywords
and I think for the kernel, we do that be reviewing new audit records
to make sure that they only contain the necessary information and re-use
existing keywords where it makes sense.  That's why I removed obj from
the IPC_SET_PERMS record and qbytes from the IPC record.  I guess for
qbytes that means that I can use qbytes instead of new_qbytes since
the IPC_SET_PERMS record is the only place where it shows up.
That's a change I'm happy to make. :-)

> If you absolutely want to avoid adding new tag names, an alternative
> would be to get rid of the "new " modifiers, and use the "type=" name to
> differentiate them. The audit parsing library could then provide an
> auparse_get_field_type() function so that the clients that care can treat
> "IPC_SET_PERM" differently from type "IPC".
> 
> Something like:
> 
> 	while (ausearch_next_event(au)) {
> 		if (auparse_find_field(au, "ouid")
> 		    && !strcmp(auparse_get_field_type(au), "IPC"))
> 		{
> 			printf("ouid=%s\n", auparse_interpret_field(au));
> 		}
> 	}
> 
> I still think that the new_* field names are fine and don't need fixing,
> but the "new" modifiers just look wrong.

I agree.  I would also like something that's easy to parse for people
not using the search API.  Our test suite doesn't use the search API
and probably never will until there's a binary record format.

-- ljk

> 
> -Klaus
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit