From: Casey Schaufler <casey@schaufler-ca.com>
To: Eric Paris <eparis@redhat.com>
Cc: linux-kernel@vger.kernel.org, libc-alpha@sourceware.org,
	dwalsh@redhat.com, dmalcolm@redhat.com, sds@tycho.nsa.gov,
	segoon@openwall.com, linux-security-module@vger.kernel.org
Subject: Re: Friendlier EPERM - Request for input
Date: Wed, 09 Jan 2013 13:36:44 -0800	[thread overview]
Message-ID: <50EDE2EC.1080104@schaufler-ca.com> (raw)
In-Reply-To: <1357765998.1342.25.camel@localhost>

On 1/9/2013 1:13 PM, Eric Paris wrote:
> On Wed, 2013-01-09 at 12:53 -0800, Casey Schaufler wrote:
>
>> Let me try again, I think I didn't quite get the idea across.
>>
>> I'm suggesting that the string returned by get_extended_error_info()
>> ought to be the audit record the system call would generate, regardless
>> of whether the audit system would emit it or not.
>> If the audit record doesn't have the information you need we should
>> fix the audit system to provide it. Any bit of the information in
>> the audit record might be relevant, and your admin or developer might
>> need to see it.
>>
>> I'm suggesting using the audit record because there are tools to
>> examine them and it's a pity to use a different format instead of
>> fixing the one that's already there.
> I get the point.  My problem with using audit records is that they have
> to be stored on disk, forever.  We have to store a record on disk for
> EVERY denial because of rwx bits, acls, capabilities, LSM, etc.  We
> don't do that today and I'm scared of disk growth explosion.  Then we
> could have a kernel interface, say get_last_audit_record(), which could
> query the audit system for that record number.
>
> A thought on disk size explosion might be something like generating
> these records in the kernel and just storing them in the task struct until
> some later point in time.

Yes! This is exactly what I'm suggesting.

> If userspace calls get_last_audit_record() we
> might be able to dump the record to auditd.

No! Have reading /proc/self/whatwentwrong return the audit record
associated with the errno last set by the kernel.

> If another record comes
> along we have to free the last one and replace it.  Lot more of a perf
> hit than setting a couple of ints and taking the hit at the time when
> userspace actually wants to collect/use this information.
>
> But are we just building up a Rube Goldberg machine?  I don't see a
> problem storing the last audit record if it exists, but I don't like
> making audit part of the normal workflow.  I'd do it if others like that
> though....
>
>

