Re: [PATCH V5 0/5] audit by executable name

[Steve Grubb <sgrubb@redhat.com>]

On Wednesday, October 29, 2014 03:48:40 PM Richard Guy Briggs wrote:
> On 14/10/21, Paul Moore wrote:
> > > > Can anyone think of anything else that might be affected by this?
> > > 
> > > No one uses this stuff, just change it.
> > 
> > Yes, but I feel like I need to at least ask the question; how much
> > attention I pay to the answers is something else ...
> 
> I'm still skeptical this won't blow up...  Like the capabilities bitmap
> did.  I suspect there isn't agreement on what constitutes a feature.

Anything major that user space would have to know about to determine if its 
supported. If you don't know, just ask if we need to add a bit to the bitmap. 
Some examples, adding the object comparison engine, adding the loginuid-
immutable feature, if we added filtering on TTY that would also qualify (not 
asking for that). Otherwise, user space get EINVAL on the netlink operation 
which is not useful in explaining why the command was rejected.


> We just added a set/get features bitmap a year ago for things to be turned
> on/off and locked...  How does this features bitmap fit in with that
> features config?

I think of that as commanding the features, not determining if they exist.

> I don't disagree that a bitmap would be more useful for various
> distributions to pick and choose that which they choose to support over
> a version number that won't tell the whole story.

I also can be used to allow deprecation in a controlled way such that helpful 
messages are given to the system admin.

-Steve