From: Steve Grubb
Subject: RFC deprecating the possible action
Date: Mon, 10 Apr 2006 15:05:57 -0400
Message-ID: <200604101505.57763.sgrubb@redhat.com>
To: Linux Audit
List-Id: linux-audit@redhat.com

Hi,

I was looking at the syscall entry code and was thinking that we could eliminate the "possible" action. The code in syscall entry seems to have been hard-wired such that every syscall performs the action as if "possible" was set. (Unless a never rule evaluates true.)

Since this is now hard-wired into the code, I'd like to eliminate the action so that people do not submit rules with "possible" as an action. This would help in terms of performance since the system won't be evaluating rules that are hard coded.

We currently have 5 syscall rules in the capp.rules file and lspp.rules file that would be eliminated by this change. I could always delete them from the rule file, but other people will make the mistake of setting possible on some rules without studying the kernel code.

What's people's thoughts on this?

-Steve
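
A rule-file check for the mistake described in this message, as an added example that is not part of the original post: it flags audit rules whose action is `possible` so they can be removed. It assumes the auditctl `-a list,action` rule syntax and also accepts the action-first order; the function name and the sample rules are constructed for illustration and are not taken from capp.rules or lspp.rules.

```python
import shlex

# The action the RFC proposes to remove from the rule syntax.
DEPRECATED_ACTION = "possible"


def find_possible_rules(text):
    """Return (line_number, list_name, rule_text) for each rule using 'possible'."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:
            continue  # unbalanced quotes: not a rule this check can read
        # Look at the argument of every -a / -A option on the line.
        for i, tok in enumerate(tokens[:-1]):
            if tok not in ("-a", "-A"):
                continue
            parts = [p.strip().lower() for p in tokens[i + 1].split(",")]
            # Assumption: the pair may be written list,action or action,list.
            if len(parts) == 2 and DEPRECATED_ACTION in parts:
                other = parts[1] if parts[0] == DEPRECATED_ACTION else parts[0]
                hits.append((lineno, other, line))
    return hits


# Constructed sample rule file (not the shipped capp.rules).
SAMPLE_RULES = """\
# constructed sample rules
-D
-b 256
-a entry,possible -S chmod
-a exit,always -S open -F success=0
-A possible,entry -S mount   # action-first order
-a entry,never -S getpid
-w /etc/possible -p wa -k cfg
"""

if __name__ == "__main__":
    for lineno, list_name, rule in find_possible_rules(SAMPLE_RULES):
        print(f"line {lineno}: 'possible' on the {list_name} list: {rule}")
```

The watch rule on `/etc/possible` is not reported because only the argument of `-a`/`-A` is inspected, not every occurrence of the word.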