From mboxrd@z Thu Jan  1 00:00:00 1970
From: Klaus Weidner <klaus@atsec.com>
Subject: Re: [PATCH] IPC_SET_PERM cleanup
Date: Tue, 9 May 2006 15:10:14 -0500
Message-ID: <20060509201014.GA31028@w-m-p.com>
References: <445BB351.2040303@hp.com> <20060509181523.GD31457@w-m-p.com>
	<4460DF17.8010304@hp.com> <200605091511.25780.sgrubb@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [172.16.48.31])
	by int-mx1.corp.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id
	k49KATlx005693
	for <linux-audit@redhat.com>; Tue, 9 May 2006 16:10:29 -0400
Received: from mail.atsec.com (mail.atsec.com [195.30.252.105])
	by mx1.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id
	k49KAS0w016881
	for <linux-audit@redhat.com>; Tue, 9 May 2006 16:10:28 -0400
Content-Disposition: inline
In-Reply-To: <200605091511.25780.sgrubb@redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tue, May 09, 2006 at 03:11:25PM -0400, Steve Grubb wrote:
> Bottom line, for the search API, I want all similar types to have a common 
> field name. They can have a modifier adjacent to them.

If that's the way you want to do it, there needs to be a way to get the
modifier to disambiguate them.

Is adding "new " modifiers the best way to do that? You could also
keep the field names the same and look at the syscall record type to find
out which context they get used in.

> On Tuesday 09 May 2006 14:27, Linda Knippers wrote:
> >Maybe I should use a5, a6, ...,

> Please no. Let's keep it as iuid or ouid.

Naming them "a5" etc. would be terrible. The chown way of doing it wasn't
intended as a role model, the point was just that since the information
was present (even though obfuscated) there was no requirement to add
special case logic to audit that call. A userspace reporting tool could
fix this up if it wanted to. If you need new code to get the information,
you may as well make it less obfuscated.

> I'd personally prefer to drop iuid so we can consolidate field types.
> ouid means "owner's uid".

A consolidated field type "ouid" for the object owner makes sense
(assuming that since the IPC records are changing anyway, we might as
well make this additional change).

This still leaves the independent problem that you have a single syscall
which wants to report both the current ouid and the proposed new ouid
it's trying to set it to.

-Klaus