From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: [RFC] Drop support for old audit rule API
Date: Fri, 27 Feb 2009 10:15:19 -0500
Message-ID: <200902271015.20236.sgrubb@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from vpn-13-179.rdu.redhat.com (vpn-13-179.rdu.redhat.com
	[10.11.13.179])
	by ns3.rdu.redhat.com (8.13.8/8.13.8) with ESMTP id n1RFFNvf021902
	for <linux-audit@redhat.com>; Fri, 27 Feb 2009 10:15:23 -0500
Content-Disposition: inline
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Linux Audit <linux-audit@redhat.com>
List-Id: linux-audit@redhat.com

Hi,

Another thought for the next major release is to drop support for the old 
audit rules API in libaudit. A long time ago, the function prototypes for:

extern int  audit_request_rules_list(int fd);
extern int  audit_add_rule(int fd, struct audit_rule *rule,
                                int flags, int action);
extern int  audit_delete_rule(int fd, struct audit_rule *rule,
                                int flags, int action);
extern int  audit_rule_syscall(struct audit_rule *rule, int scall);
extern int  audit_rule_syscallbyname(struct audit_rule *rule,
                                const char *scall);
extern int  audit_rule_fieldpair(struct audit_rule *rule, const char *pair,
                                int flags);
extern void audit_rule_free(struct audit_rule *rule);

Were moved to a private internal header. This was to encourage any external 
apps from using them, but if they had been previously compiled to know about 
the API, they would still be able to link and run.

As far as I know, auditctl & autrace are the only apps that would be affected. 
There very well may be some 3rd party apps I don't know about that this could 
impact. Hopefully they are on this list or moved their function calls when 
the prototype disappeared.

The proposal is to drop the above mentioned functions and bump the soname 
number so that anything linking against libaudit has to be recompiled to make 
sure they have no old function calls. At some point in the future, we can 
also remove the kernel's support for the old rule format.

Let's discuss....

-Steve