From: Richard Guy Briggs
Subject: Re: [PATCH] audit: Add cmdline to taskinfo output
Date: Thu, 31 Oct 2013 11:46:50 -0400
Message-ID: <20131031154650.GA24407@madcap2.tricolour.ca>
References: <1383004238-10998-1-git-send-email-wroberts@tresys.com> <1611933.rd6seSt0S2@x2> <3495583.L92f3yxRXA@x2> <20131031152848.GB3399@madcap2.tricolour.ca>
To: William Roberts
Cc: William Roberts, linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thu, Oct 31, 2013 at 08:33:34AM -0700, William Roberts wrote:
> On Thu, Oct 31, 2013 at 8:28 AM, Richard Guy Briggs wrote:
> > > On Thu, Oct 31, 2013 at 08:24:11AM -0700, William Roberts wrote:
> > > On Thu, Oct 31, 2013 at 7:36 AM, Steve Grubb wrote:
> > > > On Wednesday, October 30, 2013 01:18:13 PM William Roberts wrote:
> > > > > On Wed, Oct 30, 2013 at 12:42 PM, Steve Grubb wrote:
> > > > > I have compiled kernels in the past with custom COMM widths, but
> > > > > the memory footprint goes up, at least here we're not keeping a
> > > > > bunch of possibly unused data around in the kernel plus we're not
> > > > > allocating anything on the common case of it being turned off.
> > > >
> > > > I don't like the idea of fields appearing and disappearing. The
> > > > complaint is "comm" is meaningless. Let's fix that.
> > >
> > > It's not that the field is disappearing, it's just whether or not you
> > > want the value printed out. cmdline=(null) vs cmdline="something".
> > > That's a trivial change of not making it dynamic which is what my
> > > first patch did but Richard Briggs suggested making it a dynamic
> > > feature and I was pretty ok with that.
> >
> > Ok, so how about both fields are always present, but have some keyword
> > that is printed that indicates it is a duplicate of the other field?
> >
> > Something like cmdline=(comm)
>
> How are you going to detect that cmdline has changed, it's a region of
> memory in userspace? We would have to cmp the values, and if we cannot
> detect the transition, this gets more expensive. Also, I have yet to
> see a case where the above statement is true, so it would be a very
> infrequent event.

Is it likely that those two point to the same region of memory? If so,
just compare the pointers.

> However, there is a condition in my patch where an error will cause
> comm=(null) not to be printed, which could be
> viewed as a disappearing field.

Would it be useful if this condition were changed to print instead
comm=(error)?

> > > William C Roberts
> >
> > - RGB
>
> William C Roberts

- RGB

--
Richard Guy Briggs
Senior Software Engineer
Kernel Security
AMER ENG Base Operating Systems
Remote, Ottawa, Canada
Voice: +1.647.777.2635 Internal: (81) 32635 Alt: +1.613.693.0684x3545