From: Richard Guy Briggs
Subject: Re: [PATCH][RFC] audit: log namespace inode numbers
Date: Tue, 7 Jan 2014 12:43:59 -0500
Message-ID: <20140107174359.GB13431@madcap2.tricolour.ca>
References: <958ab728049c1adb674eeda3cbb2fc3e0774ab98.1387596015.git.rgb@redhat.com> <12215179.NadLEXGm6c@tauon>
In-Reply-To: <12215179.NadLEXGm6c@tauon>
To: Stephan Mueller
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On 14/01/07, Stephan Mueller wrote:
> On Friday, 20 December 2013, 22:32:29, Richard Guy Briggs wrote:
>
> Hi Richard,
>
> >Log the namespace details of a task.
> >---
> >
> >Does anyone have comments on this patch?
> >
> >I'm looking for guidance on which types of messages should have
> >namespace information included. I've included too many, I suspect.
> >
> >I also wonder if displaying these inode numbers in hexadecimal makes
> >more sense than decimal, since they are all based around 0xF0000000.
> >These are all with reference to the proc filesystem, so a device
> >number should not be necessary to qualify them.
>
> I have a general question: why do you sprinkle so many callbacks to
> audit_log_namespace_info throughout the code? As namespaces apply only
> to the acting entities, i.e. the processes, wouldn't it be sufficient
> to only add it to audit_log_task_context? So, everywhere where the
> context is needed in the audit trail, we log something about the
> credentials of the process.

Yes, your suggestion is much cleaner. This was some of the lingering
doubt I had about where to add it.

While reviewing, I found a duplicate when called from
audit_log_pid_context(). I also found a couple of functions that don't
have sufficient logging coverage (audit_log_feature_change and
audit_log_set_loginuid).

Thanks for the helpful review!

> Stephan

- RGB

--
Richard Guy Briggs
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545