From: Steve Grubb <sgrubb@redhat.com>
To: Paul Moore <pmoore@redhat.com>
Cc: Richard Guy Briggs <rgb@redhat.com>,
linux-audit@redhat.com, linux-kernel@vger.kernel.org,
eparis@redhat.com
Subject: Re: [PATCH V4 (was V6)] audit: use macros for unset inode and device values
Date: Wed, 05 Aug 2015 16:08:23 -0400 [thread overview]
Message-ID: <32702596.GifTzGnU6n@x2> (raw)
In-Reply-To: <1963661.TAhBJMcsjy@sifl>
On Wednesday, August 05, 2015 03:16:58 PM Paul Moore wrote:
> On Wednesday, August 05, 2015 02:30:14 AM Richard Guy Briggs wrote:
> > On 15/08/04, Paul Moore wrote:
> > > On Saturday, August 01, 2015 03:42:23 PM Richard Guy Briggs wrote:
> > > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > > > ---
> > > >
> > > > include/uapi/linux/audit.h | 2 ++
> > > > kernel/audit.c | 2 +-
> > > > kernel/audit_watch.c | 8 ++++----
> > > > kernel/auditsc.c | 6 +++---
> > > > 4 files changed, 10 insertions(+), 8 deletions(-)
> > >
> > > Yipee, less magic numbers!
> > >
> > > However, one question for you ... are we ever going to see a device or
> > > inode set to -1 in the userspace facing API? In other words, should the
> > > new #defines go in the uapi headers or simply in kernel/audit.h? Unless
> > > it is part of the API, let's leave it out of uapi as we have to be very
> > > careful about that stuff and I'd prefer to keep it minimal.
> >
> > This is a good point. I did briefly thing about this at one point.
> > Perhaps Steve can answer this. It would be trivial to move it back to
> > uapi if needed. Would you be ok with it in include/linux/audit.h for
> > now?
>
> I have no problem with it in include/linux/audit.h, that is a kernel-only
> include that we can change at anytime. My concern is putting it into a uapi
> header which makes it very hard to change.
>
> I'm thinking we should just go ahead and put it in include/linux/audit.h for
> now as I can't think of a reason why userspace should be passing in an
> invalid dev/inode value, it just doesn't make sense. If the invalid tokens
> prove to be valuable for userspace, we can always move the #defines.
I can't imagine anyone auditing against a specific device or inode. Its like
auditing a pid when you really want the program name. Its much more useful to
audit by filename or directory and not inode/device. So, do whatever you want.
The only unset value that people actually use is the auid because deamons have
it unset.
-Steve
next prev parent reply other threads:[~2015-08-05 20:08 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-08-01 19:42 [PATCH V4 (was V6)] audit: macros to replace unset inode and device values Richard Guy Briggs
2015-08-01 19:42 ` [PATCH V4 (was V6)] audit: use macros for " Richard Guy Briggs
2015-08-04 22:34 ` Paul Moore
2015-08-05 6:30 ` Richard Guy Briggs
2015-08-05 19:16 ` Paul Moore
2015-08-05 20:08 ` Steve Grubb [this message]
2015-08-06 21:31 ` Casey Schaufler
2015-08-07 14:22 ` Paul Moore
2015-08-05 19:22 ` William Roberts
2015-08-05 19:38 ` Richard Guy Briggs
2015-08-05 20:23 ` Paul Moore
2015-08-04 22:37 ` [PATCH V4 (was V6)] audit: macros to replace " Paul Moore
2015-08-05 6:32 ` Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=32702596.GifTzGnU6n@x2 \
--to=sgrubb@redhat.com \
--cc=eparis@redhat.com \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=pmoore@redhat.com \
--cc=rgb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).