RFC deprecating the possible action

RFC deprecating the possible action

[Steve Grubb]

Hi,

I was looking at the syscall entry code and was thinking that we could 
eliminate the "possible" action. The code in syscall entry seems to have been 
hard-wired such that every syscall performs the action as if "possible" was 
set. (Unless a never rule evaluates true.)

Since this is now hard-wired into the code, I'd like to eliminate the action 
so that people do not submit rules with "possible" as an action. This would 
help in terms of performance since the system won't be evaluating rules that 
are hard coded.

We currently have 5 syscall rules in the capp.rules file and lspp.rules file 
that would be eliminated by this change. I could always delete them from the 
rule file, but other people will make the mistake of setting possible on some 
rules without studying the kernel code.

What's people's thoughts on this?

-Steve

Re: RFC deprecating the possible action

[Linda Knippers]

Steve Grubb wrote:
> We currently have 5 syscall rules in the capp.rules file and lspp.rules file 
> that would be eliminated by this change. I could always delete them from the 
> rule file, but other people will make the mistake of setting possible on some 
> rules without studying the kernel code.
> 
> What's people's thoughts on this?

I think if 'possible' no longer is needed, let's remove it.  The only
reason I can think of for keeping it is if people want to have the
same rules file for RHEL4 as for RHEL5, in which case it could be
silently ignored or turned into a regular watch on a RHEL5 system.

- ljk