public inbox for linux-kernel@vger.kernel.org
From: Casey Schaufler <casey@schaufler-ca.com>
To: Eric Paris <eparis@redhat.com>
Cc: linux-kernel@vger.kernel.org, libc-alpha@sourceware.org,
	dwalsh@redhat.com, dmalcolm@redhat.com, sds@tycho.nsa.gov,
	segoon@openwall.com, linux-security-module@vger.kernel.org
Subject: Re: Friendlier EPERM - Request for input
Date: Wed, 09 Jan 2013 13:36:44 -0800	[thread overview]
Message-ID: <50EDE2EC.1080104@schaufler-ca.com> (raw)
In-Reply-To: <1357765998.1342.25.camel@localhost>

On 1/9/2013 1:13 PM, Eric Paris wrote:
> On Wed, 2013-01-09 at 12:53 -0800, Casey Schaufler wrote:
>
>> Let me try again, I think I didn't quite get the idea across.
>>
>> I'm suggesting that the string returned by get_extended_error_info()
>> ought to be the audit record the system call would generate, regardless
>> of whether the audit system would emit it or not.
>> If the audit record doesn't have the information you need we should
>> fix the audit system to provide it. Any bit of the information in
>> the audit record might be relevant, and your admin or developer might
>> need to see it.
>>
>> I'm suggesting using the audit record because there are tools to
>> examine them and it's a pity to use a different format instead of
>> fixing the one that's already there.
> I get the point.  My problem with using audit records is that they have
> to be stored on disk, forever.  We have to store a record on disk for
> EVERY denial because of rwx bits, acls, capabilities, LSM, etc.  We
> don't do that today and I'm scared of disk growth explosion.  Then we
> could have a kernel interface, say get_last_audit_record(), which could
> query the audit system for that record number.
>
> A thought on disk size explosion might be something like generating
> these records in the kernel and just store them in the task struct until
> some later point in time.

Yes! This is exactly what I'm suggesting.

> If userspace calls get_last_audit_record() we
> might be able to dump the record to auditd.

No! Have reading /proc/self/whatwentwrong return the audit record
associated with the errno last set by the kernel.

> If another record comes
> along we have to free the last one and replace it.  Lot more of a perf
> hit than setting a couple of ints and taking the hit at the time when
> userspace actually wants to collect/use this information.
>
> But are we just building up a Rube Goldberg machine?  I don't see a
> problem storing the last audit record if it exists, but I don't like
> making audit part of the normal workflow.  I'd do it if others like that
> though....
>
>


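As an added illustration of the consumer side of what Casey proposes above (this is example code written for this page, not kernel, glibc or audit code): a userspace helper that, after a syscall fails with EPERM or EACCES, reads the per-task record and pulls individual fields out of it. The /proc/self/whatwentwrong file is only a proposal and exists in no kernel, so the path is a parameter here; the record it reads is a constructed AVC denial line in the standard audit key=value layout, with made-up pid, contexts and inode.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed sample: an AVC denial in the audit key=value layout.
 * The pid, file, contexts and inode are invented for this example. */
static const char SAMPLE_RECORD[] =
    "type=AVC msg=audit(1357765998.123:45): avc:  denied  { read } for  "
    "pid=1234 comm=\"cat\" name=\"shadow\" dev=\"sda1\" ino=67890 "
    "scontext=unconfined_u:unconfined_r:unconfined_t:s0 "
    "tcontext=system_u:object_r:shadow_t:s0 tclass=file";

/* Return the value of key= in an audit-style record, or NULL if absent.
 * Values are either "quoted" or bare up to the next space. The key must
 * start a token (record start or preceded by a space) and be followed by
 * '=', so "context" does not match inside "scontext=". Caller frees. */
char *audit_field(const char *record, const char *key)
{
    size_t klen = strlen(key);
    const char *p = record;

    while ((p = strstr(p, key)) != NULL) {
        if ((p == record || p[-1] == ' ') && p[klen] == '=') {
            const char *v = p + klen + 1, *end;
            if (*v == '"') {
                v++;
                end = strchr(v, '"');
                if (!end)
                    return NULL;          /* unterminated quote */
            } else {
                end = v;
                while (*end && *end != ' ')
                    end++;
            }
            return strndup(v, (size_t)(end - v));
        }
        p += klen;
    }
    return NULL;
}

/* Fetch the record explaining the last failed syscall. `err` is the errno
 * the caller just saw; only permission failures are worth looking up, so
 * anything else returns NULL without touching the file. `path` stands in
 * for the proposed /proc/self/whatwentwrong (hypothetical). Caller frees. */
char *read_last_denial(int err, const char *path)
{
    if (err != EPERM && err != EACCES)
        return NULL;
    FILE *f = fopen(path, "r");
    if (!f)
        return NULL;
    char *line = NULL;
    size_t cap = 0;
    ssize_t n = getline(&line, &cap, f);
    fclose(f);
    if (n <= 0) {
        free(line);
        return NULL;
    }
    if (line[n - 1] == '\n')
        line[n - 1] = '\0';
    return line;
}

/* Stand-alone check: write the sample record to a temp file standing in for
 * the proposed proc file, look it up as if a syscall had just failed with
 * EACCES, and confirm the record and a field come back intact. Returns 1
 * on success, 0 on any mismatch. */
int demo(void)
{
    char path[] = "/tmp/whatwentwrongXXXXXX";   /* mkstemp template */
    int fd = mkstemp(path);
    if (fd < 0)
        return 0;
    if (write(fd, SAMPLE_RECORD, strlen(SAMPLE_RECORD)) != (ssize_t)strlen(SAMPLE_RECORD) ||
        write(fd, "\n", 1) != 1) {
        close(fd);
        unlink(path);
        return 0;
    }
    close(fd);

    int ok = 1;
    char *rec = read_last_denial(EACCES, path);
    char *tclass = rec ? audit_field(rec, "tclass") : NULL;
    if (!rec || strcmp(rec, SAMPLE_RECORD) != 0)
        ok = 0;
    if (!tclass || strcmp(tclass, "file") != 0)
        ok = 0;
    if (read_last_denial(ENOENT, path) != NULL)  /* unrelated errno: no lookup */
        ok = 0;
    free(tclass);
    free(rec);
    unlink(path);
    return ok;
}

int main(void)
{
    const char *keys[] = { "scontext", "tcontext", "tclass", "comm" };
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++) {
        char *v = audit_field(SAMPLE_RECORD, keys[i]);
        printf("%s=%s\n", keys[i], v ? v : "(absent)");
        free(v);
    }
    return demo() ? 0 : 1;
}
```

The errno gate in read_last_denial is the point Eric raises about cost: the kernel would only have to keep one record per task, and userspace only reads it on the failures where a denial record could exist, so nothing is written to disk or to auditd unless a program actually asks.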
Thread overview: 21+ messages
2013-01-09 16:04 Friendlier EPERM - Request for input Eric Paris
2013-01-09 19:43 ` Eric Paris
2013-01-09 20:14   ` Casey Schaufler
2013-01-09 20:32     ` Eric Paris
2013-01-09 20:53       ` Casey Schaufler
2013-01-09 20:59         ` Jakub Jelinek
2013-01-09 21:09           ` Eric Paris
2013-01-09 22:17             ` Carlos O'Donell
2013-01-21  0:00               ` Eric W. Biederman
2013-01-21  0:59                 ` Eric W. Biederman
2013-01-21  1:09                 ` Mike Frysinger
2013-01-09 21:12           ` Casey Schaufler
2013-01-09 21:13         ` Eric Paris
2013-01-09 21:36           ` Casey Schaufler [this message]
2013-01-10 15:14   ` Tetsuo Handa
2013-01-10 16:34     ` Eric Paris
2013-01-11 13:00       ` Mimi Zohar
2013-01-12  5:08       ` Tetsuo Handa
2013-01-27 14:16       ` Rich Kulawiec
2013-01-12  7:23 ` Rob Landley
2013-01-12 20:27 ` Dr. David Alan Gilbert