Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753096AbbHEUI0 (ORCPT <rfc822;w@1wt.eu>);
	Wed, 5 Aug 2015 16:08:26 -0400
Received: from mx1.redhat.com ([209.132.183.28]:40872 "EHLO mx1.redhat.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751912AbbHEUIY (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Wed, 5 Aug 2015 16:08:24 -0400
From: Steve Grubb <sgrubb@redhat.com>
To: Paul Moore <pmoore@redhat.com>
Cc: Richard Guy Briggs <rgb@redhat.com>, linux-audit@redhat.com,
        linux-kernel@vger.kernel.org, eparis@redhat.com
Subject: Re: [PATCH V4 (was V6)] audit: use macros for unset inode and device values
Date: Wed, 05 Aug 2015 16:08:23 -0400
Message-ID: <32702596.GifTzGnU6n@x2>
Organization: Red Hat
User-Agent: KMail/4.14.9 (Linux/4.1.3-200.fc22.x86_64; KDE/4.14.9; x86_64; ; )
In-Reply-To: <1963661.TAhBJMcsjy@sifl>
References: <cover.1438446565.git.rgb@redhat.com> <20150805063014.GB32407@madcap2.tricolour.ca> <1963661.TAhBJMcsjy@sifl>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2320
Lines: 47

On Wednesday, August 05, 2015 03:16:58 PM Paul Moore wrote:
> On Wednesday, August 05, 2015 02:30:14 AM Richard Guy Briggs wrote:
> > On 15/08/04, Paul Moore wrote:
> > > On Saturday, August 01, 2015 03:42:23 PM Richard Guy Briggs wrote:
> > > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > > > ---
> > > > 
> > > >  include/uapi/linux/audit.h |    2 ++
> > > >  kernel/audit.c             |    2 +-
> > > >  kernel/audit_watch.c       |    8 ++++----
> > > >  kernel/auditsc.c           |    6 +++---
> > > >  4 files changed, 10 insertions(+), 8 deletions(-)
> > > 
> > > Yipee, less magic numbers!
> > > 
> > > However, one question for you ... are we ever going to see a device or
> > > inode set to -1 in the userspace facing API?  In other words, should the
> > > new #defines go in the uapi headers or simply in kernel/audit.h?  Unless
> > > it is part of the API, let's leave it out of uapi as we have to be very
> > > careful about that stuff and I'd prefer to keep it minimal.
> > 
> > This is a good point.  I did briefly thing about this at one point.
> > Perhaps Steve can answer this.  It would be trivial to move it back to
> > uapi if needed.  Would you be ok with it in include/linux/audit.h for
> > now?
> 
> I have no problem with it in include/linux/audit.h, that is a kernel-only
> include that we can change at anytime.  My concern is putting it into a uapi
> header which makes it very hard to change.
> 
> I'm thinking we should just go ahead and put it in include/linux/audit.h for
> now as I can't think of a reason why userspace should be passing in an
> invalid dev/inode value, it just doesn't make sense.  If the invalid tokens
> prove to be valuable for userspace, we can always move the #defines.

I can't imagine anyone auditing against a specific device or inode. Its like 
auditing a pid when you really want the program name. Its much more useful to 
audit by filename or directory and not inode/device. So, do whatever you want. 
The only unset value that people actually use is the auid because deamons have 
it unset.

-Steve
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/