Subject: Re: [PATCH V4 (was V6)] audit: use macros for unset inode and device values
From: Casey Schaufler
To: Steve Grubb, Paul Moore
Cc: Richard Guy Briggs, linux-audit@redhat.com, linux-kernel@vger.kernel.org
Date: Thu, 6 Aug 2015 14:31:57 -0700
Message-ID: <55C3D24D.7040602@schaufler-ca.com>
In-Reply-To: <32702596.GifTzGnU6n@x2>

On 8/5/2015 1:08 PM, Steve Grubb wrote:
> On Wednesday, August 05, 2015 03:16:58 PM Paul Moore wrote:
>> On Wednesday, August 05, 2015 02:30:14 AM Richard Guy Briggs wrote:
>>> On 15/08/04, Paul Moore wrote:
>>>> On Saturday, August 01, 2015 03:42:23 PM Richard Guy Briggs wrote:
>>>>> Signed-off-by: Richard Guy Briggs
>>>>> ---
>>>>>
>>>>>  include/uapi/linux/audit.h | 2 ++
>>>>>  kernel/audit.c             | 2 +-
>>>>>  kernel/audit_watch.c       | 8 ++++----
>>>>>  kernel/auditsc.c           | 6 +++---
>>>>>  4 files changed, 10 insertions(+), 8 deletions(-)
>>>>
>>>> Yippee, fewer magic numbers!
>>>>
>>>> However, one question for you ... are we ever going to see a device or
>>>> inode set to -1 in the userspace facing API? In other words, should the
>>>> new #defines go in the uapi headers or simply in kernel/audit.h? Unless
>>>> it is part of the API, let's leave it out of uapi as we have to be very
>>>> careful about that stuff and I'd prefer to keep it minimal.
>>>
>>> This is a good point. I did briefly think about this at one point.
>>> Perhaps Steve can answer this. It would be trivial to move it back to
>>> uapi if needed. Would you be ok with it in include/linux/audit.h for
>>> now?
>>
>> I have no problem with it in include/linux/audit.h, that is a kernel-only
>> include that we can change at any time. My concern is putting it into a uapi
>> header which makes it very hard to change.
>>
>> I'm thinking we should just go ahead and put it in include/linux/audit.h for
>> now as I can't think of a reason why userspace should be passing in an
>> invalid dev/inode value, it just doesn't make sense. If the invalid tokens
>> prove to be valuable for userspace, we can always move the #defines.
>
> I can't imagine anyone auditing against a specific device or inode. It's like
> auditing a pid when you really want the program name. It's much more useful to
> audit by filename or directory and not inode/device. So, do whatever you want.
> The only unset value that people actually use is the auid because daemons have
> it unset.

I remember the Orange Book days when we were *required* to audit by dev/inode
because it was the only true way to identify the object. Yes, it's analogous to
auditing the pid, but we had to audit by that, too. The dev/inode and pid are
the "true" names. Anything else is a hint at what you're looking at. I can
easily imagine someone who really cares about the audit data supplying the
dev/inode and pid.

> -Steve