Subject: Re: [PATCH V4 (was V6)] audit: use macros for unset inode and device
 values
To: Steve Grubb <sgrubb@redhat.com>, Paul Moore <pmoore@redhat.com>
References: <cover.1438446565.git.rgb@redhat.com>
 <20150805063014.GB32407@madcap2.tricolour.ca> <1963661.TAhBJMcsjy@sifl>
 <32702596.GifTzGnU6n@x2>
Cc: Richard Guy Briggs <rgb@redhat.com>, linux-audit@redhat.com,
        linux-kernel@vger.kernel.org
From: Casey Schaufler <casey@schaufler-ca.com>
Message-ID: <55C3D24D.7040602@schaufler-ca.com>
Date: Thu, 6 Aug 2015 14:31:57 -0700
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101
 Thunderbird/38.1.0
MIME-Version: 1.0
In-Reply-To: <32702596.GifTzGnU6n@x2>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 2866
Lines: 59

On 8/5/2015 1:08 PM, Steve Grubb wrote:
> On Wednesday, August 05, 2015 03:16:58 PM Paul Moore wrote:
>> On Wednesday, August 05, 2015 02:30:14 AM Richard Guy Briggs wrote:
>>> On 15/08/04, Paul Moore wrote:
>>>> On Saturday, August 01, 2015 03:42:23 PM Richard Guy Briggs wrote:
>>>>> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
>>>>> ---
>>>>>
>>>>>  include/uapi/linux/audit.h |    2 ++
>>>>>  kernel/audit.c             |    2 +-
>>>>>  kernel/audit_watch.c       |    8 ++++----
>>>>>  kernel/auditsc.c           |    6 +++---
>>>>>  4 files changed, 10 insertions(+), 8 deletions(-)
>>>> Yipee, less magic numbers!
>>>>
>>>> However, one question for you ... are we ever going to see a device or
>>>> inode set to -1 in the userspace facing API?  In other words, should the
>>>> new #defines go in the uapi headers or simply in kernel/audit.h?  Unless
>>>> it is part of the API, let's leave it out of uapi as we have to be very
>>>> careful about that stuff and I'd prefer to keep it minimal.
>>> This is a good point.  I did briefly thing about this at one point.
>>> Perhaps Steve can answer this.  It would be trivial to move it back to
>>> uapi if needed.  Would you be ok with it in include/linux/audit.h for
>>> now?
>> I have no problem with it in include/linux/audit.h, that is a kernel-only
>> include that we can change at anytime.  My concern is putting it into a uapi
>> header which makes it very hard to change.
>>
>> I'm thinking we should just go ahead and put it in include/linux/audit.h for
>> now as I can't think of a reason why userspace should be passing in an
>> invalid dev/inode value, it just doesn't make sense.  If the invalid tokens
>> prove to be valuable for userspace, we can always move the #defines.
> I can't imagine anyone auditing against a specific device or inode. Its like 
> auditing a pid when you really want the program name. Its much more useful to 
> audit by filename or directory and not inode/device. So, do whatever you want. 
> The only unset value that people actually use is the auid because deamons have 
> it unset.

I remember the Orange Book days when we were *required* to audit by dev/inode
because it was the only true way to identify the object. Yes, it's analogous to
auditing the pid, but we had to audit by that, too. The dev/indode and pid are
the "true" names. Anything else is a hint at what you're looking at. I can easily
imaging someone who really cares about the audit data supplying the dev/inode and
pid. 

>
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/