Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S964826AbcDEWSK (ORCPT <rfc822;w@1wt.eu>);
	Tue, 5 Apr 2016 18:18:10 -0400
Received: from out5-smtp.messagingengine.com ([66.111.4.29]:37170 "EHLO
	out5-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S933837AbcDEWSH (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Tue, 5 Apr 2016 18:18:07 -0400
X-Sasl-enc: LT2q6H5wTMKy2tddnuIbD/yEL4u7W4dLvbnxSdWSaEEr 1459894685
Date: Tue, 5 Apr 2016 18:18:05 -0400
From: Greg KH <greg@kroah.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com, Oliver Neukum <oneukum@suse.com>,
        Wade Mealing <wmealing@redhat.com>,
        linux-usb <linux-usb@vger.kernel.org>, linux-kernel@vger.kernel.org,
        bjorn@mork.no
Subject: Re: [RFC] Create an audit record of USB specific details
Message-ID: <20160405221805.GB11038@kroah.com>
References: <1459742562-22803-1-git-send-email-wmail@redhat.com>
 <CALJHwhR5FQaa6v=ZPyLRZ8L+OrucXqEiwe6QE43HybM2keErYg@mail.gmail.com>
 <1459875768.2892.1.camel@suse.com>
 <2074584.b2h7oKljRp@x2>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <2074584.b2h7oKljRp@x2>
User-Agent: Mutt/1.6.0 (2016-04-01)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1667
Lines: 39

On Tue, Apr 05, 2016 at 03:38:34PM -0400, Steve Grubb wrote:
> On Tuesday, April 05, 2016 07:02:48 PM Oliver Neukum wrote:
> > On Tue, 2016-04-05 at 18:40 +1000, Wade Mealing wrote:
> > > Consider the following scenario.  Currently we have device drivers
> > > that emit text via a printk request which is eventually picked up by
> > > syslog like implementation (not the audit subsystem).
> > 
> > We also have UEVENTs. The crucial question is why udevd feeding
> > back events to the audit subsystem is inferior to the kernel
> > itself generating audit events.
> 
> If this was going to be done in user space, then we are talking about auditd 
> growing the ability to monitor another netlink socket for events. The question 
> that decides if this is feasible is whether or not UEVENTS are protected from 
> loss if several occur in a short time before auditd can get around to reading 
> them.

udevd should queue up your events that you subscribe to just fine.  Test
it out if you want to, it should be pretty easy.

> The other issue that I'm curious about is if adding hardware can fail.

Sure it can, plug in a "broken" USB device and watch it not enumerate
properly :)

> Do the events coming out by UEVENTS have any sense of pass or fail? Or
> are they all implicitly successful?

They only happen when a device is successfully added to the kernel.

> And then we get to the issue of whether or not UEVENTS can be filtered. If so, 
> then we will also need to add auditing around the configuration of the filters 
> to see if anything is impacting the audit trail.

You can filter in userspace, that's what udevd provides for you today.

thanks,

greg k-h