From: Paul Moore
Date: Thu, 15 Feb 2018 17:15:05 -0500
Subject: Re: [PATCH ghak8 ALT4 V4 0/3] audit: show more information for entries with anonymous parents
To: Richard Guy Briggs
Cc: Linux-Audit Mailing List, LKML, Eric Paris, Steve Grubb

On Mon, Feb 12, 2018 at 12:02 AM, Richard Guy Briggs wrote:
> More than one filesystem was causing hundreds to thousands of null PATH
> records to be associated with the *init_module SYSCALL records on a few
> modules with corresponding audit syscall rules.
>
> This patchset adds extra information to those PATH records to provide
> insight into what is generating them, including a partial pathname,
> fstype field, and two new filetypes that indicate the pathname isn't
> anchored at the root of the task's root filesystem.
>
> Richard Guy Briggs (3):
>   audit: show partial pathname for entries with anonymous parents
>   audit: append new fstype field for anonymous PATH records
>   audit: add new filetypes CREATE_ANON and PARENT_ANON

The more I look at this, the more I prefer your original approach that
prefixed the relative pathname with the fstype.
Yes, I do realize that you sort of work around that by including the
fstype as a new field in the PATH records, but we're still stuck with
those odd relative/un-rooted name fields.

Further, I don't recall ever hearing a good reason why the original
approach wasn't acceptable to Steve's userspace. I know he did make
some very last-minute hand-wavy comments, but none of those made any
sense to me; I don't understand why Steve's audit record parser is even
looking in the pathname string.

I'm going to park these patches in limbo for the time being.

--
paul moore
www.paul-moore.com