From: Paul Moore
Date: Fri, 16 Feb 2018 13:29:22 -0500
Subject: Re: [PATCH ghak8 ALT4 V4 0/3] audit: show more information for entries with anonymous parents
To: Richard Guy Briggs
Cc: Linux-Audit Mailing List, LKML, Eric Paris, Steve Grubb
In-Reply-To: <20180216082330.76obts2tvqwteqle@madcap2.tricolour.ca>
References: <20180216082330.76obts2tvqwteqle@madcap2.tricolour.ca>
List-ID: linux-kernel@vger.kernel.org

On Fri, Feb 16, 2018 at 3:23 AM, Richard Guy Briggs wrote:
> On 2018-02-15 17:15, Paul Moore wrote:
>> On Mon, Feb 12, 2018 at 12:02 AM, Richard Guy Briggs wrote:
>> > More than one filesystem was causing hundreds to thousands of null PATH
>> > records to be associated with the *init_module SYSCALL records on a few
>> > modules with corresponding audit syscall rules.
>> >
>> > This patchset adds extra information to those PATH records to provide
>> > insight into what is generating them, including a partial pathname,
>> > fstype field, and two new filetypes that indicate the pathname isn't
>> > anchored at the root of the task's root filesystem.
>> >
>> > Richard Guy Briggs (3):
>> >   audit: show partial pathname for entries with anonymous parents
>> >   audit: append new fstype field for anonymous PATH records
>> >   audit: add new filetypes CREATE_ANON and PARENT_ANON
>>
>> The more I look at this, the more I prefer your original approach that
>> prefixed the relative pathname with the fstype. Yes, I do realize
>> that you sort of work around that by including the fstype as a new
>> field in the PATH records, but we're still stuck with those odd
>> relative/un-rooted name fields.
>
> They are signalled as being unrooted by the ANON filetypes. And now
> that you mention it, should fail the ausearch-test since it isn't a "full
> path", as claimed is necessary in ghak70 (so I don't see why the
> KERN_MODULE name= record/field fails that test).

Yes. I still prefer your original approach.

>> Further, I don't recall ever hearing a good reason why the original
>> approach wasn't acceptable to Steve's userspace. I know he did make
>> some very last minute hand-wavy comments, but none of those made any
>> sense to me; I don't understand why Steve's audit record parser is
>> even looking in the pathname string.
>>
>> I'm going to park these patches in limbo for the time being.
>
> Can you give me an idea how long that might be?

If you need an answer right now, consider it to be "indefinitely".

-- 
paul moore
www.paul-moore.com