From: Paul Moore
Date: Tue, 17 Apr 2018 22:01:46 -0400
Subject: Re: [PATCH ghak80 V1] audit: add syscall information to FEATURE_CHANGE records
To: Steve Grubb, Richard Guy Briggs
Cc: Linux-Audit Mailing List, LKML, Eric Paris

On Tue, Apr 17, 2018 at 6:10 PM, Steve Grubb wrote: > On Tuesday, April 17, 2018 6:06:24 PM EDT Paul Moore wrote: >> On Wed, Apr 11, 2018 at 8:46 AM, Richard Guy Briggs wrote: >> > Tie syscall information to FEATURE_CHANGE calls since it is a result of >> > user action. >> > >> > See: https://github.com/linux-audit/audit-kernel/issues/80 >> > >> > Signed-off-by: Richard Guy Briggs >> > --- >> > >> > kernel/audit.c | 5 ++--- >> > 1 file changed, 2 insertions(+), 3 deletions(-) >> > >> > diff --git a/kernel/audit.c b/kernel/audit.c >> > index 8da24ef..23f125b 100644 >> > --- a/kernel/audit.c >> > +++ b/kernel/audit.c
>> > @@ -1103,10 +1103,9 @@ static void audit_log_feature_change(int which, >> > u32 old_feature, u32 new_feature> >> > { >> > >> > struct audit_buffer *ab; >> > >> > - if (audit_enabled == AUDIT_OFF) >> > + if (!audit_enabled) >> >> Sooo, this is an unrelated style change, why? Looking at the rest of >> kernel/audit.c we seem to use a mix of "(!x)" and "(x == 0/CONST)" so >> why are you adding noise to this patch? >> >> > return; >> > >> > - >> > - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_FEATURE_CHANGE); >> > + ab = audit_log_start(current->audit_context, GFP_KERNEL, >> > AUDIT_FEATURE_CHANGE); >> This is the important part, and the Right Thing To Do. > > This is an unexpected change. I have asked questions on the github issue > tracker but have not gotten a satisfactory answer. Please do not merge this > until there's agreement on this.

It shouldn't be surprising, we've been talking about connecting records for some time now, in different contexts and both on and off list. Not only does it help pave the way for the audit container ID work, it just makes sense.

I've seen your questions in this particular GitHub issue and I think Richard has answered them satisfactorily.

Once Richard removes the style change, or provides a good enough reason for why it should stay in this patch, I plan on merging this into audit/next.

--
paul moore
www.paul-moore.com
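Review bot: The `audit_enabled == AUDIT_OFF` to `!audit_enabled` rewrite and the dropped blank line after `return;` are not covered by the commit message, which only describes tying syscall information to the record; drop them or move them to a separate cleanup patch so the hunk carries just the `audit_log_start()` change. For that change, passing `current->audit_context` in place of `NULL` relies on `current` being the task that requested the feature change, so the changelog should say so explicitly and ideally show how the FEATURE_CHANGE record is associated with the syscall record afterwards.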