From: Paul Moore
Date: Mon, 14 Jan 2019 17:58:58 -0500
Subject: Re: [PATCH ghak59 V3 2/4] audit: add syscall information to CONFIG_CHANGE records
To: Richard Guy Briggs
Cc: LKML, Linux-Audit Mailing List, Eric Paris, Alexander Viro, Steve Grubb
In-Reply-To: <43548fafdfa98ee64ecfd0d7a69a2f5cb2c31c50.1544477629.git.rgb@redhat.com>

On Mon, Dec 10, 2018 at 5:18 PM Richard Guy Briggs wrote:
>
> Tie syscall information to all CONFIG_CHANGE calls since they are all a
> result of user actions.
>
> Exclude user records from syscall context:
> Since the function audit_log_common_recv_msg() is shared by a number of
> AUDIT_CONFIG_CHANGE and the entire range of AUDIT_USER_* record types,
> and since the AUDIT_CONFIG_CHANGE message type has been converted to a
> syscall accompanied record type, special-case the AUDIT_USER_* range of
> messages so they remain standalone records.
>
> See: https://github.com/linux-audit/audit-kernel/issues/59
> See: https://github.com/linux-audit/audit-kernel/issues/50
> Signed-off-by: Richard Guy Briggs > --- > kernel/audit.c | 27 +++++++++++++++++++-------- > kernel/audit_fsnotify.c | 2 +- > kernel/audit_tree.c | 2 +- > kernel/audit_watch.c | 2 +- > kernel/auditfilter.c | 2 +- > 5 files changed, 23 insertions(+), 12 deletions(-) > > diff --git a/kernel/audit.c b/kernel/audit.c > index 0e8026423fbd..a321fea94cc6 100644 > --- a/kernel/audit.c > +++ b/kernel/audit.c > @@ -1072,6 +1073,16 @@ static void audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type) > audit_log_task_context(*ab); > } > > +static inline void audit_log_user_recv_msg(struct audit_buffer **ab, u16 msg_type) > +{ > + audit_log_common_recv_msg(NULL, ab, msg_type); > +} This makes sense because this is used by "user" records ... > +static inline void audit_log_config_change_alt(struct audit_buffer **ab) > +{ > + audit_log_common_recv_msg(audit_context(), ab, AUDIT_CONFIG_CHANGE); > +} ... and I don't believe this makes sense because there is no real logical grouping with the callers like there is for audit_log_user_recv_msg(). -- paul moore www.paul-moore.com
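
Review bot: The NULL first argument in audit_log_user_recv_msg() is undocumented, yet it appears to be the only thing that distinguishes the AUDIT_USER_* path from the AUDIT_CONFIG_CHANGE path, which passes audit_context() instead. A one-line comment above the wrapper stating that a NULL context keeps these records standalone, as the commit message describes, would let a reader confirm the intended audit behaviour without tracing into audit_log_common_recv_msg(). In audit_log_config_change_alt(), the "_alt" suffix does not say what it is an alternative to or when a caller should choose it; a more descriptive name, or calling audit_log_common_recv_msg(audit_context(), ab, AUDIT_CONFIG_CHANGE) directly at the call sites, would make it clearer which records are tied to the syscall context.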