Received: by 10.223.164.202 with SMTP id h10csp756763wrb; Thu, 9 Nov 2017 13:58:20 -0800 (PST) X-Google-Smtp-Source: ABhQp+T1bRZyJOWwESgf1TkorD+cOFFZCluKBQtAZv1wkWPfyNBq9gWedGgXe7SEgU6+LlDxYv2y X-Received: by 10.98.91.194 with SMTP id p185mr1912909pfb.136.1510264700008; Thu, 09 Nov 2017 13:58:20 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1510264699; cv=none; d=google.com; s=arc-20160816; b=L5sUe9lx/D+L+r+MqiwUBMebZaMRFdVvqBqMazbRzo6VhCr3Nltj+zS/YhfrVDACBM R0Xij7G8MeBcoyqdo6Vd+1zrRMkMc2g4TGYV9ivNWeMeGpGKMy8zaPfFE56otLN28kn9 rqrfe7FbvPr+FgBeJNE+QsAyqXIoP//yDj6BFwrncbt9+gwPA+sShsztqUhRz5NnILTA uYhIr+St3UXsAtp1flBnxxCthVuNdBY/nEBBsQUxDWom7yxJuSVJNOOmuomnVpRWjaQt lhpgNb07/rWywo3JCTfFyCHnBeB/nu43eK4oDYJ0XuNXlTNvGhA44vI9VraE0ZPekFBR 7I0Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=510OOJNuC/v0piqz8k+EZSVjudmRJQN5Zickg9sJ7Gs=; b=R0/tmEXlwVxUtSj8MeKvSV0zCA8Dfcnq7NHAgmhL2bJNoVZeLTqpqajNqJOs7ekmQa pjowJxbg3YdnCWvNVrAiR1Pui8tVm+qqbNKxmCR0CnERNSB+NYq0wldkCq2C1h4RLdEr ZQh1inrv6bf83QHPBukxz4wUMVSkSTi6pDc7FUaNTY5DnI5iOra5tOj3zhyCGmNEbVwS 5tICd7tTfI04N+TinGD9bvz5AIkQNf3wILlOmT82L3RrQpDQlS+2ZrjUEG1O4MOfjjrx ea3BOB2VtobXHTfIqkVqDmpSRqkVC+VfHbUMhpA6h8MRgxg9z3qHArrHBucvvO3ipLmI 2qJA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w17si1974386pgc.409.2017.11.09.13.58.08; Thu, 09 Nov 2017 13:58:19 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754256AbdKIV5Y (ORCPT + 83 others); Thu, 9 Nov 2017 16:57:24 -0500 Received: from mx1.redhat.com ([209.132.183.28]:34368 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751709AbdKIV5W (ORCPT ); Thu, 9 Nov 2017 16:57:22 -0500 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 58C7AB5C2; Thu, 9 Nov 2017 21:57:22 +0000 (UTC) Received: from madcap2.tricolour.ca (ovpn-112-14.rdu2.redhat.com [10.10.112.14]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 867856F132; Thu, 9 Nov 2017 21:57:16 +0000 (UTC) Date: Thu, 9 Nov 2017 16:56:38 -0500 From: Richard Guy Briggs To: Paul Moore Cc: Steve Grubb , linux-audit@redhat.com, linux-kernel@vger.kernel.org, Steven Rostedt Subject: Re: [PATCH ALT4 V3 1/2] audit: show fstype:pathname for entries with anonymous parents Message-ID: <20171109215638.rpawzftmese4wjyg@madcap2.tricolour.ca> References: <5662600.QY0GDuKsRv@x2> <2668378.rW6Oo1akt8@x2> <20171109205246.ohro2gbsnvc7hpij@madcap2.tricolour.ca> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: NeoMutt/20171013 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.38]); Thu, 09 Nov 2017 21:57:22 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2017-11-09 16:47, Paul Moore wrote: > On Thu, Nov 9, 2017 at 3:52 PM, Richard Guy Briggs wrote: > > On 2017-11-09 10:59, Paul Moore wrote: > >> On Thu, Nov 9, 2017 at 10:31 AM, Steve Grubb wrote: > >> > On Thursday, November 9, 2017 10:18:10 AM EST Paul Moore wrote: > >> >> On Wed, Nov 8, 2017 at 6:29 PM, Steve Grubb wrote: > >> > >> ... > >> > >> >> > Late reply...but I just noticed that this changes the format of the "name" > >> >> > field - which is undesirable. Please put the file system type in a field > >> >> > all by itself called "fstype". You can just leave it as the hex magic > >> >> > number prepended with 0x and user space can do the lookup from there, > >> >> > > >> >> > It might be simplest to just apply a corrective patch over top of this one > >> >> > so that you don't have to muck about with git branches and commit > >> >> > messages. > >> >> > >> >> A quick note on the "corrective patch": given we are just days away > >> >> from the merge window opening, it is *way* to late for something like > >> >> that, at this point the only options are to leave it as-is or > >> >> yank/revert and make another pass during the next development phase. > >> > > >> > Then yank it. I think that is overreacting but given the options you presented > >> > its the only one that avoids changing a critical field format. > >> > >> It's not overreacting Steve, there is simply no way we can test and > >> adequately soak new changes in the few days we have left. Event > >> yanks/reverts carry a risk at this stage, but I consider that the less > >> risky option for these patches. Neither is a great option, and that > >> is why I'm rather annoyed. > > > > I don't really see that this is my choice to include it or not. This is > > the upstream maintainer's decision. > > You are right, however, while ultimately it isn't your choice I still > wanted to hear your opinion on this as you have put a lot of effort > into this patchset. > > > I can't say I'd be thrilled to have my name on something that stuffs up > > the system though. It still isn't clear to me why an incomplete path > > from some seemingly random place in the filesystem tree is preferable to > > something that gives it an anchor point, at least to human interpreters. > > That confuses me too. My current thinking is that a partial, or > relative, path is not something we want. > > > Adding an fstype to the record is an interesting idea, but then creates > > a void for all the rest of the properly formed records that don't need > > it and will need more work to find it, wasting bandwidth with > > "fstype=?". > > Not to mention we still have the relative path problem in this case. > > > How are the analysis tools stymied by a text prefix to a path that it can't find anyways? > > I've been wondering the same. My gut feeling isn't a positive comment > so I'll refrain from sharing it here. > > > Since we have a chance to fix it before it goes upstream, I think it > > should either be yanked and respun, or add a corrective patch and submit > > them together. > > The odds of agreeing upon a corrective patch and getting it tested and > soaked before the merge window opens is z-e-r-o. As I said earlier, > at the very top of my first response, this isn't an option (I'm hoping > you just missed reading that). Oh, I read that. That's what informed my position. That should help you make your decision. > I've been testing audit/next without patch 1/2 this afternoon and it > is still looking okay; unless I see something arguing against it > within the next hour or two that's what I'm going to send up to Linus. > > >> >> As for the objection itself: ungh. There is really no good reason why > >> >> you couldn't have seen this in the *several* *months* prior to this; > >> >> Richard wrote a nice patch description which *included* sample audit > >> >> events, and you were involved in discussions regarding this patchset. > >> >> To say I'm disappointed would be an understatement. > >> > > >> > I am also disappointed to find that we are modifying a searchable field that > >> > has been defined since 2005. The "name" field is very important. It's used in > >> > quite a few reports, its used in the text format, it's searchable, and we have > >> > a dictionary that defines exactly what it is. Fields that are searchable and > >> > used in common reports cannot be changed without a whole lot of coordination. > >> > I'm also disappointed to have to point out that new information should go in > >> > its own field. I thought this was common knowledge. In any event, it was > >> > caught and problems can be avoided. > > > > So why does this make it unsearchable? I still don't understand any > > explanations that have been made so far. > > Agree. > > >> There are plenty of things to say about the above comment, but in the > >> interest of brevity I'm just going to leave it at the assumptions and > >> inflexibility in your audit userspace continue to amaze me in all the > >> worst ways. Regardless, as you say, the problem can likely be avoided > >> this time. > >> > >> >> I need to look at the rest of audit/next to see what a mess things > >> >> would be if I yanked this patch. I don't expect it to be bad, but > >> >> taking a look will also give Richard a chance to voice his thoughts; > >> >> it is his patch after all, it would be nice to see an "OK" from him. > >> >> Whatever we do, it needs to happen by the of the day today (Thursday, > >> >> November 9th) as we need time to build and test the revised patches. > >> > >> FWIW, I just went through audit/next and it looks like yanking patch > >> 1/2 isn't going to be too painful; I'm waiting on the build to finish > >> now. Also, as a FYI, Richard's 2/2 filtering patch is going to remain > >> in audit/next as that appears unrelated to the pathname objection, > >> applies cleanly, and still offers value. > > > > The irony here stuns me. 2/2 was supposed to be the more controvertial > > one. > > Yes, me too. I never thought patch 1/2 would be the problematic one. > Oh well. Do you have any objection to 2/2 going up to Linus? They are two fairly different solutions to the same problem. It can stand on its own. > paul moore - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 From 1583626731241109918@xxx Thu Nov 09 21:49:00 +0000 2017 X-GM-THRID: 1576519731154696149 X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread