Received: by 10.223.164.202 with SMTP id h10csp749271wrb; Thu, 9 Nov 2017 13:49:00 -0800 (PST) X-Google-Smtp-Source: ABhQp+Tewzd4MPyrZtRQdSmjR4rR971k1OVQ3CYV6FGk9LQdrvEFscudq2KZcnuGKT8/pCW7cZFN X-Received: by 10.101.65.6 with SMTP id w6mr1809694pgp.365.1510264140731; Thu, 09 Nov 2017 13:49:00 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1510264140; cv=none; d=google.com; s=arc-20160816; b=iwyJbJgCeEvyAyAI+UjWKVCJNpOLHb4H3GQjTuMCZJS+mkvDlmO9NRNTF0VxmzJZzN 3NE5Ke+4y9uspx0kUDk/jABdbD5m3Yjx0jtvovTCemgXJtuFTK21uBTbFawsfbrb3Rqg uV5uyigABRPtZxrXK3y3SEHv63MXREPfL/Lrf5IHbjNaihET8R8BmpDeENzzf+sMXrJD 4Y5IOLsFeo/eiTnc5J4dvFJ5/almRnlgVaKpgl3Vy6920BUbvgo25SvNsYruK4F8aVaq bFzuq/9M2CVhQmaqgwchdyOCCd0uxMlw2OIOX0HNO/Gjp/eoZ5SERW0c9eWiMF0zTqeO eOGw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=SNr0qPyZp+EY0U+zQBgF/QwpMVaIxmxetudwwd9WlaI=; b=GF+UYf1D2GHimDNDr9HQp2j34KkLBwPg22J5PbHcvdBFJWVPMn7kRIToeb+dRidJ8K WLfMlxQd3YxP2W3xrMRSiwigqB4Uebf2R3FJjnjWBF3dhVCf+aUuidmA04fMZWnrjSWq sUcnxHxh3FBmXf6tQwR14hnwU2WQQf3X6CdoNHGzpGG3SuzDUT7EmWbtFZM/CV6S+VZb NvRG+vQDm4nuBfD5PvG1jIZOAASLVOlUg6yeMyMgkdw5ArqMfSxjdD3aPtSZu/38D/m/ 2cgB4OCikfukTBHNcu9V5hEc2uBQOnvfhQoIW7J3mdF1D7xu7W62ERr/4TVJzJPpKlvX 9P8g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=AK4ydiEG; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f5si7115360pgn.105.2017.11.09.13.48.49; Thu, 09 Nov 2017 13:49:00 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=AK4ydiEG; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754833AbdKIVr7 (ORCPT + 83 others); Thu, 9 Nov 2017 16:47:59 -0500 Received: from mail-lf0-f52.google.com ([209.85.215.52]:46493 "EHLO mail-lf0-f52.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752952AbdKIVr5 (ORCPT ); Thu, 9 Nov 2017 16:47:57 -0500 Received: by mail-lf0-f52.google.com with SMTP id e102so4594079lfi.3 for ; Thu, 09 Nov 2017 13:47:56 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=SNr0qPyZp+EY0U+zQBgF/QwpMVaIxmxetudwwd9WlaI=; b=AK4ydiEG8IpkghGgZQCLCsgcfx+PP6Jb3CJFLxKczHh5r2Q11p4iqLLrUlAzo8HsB1 cn1lKriNva408kF1acMlypt1C5/sMMYSEdbwnKt7OL4YkIWtPHfyIE0Kffc8LIObE0JI oCftFm9/nJuZPB8DQluvosVhcZfwYHOoeN8ycY809gK/BHxBQXZefVx6ETVvAi1dFvt8 gbX5R+pyGmIDa7vWhY+076eZRBrAL9Qn2QhCT/D3hxbzR4JzNmg3/nqJFHcCLALS/lks QKIw1Hj3uSuNVTYDnTsc7IbpMJa/kcgRKTfxohtbq4ZHiK/cokD8kwKq8Zl95wWKMMtR JtOQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=SNr0qPyZp+EY0U+zQBgF/QwpMVaIxmxetudwwd9WlaI=; b=hIMl+hJHpChdVhGYt609UOOCOjri0ZSlPQTnxT62Kt9AZdRDM6nlpPtp1efbRdzCEW pZpve93le5U46b7YFd4/VFnQPucctl8/kAQNd6EdX0UaOWyY8znbu5KzDMqUttBhLOYt 4qKKAFxfKn3UQNMQmlSdUkTJ+6VaRv0luODzJs+giz3kkhcbMR2d2ECAalaYYakJWDAh W2qQ5klDtH+GBrax+FhGpaBdN71UtmdAL9ukrt5BYU7H75vVPyhAJ/1BlwrbJoItfzV9 JWtZKKUcA9KPxb2+JY1+xGDH3LjA9oW/UzRy6tHX3KcKq4mgDD9XrcaHREJ88li0b04r 1JYg== X-Gm-Message-State: AJaThX6JxR9pPp3meUBiQ2QNBgF786+6McaPn1QVTTaBc4d7DqkTyZta H9YwPjyP/OpU7o/XzacKBbDA8AFs1r8ffxlZ/vTT X-Received: by 10.46.84.84 with SMTP id y20mr879792ljd.89.1510264075798; Thu, 09 Nov 2017 13:47:55 -0800 (PST) MIME-Version: 1.0 Received: by 10.25.158.148 with HTTP; Thu, 9 Nov 2017 13:47:54 -0800 (PST) X-Originating-IP: [108.49.102.27] In-Reply-To: <20171109205246.ohro2gbsnvc7hpij@madcap2.tricolour.ca> References: <5662600.QY0GDuKsRv@x2> <2668378.rW6Oo1akt8@x2> <20171109205246.ohro2gbsnvc7hpij@madcap2.tricolour.ca> From: Paul Moore Date: Thu, 9 Nov 2017 16:47:54 -0500 Message-ID: Subject: Re: [PATCH ALT4 V3 1/2] audit: show fstype:pathname for entries with anonymous parents To: Richard Guy Briggs , Steve Grubb Cc: linux-audit@redhat.com, linux-kernel@vger.kernel.org, Steven Rostedt Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Nov 9, 2017 at 3:52 PM, Richard Guy Briggs wrote: > On 2017-11-09 10:59, Paul Moore wrote: >> On Thu, Nov 9, 2017 at 10:31 AM, Steve Grubb wrote: >> > On Thursday, November 9, 2017 10:18:10 AM EST Paul Moore wrote: >> >> On Wed, Nov 8, 2017 at 6:29 PM, Steve Grubb wrote: >> >> ... >> >> >> > Late reply...but I just noticed that this changes the format of the "name" >> >> > field - which is undesirable. Please put the file system type in a field >> >> > all by itself called "fstype". You can just leave it as the hex magic >> >> > number prepended with 0x and user space can do the lookup from there, >> >> > >> >> > It might be simplest to just apply a corrective patch over top of this one >> >> > so that you don't have to muck about with git branches and commit >> >> > messages. >> >> >> >> A quick note on the "corrective patch": given we are just days away >> >> from the merge window opening, it is *way* to late for something like >> >> that, at this point the only options are to leave it as-is or >> >> yank/revert and make another pass during the next development phase. >> > >> > Then yank it. I think that is overreacting but given the options you presented >> > its the only one that avoids changing a critical field format. >> >> It's not overreacting Steve, there is simply no way we can test and >> adequately soak new changes in the few days we have left. Event >> yanks/reverts carry a risk at this stage, but I consider that the less >> risky option for these patches. Neither is a great option, and that >> is why I'm rather annoyed. > > I don't really see that this is my choice to include it or not. This is > the upstream maintainer's decision. You are right, however, while ultimately it isn't your choice I still wanted to hear your opinion on this as you have put a lot of effort into this patchset. > I can't say I'd be thrilled to have my name on something that stuffs up > the system though. It still isn't clear to me why an incomplete path > from some seemingly random place in the filesystem tree is preferable to > something that gives it an anchor point, at least to human interpreters. That confuses me too. My current thinking is that a partial, or relative, path is not something we want. > Adding an fstype to the record is an interesting idea, but then creates > a void for all the rest of the properly formed records that don't need > it and will need more work to find it, wasting bandwidth with > "fstype=?". Not to mention we still have the relative path problem in this case. > How are the analysis tools stymied by a text prefix to a path that it can't find anyways? I've been wondering the same. My gut feeling isn't a positive comment so I'll refrain from sharing it here. > Since we have a chance to fix it before it goes upstream, I think it > should either be yanked and respun, or add a corrective patch and submit > them together. The odds of agreeing upon a corrective patch and getting it tested and soaked before the merge window opens is z-e-r-o. As I said earlier, at the very top of my first response, this isn't an option (I'm hoping you just missed reading that). I've been testing audit/next without patch 1/2 this afternoon and it is still looking okay; unless I see something arguing against it within the next hour or two that's what I'm going to send up to Linus. >> >> As for the objection itself: ungh. There is really no good reason why >> >> you couldn't have seen this in the *several* *months* prior to this; >> >> Richard wrote a nice patch description which *included* sample audit >> >> events, and you were involved in discussions regarding this patchset. >> >> To say I'm disappointed would be an understatement. >> > >> > I am also disappointed to find that we are modifying a searchable field that >> > has been defined since 2005. The "name" field is very important. It's used in >> > quite a few reports, its used in the text format, it's searchable, and we have >> > a dictionary that defines exactly what it is. Fields that are searchable and >> > used in common reports cannot be changed without a whole lot of coordination. >> > I'm also disappointed to have to point out that new information should go in >> > its own field. I thought this was common knowledge. In any event, it was >> > caught and problems can be avoided. > > So why does this make it unsearchable? I still don't understand any > explanations that have been made so far. Agree. >> There are plenty of things to say about the above comment, but in the >> interest of brevity I'm just going to leave it at the assumptions and >> inflexibility in your audit userspace continue to amaze me in all the >> worst ways. Regardless, as you say, the problem can likely be avoided >> this time. >> >> >> I need to look at the rest of audit/next to see what a mess things >> >> would be if I yanked this patch. I don't expect it to be bad, but >> >> taking a look will also give Richard a chance to voice his thoughts; >> >> it is his patch after all, it would be nice to see an "OK" from him. >> >> Whatever we do, it needs to happen by the of the day today (Thursday, >> >> November 9th) as we need time to build and test the revised patches. >> >> FWIW, I just went through audit/next and it looks like yanking patch >> 1/2 isn't going to be too painful; I'm waiting on the build to finish >> now. Also, as a FYI, Richard's 2/2 filtering patch is going to remain >> in audit/next as that appears unrelated to the pathname objection, >> applies cleanly, and still offers value. > > The irony here stuns me. 2/2 was supposed to be the more controvertial > one. Yes, me too. I never thought patch 1/2 would be the problematic one. Oh well. Do you have any objection to 2/2 going up to Linus? -- paul moore www.paul-moore.com From 1583623292221880410@xxx Thu Nov 09 20:54:20 +0000 2017 X-GM-THRID: 1576519731154696149 X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread