Received: by 10.223.164.202 with SMTP id h10csp697080wrb; Thu, 9 Nov 2017 12:54:20 -0800 (PST) X-Google-Smtp-Source: ABhQp+SaOgZhoE1HVfwXFAG4bPThHbjgbzOdyZk6fdW4SrIPN+GSZ6ONyhHb2ZIuf5Qd6s5p5DgU X-Received: by 10.99.115.4 with SMTP id o4mr1642630pgc.371.1510260860810; Thu, 09 Nov 2017 12:54:20 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1510260860; cv=none; d=google.com; s=arc-20160816; b=O4B4a2uXc4XaG22DXl3KtFjW8SbHwGp/vNL6MUOi1QPplfMckJcyBq7Q+xdilk41K3 MButq8B6+HWr4nz3myP2lzPv9AdzwMTXLHmFXVUEzzbrFNn+7SHrlZFJf1wUhb+XkD9/ wTnMaXm1doRbHQg9D9a6uXtwYhwPRQ7qoJoMGDT44D+hEF9GWbxFFDrD3m9QrsNQypzn MeYlamAk12DKjpW+3eqTwu5q8e1OE3PRh6QaAVIcBD45AL+IFQ+rQv2ekFCRKXmQc6uv RsG3Ah+x9EgfywTJXynaWBbWdRzNsFq3HQK0K8/4E6PECKDtiLx/fvRB3B549m6rjAgD u4FQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=UCW7IIp7tyy0wmnaip90mCEvsZHqUHT4wusgIEEtg3E=; b=m7D/zYr7iFN0fYsDtVoO6viftATxaySB3ZNXT/iOiFzCAlvkBBg8UGJsFW8+5R+ktz UgUy1QKANyBQwdqdNkCLPMSXGFmogLeYe43Itexyot+ayZVywk55fBzzXFRWbPGP7WpO Ju8j/oN1HACfuwYeQvufqxI65kiAuaQ+ggW+Q0dAFpU+R2nwMJMKrS5aheaCNWMf6Onx lI+aq/977ff75obZZnAU4cp1XmnC3k6ISumR6YTs7o+XyHVZEuSRMeHU2KaOTL/HoReK FPGalC8fSdazYcNJpcTSaKb0QNRFREqZWtG/3HG/V628T2SMZUqtpD1lRVxznVNMpZmi 068Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id r8si7159327pli.733.2017.11.09.12.54.09; Thu, 09 Nov 2017 12:54:20 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753162AbdKIUxd (ORCPT + 83 others); Thu, 9 Nov 2017 15:53:33 -0500 Received: from mx1.redhat.com ([209.132.183.28]:52122 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751133AbdKIUxb (ORCPT ); Thu, 9 Nov 2017 15:53:31 -0500 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 40FC025C21; Thu, 9 Nov 2017 20:53:31 +0000 (UTC) Received: from madcap2.tricolour.ca (ovpn-112-14.rdu2.redhat.com [10.10.112.14]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 2D8B661F4A; Thu, 9 Nov 2017 20:53:23 +0000 (UTC) Date: Thu, 9 Nov 2017 15:52:46 -0500 From: Richard Guy Briggs To: Paul Moore Cc: Steve Grubb , linux-audit@redhat.com, linux-kernel@vger.kernel.org, Steven Rostedt Subject: Re: [PATCH ALT4 V3 1/2] audit: show fstype:pathname for entries with anonymous parents Message-ID: <20171109205246.ohro2gbsnvc7hpij@madcap2.tricolour.ca> References: <5662600.QY0GDuKsRv@x2> <2668378.rW6Oo1akt8@x2> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: NeoMutt/20171013 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.30]); Thu, 09 Nov 2017 20:53:31 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2017-11-09 10:59, Paul Moore wrote: > On Thu, Nov 9, 2017 at 10:31 AM, Steve Grubb wrote: > > On Thursday, November 9, 2017 10:18:10 AM EST Paul Moore wrote: > >> On Wed, Nov 8, 2017 at 6:29 PM, Steve Grubb wrote: > > ... > > >> > Late reply...but I just noticed that this changes the format of the "name" > >> > field - which is undesirable. Please put the file system type in a field > >> > all by itself called "fstype". You can just leave it as the hex magic > >> > number prepended with 0x and user space can do the lookup from there, > >> > > >> > It might be simplest to just apply a corrective patch over top of this one > >> > so that you don't have to muck about with git branches and commit > >> > messages. > >> > >> A quick note on the "corrective patch": given we are just days away > >> from the merge window opening, it is *way* to late for something like > >> that, at this point the only options are to leave it as-is or > >> yank/revert and make another pass during the next development phase. > > > > Then yank it. I think that is overreacting but given the options you presented > > its the only one that avoids changing a critical field format. > > It's not overreacting Steve, there is simply no way we can test and > adequately soak new changes in the few days we have left. Event > yanks/reverts carry a risk at this stage, but I consider that the less > risky option for these patches. Neither is a great option, and that > is why I'm rather annoyed. I don't really see that this is my choice to include it or not. This is the upstream maintainer's decision. I can't say I'd be thrilled to have my name on something that stuffs up the system though. It still isn't clear to me why an incomplete path from some seemingly random place in the filesystem tree is preferable to something that gives it an anchor point, at least to human interpreters. Adding an fstype to the record is an interesting idea, but then creates a void for all the rest of the properly formed records that don't need it and will need more work to find it, wasting bandwidth with "fstype=?". How are the analysis tools stymied by a text prefix to a path that it can't find anyways? Since we have a chance to fix it before it goes upstream, I think it should either be yanked and respun, or add a corrective patch and submit them together. > >> As for the objection itself: ungh. There is really no good reason why > >> you couldn't have seen this in the *several* *months* prior to this; > >> Richard wrote a nice patch description which *included* sample audit > >> events, and you were involved in discussions regarding this patchset. > >> To say I'm disappointed would be an understatement. > > > > I am also disappointed to find that we are modifying a searchable field that > > has been defined since 2005. The "name" field is very important. It's used in > > quite a few reports, its used in the text format, it's searchable, and we have > > a dictionary that defines exactly what it is. Fields that are searchable and > > used in common reports cannot be changed without a whole lot of coordination. > > I'm also disappointed to have to point out that new information should go in > > its own field. I thought this was common knowledge. In any event, it was > > caught and problems can be avoided. So why does this make it unsearchable? I still don't understand any explanations that have been made so far. > There are plenty of things to say about the above comment, but in the > interest of brevity I'm just going to leave it at the assumptions and > inflexibility in your audit userspace continue to amaze me in all the > worst ways. Regardless, as you say, the problem can likely be avoided > this time. > > >> I need to look at the rest of audit/next to see what a mess things > >> would be if I yanked this patch. I don't expect it to be bad, but > >> taking a look will also give Richard a chance to voice his thoughts; > >> it is his patch after all, it would be nice to see an "OK" from him. > >> Whatever we do, it needs to happen by the of the day today (Thursday, > >> November 9th) as we need time to build and test the revised patches. > > FWIW, I just went through audit/next and it looks like yanking patch > 1/2 isn't going to be too painful; I'm waiting on the build to finish > now. Also, as a FYI, Richard's 2/2 filtering patch is going to remain > in audit/next as that appears unrelated to the pathname objection, > applies cleanly, and still offers value. The irony here stuns me. 2/2 was supposed to be the more controvertial one. > paul moore - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 From 1583604972006085773@xxx Thu Nov 09 16:03:09 +0000 2017 X-GM-THRID: 1576519731154696149 X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread