Received: by 10.223.164.202 with SMTP id h10csp398524wrb;
        Thu, 9 Nov 2017 08:03:09 -0800 (PST)
X-Google-Smtp-Source: ABhQp+TpdjMDtqqG2pkqxAI/kWBkSp4C/x1oEbacIl4n4ULZRvdvxy6FlZnxweaSyyWqgYBali/b
X-Received: by 10.159.208.71 with SMTP id w7mr899023plz.228.1510243389337;
        Thu, 09 Nov 2017 08:03:09 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1510243389; cv=none;
        d=google.com; s=arc-20160816;
        b=PmeymSMmofg5qg/AKTL3q9H/R6gINrRKl7hhv4KutcO+nlXrqzCetymXm2KZS3k/Qf
         lveD54tKbvrqQA47ZvgrLXpuyKcPCtL+X65DjiLT8c6iItaACEFUuqnrUh3ixesRkfOf
         sdRzz5RJbWjv8JL901moXenaBwosA4sk5gTROLHOjoF6v8gA17P99vIHt4XlZr6uFIbz
         n1ZgT48AQK82Z71IyFSgFkGlMNiOsJtkDq3FvH3F6YnBTDLYgiLJ/GO4nLjcZTio6KS3
         p+sNZt9x/zzD5XB/tzd6CrPHOqx6iHk2gXhGzz1eVKi/XQbPMmFEZfDaVE8Tfwulz09j
         rs4w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=CIVDK791X1CeoOrkBcC1JQGllXI0aq7xdtXD9/7Qk9M=;
        b=0jXJKj7Noatwsfwt+Hye3ptk8T5dsGzzRyOuWEsf6J1tkZCkBZaPK66MFCRZ87BNgh
         hhD/WHxlVbNPRiDUGXGKSAkXC7/oe8UxISaRurtzLYdJZapk6mJMAx3LvaLXOrNYY2nf
         TEhcsVvaZimfFFAQTdu8pl5wPj+hn1KxIiUHAfv4WXhf57V1xkz4ecU0HMeFn/SQanvl
         I8M8etz2KEImMGmGc1xkRSWDQG6EeVVcjETczzcTZpS4gPThaB71pkcBrIUdh39IPgvK
         +Cfj0Uf08sWLRA/N3jT8k9A70zjgx9ywbPfKZNA8eN/Fm5PZ4PZ1PkechbiJkovm/IEj
         lAiQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=fiyAXVaw;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id b2si6631844pgr.511.2017.11.09.08.02.36;
        Thu, 09 Nov 2017 08:03:09 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=fiyAXVaw;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753112AbdKIP7e (ORCPT <rfc822;kkoh.linux@gmail.com>
        + 81 others); Thu, 9 Nov 2017 10:59:34 -0500
Received: from mail-lf0-f54.google.com ([209.85.215.54]:49579 "EHLO
        mail-lf0-f54.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1753075AbdKIP7d (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 9 Nov 2017 10:59:33 -0500
Received: by mail-lf0-f54.google.com with SMTP id w21so7718702lfc.6
        for <linux-kernel@vger.kernel.org>; Thu, 09 Nov 2017 07:59:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=paul-moore-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=CIVDK791X1CeoOrkBcC1JQGllXI0aq7xdtXD9/7Qk9M=;
        b=fiyAXVawWi5/9U2eIPyanpuS6xLhLvHjlkMc7PtHCg4iIjnTb+jyBjVAleluN/7vht
         EAl132WewdSsc+x8/PTztb1U6xmrp0uENsFjBmO06kw0br21+WxXc3xyts+tggDjsNKx
         AyVO9pMmNaE0xsQiQhQCmT+nyAPqcmX3Wr/CopWdd1tZWDzgUBFMc4RzED333gGfHoob
         sHQrY7i5vERM13HNhaAp3BoHcArnfiPxKV79EO/fQiJBICMMifYQ3h3dDCcUBSeKhnm7
         le8vtDcC53rfWOencUFOapx6db1CNzIQ9si5AGfoYN/rzdUo+VZX5jdwqGkKPRnKWNhP
         6NzQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=CIVDK791X1CeoOrkBcC1JQGllXI0aq7xdtXD9/7Qk9M=;
        b=ThaWoaWQM1KP6Y1UdRcHCg0QkKCyuNLCzTXqT3IXBlZRLS0CYgNvMs2/MgL9/hNVxJ
         FJpr4hkFHoAPaA9DJDX05N93G8jTEqcsAexxxLnInr62cR5vf5JVmJUg6zvy3x/vpdZ1
         AqUtB2m1wSWlJ31HckQZHiFW6+V5obCozfl9v5H3I4myn1kMT1L3EaiLHUMX01J/F+bM
         8lYfG1q2K8v9d4GluNgTUDOq/mDv/MYLmZy/6aZQ/rq6Xo2oIc4nqd0BCoKw6M+w+ykl
         7uYTePKTjBbneye79y4WF+VgUx55ovvz8BudI6pe06FreBwosmswim7QTnKYnfBwJjQS
         Huug==
X-Gm-Message-State: AJaThX62/f5UqmE9MzZorR31dO706quzuszMwGmm9YbPLq44/ESPfw6Q
        ZsHyN6tfduO2g9oSt+P/5+cGtu8QOCcnG8gwmlBt
X-Received: by 10.46.18.153 with SMTP id 25mr410834ljs.179.1510243171280; Thu,
 09 Nov 2017 07:59:31 -0800 (PST)
MIME-Version: 1.0
Received: by 10.25.19.76 with HTTP; Thu, 9 Nov 2017 07:59:30 -0800 (PST)
X-Originating-IP: [108.49.102.27]
In-Reply-To: <2668378.rW6Oo1akt8@x2>
References: <fa0938a05c2d783556d67d4dafef208b156a35ad.1503484357.git.rgb@redhat.com>
 <5662600.QY0GDuKsRv@x2> <CAHC9VhSb5Q8hSwvzvyY6rfZZDyC0NnOghokTf=FqFKXX6RUt9Q@mail.gmail.com>
 <2668378.rW6Oo1akt8@x2>
From:   Paul Moore <paul@paul-moore.com>
Date:   Thu, 9 Nov 2017 10:59:30 -0500
Message-ID: <CAHC9VhQMzR06Tqr8WNDuV9zgnDfH8reaKam+e_sAFCm1ZK3QQQ@mail.gmail.com>
Subject: Re: [PATCH ALT4 V3 1/2] audit: show fstype:pathname for entries with
 anonymous parents
To:     Steve Grubb <sgrubb@redhat.com>
Cc:     Richard Guy Briggs <rgb@redhat.com>, linux-audit@redhat.com,
        linux-kernel@vger.kernel.org, Steven Rostedt <rostedt@goodmis.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Nov 9, 2017 at 10:31 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Thursday, November 9, 2017 10:18:10 AM EST Paul Moore wrote:
>> On Wed, Nov 8, 2017 at 6:29 PM, Steve Grubb <sgrubb@redhat.com> wrote:

...

>> > Late reply...but I just noticed that this changes the format of the "name"
>> > field - which is undesirable. Please put the file system type in a field
>> > all by itself called "fstype". You can just leave it as the hex magic
>> > number prepended with 0x and user space can do the lookup from there,
>> >
>> > It might be simplest to just apply a corrective patch over top of this one
>> > so that you don't have to muck about with git branches and commit
>> > messages.
>>
>> A quick note on the "corrective patch": given we are just days away
>> from the merge window opening, it is *way* to late for something like
>> that, at this point the only options are to leave it as-is or
>> yank/revert and make another pass during the next development phase.
>
> Then yank it. I think that is overreacting but given the options you presented
> its the only one that avoids changing a critical field format.

It's not overreacting Steve, there is simply no way we can test and
adequately soak new changes in the few days we have left.  Event
yanks/reverts carry a risk at this stage, but I consider that the less
risky option for these patches.  Neither is a great option, and that
is why I'm rather annoyed.

>> As for the objection itself: ungh.  There is really no good reason why
>> you couldn't have seen this in the *several* *months* prior to this;
>> Richard wrote a nice patch description which *included* sample audit
>> events, and you were involved in discussions regarding this patchset.
>> To say I'm disappointed would be an understatement.
>
> I am also disappointed to find that we are modifying a searchable field that
> has been defined since 2005. The "name" field is very important. It's used in
> quite a few reports, its used in the text format, it's searchable, and we have
> a dictionary that defines exactly what it is. Fields that are searchable and
> used in common reports cannot be changed without a whole lot of coordination.
> I'm also disappointed to have to point out that new information should go in
> its own field. I thought this was common knowledge. In any event, it was
> caught and problems can be avoided.

There are plenty of things to say about the above comment, but in the
interest of brevity I'm just going to leave it at the assumptions and
inflexibility in your audit userspace continue to amaze me in all the
worst ways.  Regardless, as you say, the problem can likely be avoided
this time.

>> I need to look at the rest of audit/next to see what a mess things
>> would be if I yanked this patch.  I don't expect it to be bad, but
>> taking a look will also give Richard a chance to voice his thoughts;
>> it is his patch after all, it would be nice to see an "OK" from him.
>> Whatever we do, it needs to happen by the of the day today (Thursday,
>> November 9th) as we need time to build and test the revised patches.

FWIW, I just went through audit/next and it looks like yanking patch
1/2 isn't going to be too painful; I'm waiting on the build to finish
now.  Also, as a FYI, Richard's 2/2 filtering patch is going to remain
in audit/next as that appears unrelated to the pathname objection,
applies cleanly, and still offers value.

-- 
paul moore
www.paul-moore.com

From 1583603053526288320@xxx Thu Nov 09 15:32:39 +0000 2017
X-GM-THRID: 1576519731154696149
X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread