Received: by 10.223.164.202 with SMTP id h10csp365265wrb; Thu, 9 Nov 2017 07:32:39 -0800 (PST) X-Google-Smtp-Source: ABhQp+RTIkF8QiAN84+hXofSqvNDzo/OCcV8tAI+ed7mya7dka5A6bOqFA4R2ZzlJekSbgW68GtH X-Received: by 10.99.39.198 with SMTP id n189mr829548pgn.78.1510241559348; Thu, 09 Nov 2017 07:32:39 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1510241559; cv=none; d=google.com; s=arc-20160816; b=tlDrLoAL5CnsdMeYOhffsBAaQFmFkQn7C9soDBVCWxc/TX+gpW4FoHnaD+r2s6HPaR ljtFoFe8oDSjk60nCWuqi9dUSD5RHVj6kF3Ql+4QCPzYV8criZkO7AwJ708aZ6qMTM0x c9Tz1tXhWif2hwAh2Zjwvr3HAN9HqgxpwRRwfLYDcIK5lSahCwlBGsczc1O3gR6t3BlN Rc96iX+o5VNNVtByv5ai+nRJDuRB1o4rYzqyxhRIxix2qdmR+kKsz2Wmwkq2oNhJ3a7g 20HVlywBUNGOOCA+4XefIUgzgdag1wz1APe7X9Z1nJny7BVRKp0ENREjAXw782JxNl24 Npng== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:organization:message-id:date:subject:cc:to :from:arc-authentication-results; bh=GqJLRSNZeHinBx2BGnPoznma2vO1nHHXqVf6CslO2g0=; b=o4v67bofQvQiclkTGl/ToOLnsJXAEXOWa7OOfH2Opng3zAzzGU+UXsYv9pN4p3xqUE CtTWXY6g5EQItPYUzCA2CGHnt7GCTEV0cpFbNTOPeVb5/xX/pnUOM0rklQwP8KrtP6Oa 3+T8eCIjUtUkNRqlbBZ6yoXIZziyk7ZXssxGxZus5QbiPHhfBWMPqih4grqgYdz4OczJ VcAbWgQj+oUYpcz3146RXpGmfqxGryIpDDLu5Vpk9UzhnZtHBE61S4rm1bHkYi2naNwx Dp2dK86zhs+t9sI5HOETXca9Rrjjevw0tHzn4lO6ibPDkFJSOawGf93YEBLyA7jCrGHu snpg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g19si7034339pfd.61.2017.11.09.07.32.27; Thu, 09 Nov 2017 07:32:39 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752814AbdKIPbs (ORCPT + 80 others); Thu, 9 Nov 2017 10:31:48 -0500 Received: from mx1.redhat.com ([209.132.183.28]:45544 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751404AbdKIPbr (ORCPT ); Thu, 9 Nov 2017 10:31:47 -0500 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 13D04916AB; Thu, 9 Nov 2017 15:31:47 +0000 (UTC) Received: from x2.localnet (ovpn-121-169.rdu2.redhat.com [10.10.121.169]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 0E1515D9CA; Thu, 9 Nov 2017 15:31:42 +0000 (UTC) From: Steve Grubb To: Paul Moore Cc: Richard Guy Briggs , linux-audit@redhat.com, linux-kernel@vger.kernel.org, Steven Rostedt Subject: Re: [PATCH ALT4 V3 1/2] audit: show fstype:pathname for entries with anonymous parents Date: Thu, 09 Nov 2017 10:31:38 -0500 Message-ID: <2668378.rW6Oo1akt8@x2> Organization: Red Hat In-Reply-To: References: <5662600.QY0GDuKsRv@x2> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.29]); Thu, 09 Nov 2017 15:31:47 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thursday, November 9, 2017 10:18:10 AM EST Paul Moore wrote: > On Wed, Nov 8, 2017 at 6:29 PM, Steve Grubb wrote: > > On Wednesday, September 20, 2017 12:52:32 PM EST Paul Moore wrote: > >> On Wed, Aug 23, 2017 at 7:03 AM, Richard Guy Briggs wrote: > >> > Tracefs or debugfs were causing hundreds to thousands of null PATH > >> > records to be associated with the init_module and finit_module SYSCALL > >> > records on a few modules when the following rule was in place for > >> > > >> > startup: > >> > -a always,exit -F arch=x86_64 -S init_module -F key=mod-load > >> > > >> > This happens because the parent inode is not found in the task's > >> > audit_names list and hence treats it as anonymous. This gives us no > >> > information other than a numerical device number that may no longer be > >> > visible upon log inspeciton, and an inode number. > >> > > >> > Fill in the filesystem type, filesystem magic number and full pathname > >> > from the filesystem mount point on previously null PATH records from > >> > entries that have an anonymous parent from the child dentry using > >> > dentry_path_raw(). > > > > Late reply...but I just noticed that this changes the format of the "name" > > field - which is undesirable. Please put the file system type in a field > > all by itself called "fstype". You can just leave it as the hex magic > > number prepended with 0x and user space can do the lookup from there, > > > > It might be simplest to just apply a corrective patch over top of this one > > so that you don't have to muck about with git branches and commit > > messages. > > A quick note on the "corrective patch": given we are just days away > from the merge window opening, it is *way* to late for something like > that, at this point the only options are to leave it as-is or > yank/revert and make another pass during the next development phase. Then yank it. I think that is overreacting but given the options you presented its the only one that avoids changing a critical field format. > As for the objection itself: ungh. There is really no good reason why > you couldn't have seen this in the *several* *months* prior to this; > Richard wrote a nice patch description which *included* sample audit > events, and you were involved in discussions regarding this patchset. > To say I'm disappointed would be an understatement. I am also disappointed to find that we are modifying a searchable field that has been defined since 2005. The "name" field is very important. It's used in quite a few reports, its used in the text format, it's searchable, and we have a dictionary that defines exactly what it is. Fields that are searchable and used in common reports cannot be changed without a whole lot of coordination. I'm also disappointed to have to point out that new information should go in its own field. I thought this was common knowledge. In any event, it was caught and problems can be avoided. -Steve > I need to look at the rest of audit/next to see what a mess things > would be if I yanked this patch. I don't expect it to be bad, but > taking a look will also give Richard a chance to voice his thoughts; > it is his patch after all, it would be nice to see an "OK" from him. > Whatever we do, it needs to happen by the of the day today (Thursday, > November 9th) as we need time to build and test the revised patches. From 1583602207909232411@xxx Thu Nov 09 15:19:13 +0000 2017 X-GM-THRID: 1576519731154696149 X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread