From: Paul Moore
Date: Thu, 9 Nov 2017 10:18:10 -0500
Subject: Re: [PATCH ALT4 V3 1/2] audit: show fstype:pathname for entries with anonymous parents
To: Steve Grubb, Richard Guy Briggs
Cc: linux-audit@redhat.com, linux-kernel@vger.kernel.org, Steven Rostedt

On Wed, Nov 8, 2017 at 6:29 PM, Steve Grubb wrote:
> On Wednesday, September 20, 2017 12:52:32 PM EST Paul Moore wrote:
>> On Wed, Aug 23, 2017 at 7:03 AM, Richard Guy Briggs wrote:
>> > Tracefs or debugfs were causing hundreds to thousands of null PATH
>> > records to be associated with the init_module and finit_module SYSCALL
>> > records on a few modules when the following rule was in place for
>> > startup:
>> >
>> > -a always,exit -F arch=x86_64 -S init_module -F key=mod-load
>> >
>> > This happens because the parent inode is not found in the task's
>> > audit_names list and hence treats it as anonymous. This gives us no
>> > information other than a numerical device number that may no longer be
>> > visible upon log inspection, and an inode number.
>> >
>> > Fill in the filesystem type, filesystem magic number and full pathname
>> > from the filesystem mount point on previously null PATH records from
>> > entries that have an anonymous parent from the child dentry using
>> > dentry_path_raw().
>
> Late reply...but I just noticed that this changes the format of the "name"
> field - which is undesirable. Please put the file system type in a field all
> by itself called "fstype". You can just leave it as the hex magic number
> prepended with 0x and user space can do the lookup from there.
>
> It might be simplest to just apply a corrective patch over top of this one so
> that you don't have to muck about with git branches and commit messages.

A quick note on the "corrective patch": given we are just days away
from the merge window opening, it is *way* too late for something like
that, at this point the only options are to leave it as-is or
yank/revert and make another pass during the next development phase.

As for the objection itself: ungh. There is really no good reason why
you couldn't have seen this in the *several* *months* prior to this;
Richard wrote a nice patch description which *included* sample audit
events, and you were involved in discussions regarding this patchset.
To say I'm disappointed would be an understatement.

I need to look at the rest of audit/next to see what a mess things
would be if I yanked this patch. I don't expect it to be bad, but
taking a look will also give Richard a chance to voice his thoughts;
it is his patch after all, it would be nice to see an "OK" from him.

Whatever we do, it needs to happen by the end of the day today (Thursday,
November 9th) as we need time to build and test the revised patches.

-- 
paul moore
www.paul-moore.com