| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <32702596.GifTzGnU6n@x2> Date: Wed, 05 Aug 2015 16:08:23 -0400 From: Steve Grubb <sgrubb@...hat.com> To: Paul Moore <pmoore@...hat.com> Cc: Richard Guy Briggs <rgb@...hat.com>, linux-audit@...hat.com, linux-kernel@...r.kernel.org, eparis@...hat.com Subject: Re: [PATCH V4 (was V6)] audit: use macros for unset inode and device values On Wednesday, August 05, 2015 03:16:58 PM Paul Moore wrote: > On Wednesday, August 05, 2015 02:30:14 AM Richard Guy Briggs wrote: > > On 15/08/04, Paul Moore wrote: > > > On Saturday, August 01, 2015 03:42:23 PM Richard Guy Briggs wrote: > > > > Signed-off-by: Richard Guy Briggs <rgb@...hat.com> > > > > --- > > > > > > > > include/uapi/linux/audit.h | 2 ++ > > > > kernel/audit.c | 2 +- > > > > kernel/audit_watch.c | 8 ++++---- > > > > kernel/auditsc.c | 6 +++--- > > > > 4 files changed, 10 insertions(+), 8 deletions(-) > > > > > > Yipee, less magic numbers! > > > > > > However, one question for you ... are we ever going to see a device or > > > inode set to -1 in the userspace facing API? In other words, should the > > > new #defines go in the uapi headers or simply in kernel/audit.h? Unless > > > it is part of the API, let's leave it out of uapi as we have to be very > > > careful about that stuff and I'd prefer to keep it minimal. > > > > This is a good point. I did briefly thing about this at one point. > > Perhaps Steve can answer this. It would be trivial to move it back to > > uapi if needed. Would you be ok with it in include/linux/audit.h for > > now? > > I have no problem with it in include/linux/audit.h, that is a kernel-only > include that we can change at anytime. My concern is putting it into a uapi > header which makes it very hard to change. > > I'm thinking we should just go ahead and put it in include/linux/audit.h for > now as I can't think of a reason why userspace should be passing in an > invalid dev/inode value, it just doesn't make sense. If the invalid tokens > prove to be valuable for userspace, we can always move the #defines. I can't imagine anyone auditing against a specific device or inode. Its like auditing a pid when you really want the program name. Its much more useful to audit by filename or directory and not inode/device. So, do whatever you want. The only unset value that people actually use is the auid because deamons have it unset. -Steve -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists