[PATCH 1/7] audit: implement generic feature setting and retrieving
Steve Grubb
sgrubb at redhat.com
Tue Jul 9 18:30:09 UTC 2013
On Monday, July 08, 2013 05:55:07 PM Eric Paris wrote:
> On Mon, 2013-07-08 at 16:28 -0400, Steve Grubb wrote:
> > On Friday, May 24, 2013 12:11:44 PM Eric Paris wrote:
> > > The audit_status structure was not designed with extensibility in mind.
> > > Define a new AUDIT_SET_FEATURE message type which takes a new structure
> > > of bits where things can be enabled/disabled/locked one at a time.
> >
> > This changes how we have been doing things. The way that the audit system
> > settings have been done is to use the AUDIT_SET and AUDIT_GET commands. It
> > takes a bit map as the function to perform. We have only used 5 of the 32
> > bits.
> >
> > Do we really need another of the same thing?
>
> It's not the same thing. This is an interface designed for options
> which have 4 states. On/Off and Locked/Unlocked. It is certainly the
> right solution for that problem if we want to solve it generically.
> (look at what it did to the other code who wanted an on/off option)
>
> AUDIT_SET/GET was designed around setting a kernel variable to a single
> value. It does an ok job at this (although I'd argue that there could
> be a better design here as well, but we have this, so we live with it.)
> It certainly does not form naturally to the 4 states of the new
> interface.
I did some more digging. I guess the GET/SET interface is limited. Setting
values could be done by reusing one of the places in the struct, but then
getting the values would be a problem.
So, how is user space supposed to detect that the kernel supports this
interface? What I have needed for years is a way to ask the kernel what
features it currently contains. For example, if you try to use interfield
comparisons and the kernel doesn't support it, I get an EINVAL and bounce that
to the user. What would be better is if I could ask the kernel what features
it contains and then I can not send the interfield comparison but output a
message saying the current kernel does not support this feature.
> I can certainly shoehorn a 4 state interface into AUDIT_SET/GET.
Does the new interface support more than 4 a state variable? Suppose we need
to set a number value like 8192, will it do that?
-Steve
More information about the Linux-audit
mailing list