[PATCH] filter: add path filter with fstype

Paul Moore paul at paul-moore.com
Tue Jun 13 14:49:21 UTC 2017 

On Mon, Jun 12, 2017 at 10:45 PM, Richard Guy Briggs <rgb at redhat.com> wrote:
> On 2017-06-12 20:28, Steve Grubb wrote:
>> Hello,
>
> Hi (swapping in this task after > 2 months...)
>
>> This patch needs to be refactored to match the current count of error messages
>> in err_msgtab.
>>
>> What error message is emitted when run on a kernel that does not support the
>> new filter?
>
> -36 (which needs re-checking now that ghau12/ghau21pr has been reworked.)
>
>> On Tuesday, April 4, 2017 6:40:18 AM EDT Richard Guy Briggs wrote:
>> > Tracefs or debugfs were causing hundreds to thousands of PATH records to
>> > be associated with the init_module and finit_module SYSCALL records on a
>> > few modules when the following rule was in place for startup:
>> >         -a always,exit -F arch=x86_64 -S init_module -F key=mod-load
>> >
>> > Add the new "path" filter list anchored in __audit_inode_child() to
>> > filter out PATH records from uninteresting filesystem types, "fstype",
>> > keying on their kernel hexadecimal 4-octet magic identifier.
>> >
>> > An example rule would look like:
>> >     -a never,path -F fstype=0x74726163 -F key=ignore_tracefs
>> >     -a never,path -F fstype=0x64626720 -F key=ignore_debugfs
>>
>> Are we sure path is the best name for this filter? Is there something more
>> precise like filesystem?
>
> It is filesystem type that we are filtering, but there may be a use case
> to filter on another factor later, so like the "type" filter that really
> is the "exclude" filter, let's not make that mistake again.
>
> I wrestled with that for a while and kept coming back to "path" filter
> due to the fact that it was a path record that was affected.  At the
> moment it is only active on audit_inode_child, but I could potentially
> see it being active on audit_inode as well.

FWIW, I too struggled a bit with that name when looking at the kernel
code.  I'm not a fan of "path" in this case, but I can't think of
anything substantially better.

-- 
paul moore
www.paul-moore.com

More information about the Linux-audit mailing list