[PATCH 1/1] audit: Add new syscalls to the perm=w filter
Paul Moore
paul at paul-moore.com
Mon Oct 16 19:35:49 UTC 2017
On Mon, Oct 16, 2017 at 3:18 PM, Paul Moore <paul at paul-moore.com> wrote:
> On Mon, Oct 16, 2017 at 3:10 PM, Paul Moore <paul at paul-moore.com> wrote:
>> On Thu, Oct 12, 2017 at 11:24 PM, Steve Grubb <sgrubb at redhat.com> wrote:
>>> The audit subsystem allows selecting audit events based on watches for
>>> a particular behavior like writing to a file. A lot of syscalls have
>>> been added without updating the list. This patch adds 2 syscalls to the
>>> write filters: fallocate and renameat2.
>>>
>>> Signed-off-by: sgrubb <sgrubb at redhat.com>
One more one more thing ;)
You are supposed to use your "Full Name" and not a username, see
Documentation/process/5.Posting.rst
for more information. I'm going to go ahead and substitute "Steve
Grubb" because that is how you are sending your emails, but please
correct this in the future; sign-off lines are very important.
>>> ---
>>> include/asm-generic/audit_dir_write.h | 4 ++++
>>> include/asm-generic/audit_write.h | 3 +++
>>> 2 files changed, 7 insertions(+)
>>
>> FWIW, I expect that this syscall list is almost always going to be out
>> of date; it's just the way this feature is designed. That doesn't
>> mean I'm not going to merge fixes, I just want to make sure
>> expectations are set accordingly.
>>
>> Before I merge this Steve, can you explain why fallocate() should be
>> on the write list? It doesn't actually write any user data to disk,
>> it actually doesn't write anything, all it does is play with the
>> amount of space allocated for the given fd on the storage device. I
>> don't really care either way, this just struck me as odd and I want to
>> make sure you have a good reason (hint: add it to the patch
>> description).
>
> Oh, one more thing; it's administrative and not tied to a particular
> patch ... there is no need to add write "PATCH 1/1" when there is just
> one patch, a simple "PATCH" is sufficient. The extra "1/1" just adds
> a bit of extra work as I need to clean it up before merging; it's not
> a big deal, but if I still see you doing it a month from now I may
> have to get a bit salty ;)
--
paul moore
www.paul-moore.com
More information about the Linux-audit
mailing list