[PATCH] audit: allow not equal op for audit by executable

Paul Moore paul at paul-moore.com
Fri Apr 6 21:21:32 UTC 2018


On Fri, Apr 6, 2018 at 7:53 AM, Richard Guy Briggs <rgb at redhat.com> wrote:
> On 2018-04-06 13:10, Ondrej Mosnacek wrote:
>> 2018-04-06 12:37 GMT+02:00 Richard Guy Briggs <rgb at redhat.com>:
>> > On 2018-04-06 10:43, Ondrej Mosnacek wrote:
>> >> Current implementation of auditing by executable name only implements
>> >> the 'equal' operator. This patch extends it to also support the 'not
>> >> equal' operator.
>> >>
>> >> See: https://github.com/linux-audit/audit-kernel/issues/53
>> >>
>> >> Signed-off-by: Ondrej Mosnacek <omosnace at redhat.com>
>> >> ---
>> >>
>> >> Hi Paul,
>> >>
>> >> this turned out to be easier than I anticipated so I'm sending the patch
>> >> already :) I hope I got everything right. Note that the userspace tools
>> >> also need to be updated to check the feature bit and allow/disallow the
>> >> operator based on that.
>> >
>> > Do we really need to eat up a feature bit for this?  The kernel will
>> > simply return -EINVAL if it isn't supported.  That will make userspace
>> > implementation easier.
>>
>> The problem then would be that if someone tried to use the not equal
>> operator on an older kernel, he would get some generic error message
>> instead of the current "exe only takes = operator".
>
> You are right.  I'm just not sure it is worth spending a feature bit on
> it.

We've gotten a bit carried away with our use of the feature bits and
we need to start engaging in a bit more discipline when it comes to
our feature bit "spending".

Ondrej, let's implement this without the feature bit.  While I agree
the generic error message isn't extremely useful, it still generates a
"safe" error condition that is transmitted back to the user.

Other than that, I think the patch looked fine to me; resend it and
I'll apply it once the merge window closes.

-- 
paul moore
www.paul-moore.com
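As an added illustration, not code from the patch or from the kernel, the two pieces of rule handling the thread discusses, modelled in plain C: a validation step that rejects any operator other than `=` or `!=` on the `exe` field with -EINVAL (the "safe" error condition Paul refers to, and the same thing an older kernel that only knows `=` returns for `!=`), and a match step that inverts the `exe` comparison when the operator is `!=`. The enum, function names and sample paths are assumptions of this example; the kernel compares executables through its audit mark rather than the string comparison used here.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the audit comparison operators. The kernel has
 * its own operator enum and rule/field structures; only the two cases
 * relevant to the exe field are modelled here, plus one that is not. */
enum audit_op {
    OP_EQUAL,
    OP_NOT_EQUAL,
    OP_LESS_THAN,   /* valid for numeric fields, meaningless for a path */
};

/* Validation step (modelled on the rule-loading path): an exe rule with
 * any operator other than = or != is rejected with -EINVAL. This is what
 * lets userspace probe support without a feature bit: an older kernel
 * that knows only = rejects != the same way, and the rule never loads. */
int audit_exe_rule_check(enum audit_op op)
{
    if (op != OP_EQUAL && op != OP_NOT_EQUAL)
        return -EINVAL;
    return 0;
}

/* Match step (modelled on the exe case of the syscall filter): compare
 * the task's executable against the rule, then invert the result for !=.
 * String comparison stands in for the kernel's audit-mark comparison.
 * Returns 1 when the rule matches the task, 0 otherwise. */
int audit_exe_match(enum audit_op op, const char *rule_exe, const char *task_exe)
{
    int result = strcmp(rule_exe, task_exe) == 0;

    if (op == OP_NOT_EQUAL)
        result = !result;
    return result;
}

/* Constructed sample: one rule excluding a trusted daemon, checked
 * against a few task executables. */
int main(void)
{
    static const char *rule_exe = "/usr/sbin/trusted-daemon";   /* constructed path */
    static const char *tasks[] = {
        "/usr/sbin/trusted-daemon",
        "/usr/bin/bash",
        "/usr/bin/python3",
    };
    size_t i;

    printf("rule check for '!=': %d\n", audit_exe_rule_check(OP_NOT_EQUAL));
    printf("rule check for '<' : %d (EINVAL is %d)\n",
           audit_exe_rule_check(OP_LESS_THAN), -EINVAL);

    for (i = 0; i < sizeof tasks / sizeof tasks[0]; i++)
        printf("exe!=%s vs %-26s -> %d\n", rule_exe, tasks[i],
               audit_exe_match(OP_NOT_EQUAL, rule_exe, tasks[i]));
    return 0;
}
```

The point of the model is the ordering: a rule is validated once at load time and either loaded or refused with a concrete errno, so a userspace tool can simply attempt to add an `exe!=` rule and treat EINVAL as "kernel too old" rather than consulting a feature bit.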
