[RFC PATCH ghak9 1/3] audit: Add AUDIT_FD_PATH auxiliary record type

Ondrej Mosnacek omosnace at redhat.com
Mon Jul 16 08:19:02 UTC 2018


On Fri, Jul 13, 2018 at 4:53 PM Richard Guy Briggs <rgb at redhat.com> wrote:
> On 2018-07-12 13:36, Ondrej Mosnacek wrote:
> > This new record type is used to log the full path corresponding to some
> > important file descriptor used in a syscall.
> >
> > Signed-off-by: Ondrej Mosnacek <omosnace at redhat.com>
> > ---
> >  include/uapi/linux/audit.h | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> > index 4e3eaba84175..d60041ae34a8 100644
> > --- a/include/uapi/linux/audit.h
> > +++ b/include/uapi/linux/audit.h
> > @@ -114,6 +114,7 @@
> >  #define AUDIT_REPLACE                1329    /* Replace auditd if this packet unanswerd */
> >  #define AUDIT_KERN_MODULE    1330    /* Kernel Module events */
> >  #define AUDIT_FANOTIFY               1331    /* Fanotify access decision */
> > +#define AUDIT_FD_PATH                1334    /* File descriptor path info */
>
> The final message type number depends on other work in flight which may
> or may not be accepted first, so don't count on this one being the
> final.  Having said that, we usually use the next number in sequence
> unless there is a hard dependence on another patchset.
>
> This will be the maintainer's job to juggle all these when they are
> merged upstream.  Unfortunately, that will make more work for the
> corresponding user library patches that help identify this record type.

Of course, I set it to a different number mainly for easier testing on
my side; I can set it to (previous+1) in the later "production-ready"
patchsets.

>
> >  #define AUDIT_AVC            1400    /* SE Linux avc denial or grant */
> >  #define AUDIT_SELINUX_ERR    1401    /* Internal SE Linux Errors */
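
Review bot: AUDIT_FD_PATH is defined as 1334 while the preceding context line, AUDIT_FANOTIFY, is 1331, so the added line skips 1332 and 1333 and the changelog does not say why. This is a uapi header and the user library has to identify the record by this value, so either take the next number in sequence or state in the commit message that the value is provisional for the RFC. The comment "File descriptor path info" and the changelog's "some important file descriptor used in a syscall" also leave open which syscalls emit the record; a sentence naming them would make the new type easier to review.
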
>
> - RGB
>
> --
> Richard Guy Briggs <rgb at redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635

-- 
Ondrej Mosnacek <omosnace at redhat dot com>
Associate Software Engineer, Security Technologies
Red Hat, Inc.



