[PATCH ghak122 v1] audit: store event sockaddr in case of no rules

Paul Moore paul at paul-moore.com
Tue Jul 14 01:19:24 UTC 2020


On Mon, Jul 13, 2020 at 9:08 PM Richard Guy Briggs <rgb at redhat.com> wrote:
> On 2020-07-13 20:11, Paul Moore wrote:
> > On Mon, Jul 13, 2020 at 7:09 PM Casey Schaufler <casey at schaufler-ca.com> wrote:
> > > ... but it does appear that I could switch to using your audit_alloc_local().
> >
> > In my opinion, linking the audit container ID and LSM stacking
> > patchsets would seem like a very big mistake, especially since the
> > consolidation you are describing could be done after the fact without
> > any disruption to the kernel/userspace interface.  I would strongly
> > encourage both patchsets to remain self-contained if at all possible
> > so as to not jeopardize each other.
>
> I see no need to link them.  The audit_alloc_local() patch could stand
> on its own to be used by either patchset and doesn't need to be included
> in the contid patchset.  There is no mention of contid in it.  Patches 8
> and 11 depend on it so as long as it is already upstream that's fine.

Let me be clear, please don't do this.  I really dislike that we need
audit_alloc_local(), but we do because computers are awful things and
audit is perhaps even more awful.

Someday I'll make my peace with audit_alloc_local(), and/or it will
become something more useful through consolidation, but now is not the
time to push on this issue considering where the audit container ID
patchset is at.

-- 
paul moore
www.paul-moore.com



