On Mon, Jan 13, 2014 at 6:56 PM, Eric Paris <epa...@redhat.com> wrote:
> We have a helper function which writes out all of the interesting
> identity information about tasks, audit_log_task_info(). We then have a
> second helper, audit_log_task(), which is only used by audit_core_dumps()
> and __audit_seccomp(). It is lightweight and only outputs some of the
> information about the task. There does not appear to be a rationale for
> its existence except audit_core_dumps() originally did it this way. At
> the time audit_log_task_info() did not exist. When __audit_seccomp came
> along audit_core_dumps() was split into this helper and reused. But
> there was a better helper in audit.c.
>
> This does reorder the records for audit_core_dumps() and
> __audit_seccomp(). The new record order is below. The number in () is
> the order in the old record. Entries without a () do not exist in the
> old record.
>
> audit_log_task_info:
> ppid pid (6) auid (1) uid (2) gid (3) euid
> suid fsuid egid sgid fsgid tty
> ses (4) comm (7) exe (8) subj (5)
>
> audit_log_task:
> auid uid gid ses subj pid comm exe
>
> It seems that reusing the task info pattern throughout records should
> allow for faster, simpler, more streamlined userspace records parsing, but
> changing order like this might be a deal breaker.
>
> Signed-off-by: Eric Paris <epa...@redhat.com>

Sounds fine to me. Thanks!

Acked-by: Kees Cook <keesc...@chromium.org>

-Kees

--
Kees Cook
Chrome OS Security
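
For the userspace-parsing concern in the quoted commit message, an added example (not part of the original thread or the kernel tree): a parser that keys on field names, so the old and new field orders yield the same task identity. The two records are constructed samples that follow the orders listed above; the hex-encoded `comm` assumes the kernel's untrusted-string encoding, and the helper names are hypothetical.

```python
import re

# Fields the kernel emits as untrusted strings: quoted when safe,
# otherwise an unquoted hex string (for example when comm contains a space).
UNTRUSTED = {"comm", "exe"}

# key=value, where value is either "quoted" or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The eight fields the old audit_log_task() helper wrote, per the message above.
OLD_FIELDS = ("auid", "uid", "gid", "ses", "subj", "pid", "comm", "exe")

def parse_record(line):
    """Return {field: value} for one audit record, independent of field order."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            value = raw[1:-1]
        elif key in UNTRUSTED:
            try:
                value = bytes.fromhex(raw).decode("utf-8", "replace")
            except ValueError:
                value = raw  # not hex, keep the raw token
        else:
            value = raw
        fields[key] = value
    return fields

def same_task(a, b):
    """Compare two parsed records on the fields both layouts share."""
    return all(a.get(k) == b.get(k) for k in OLD_FIELDS)

# Constructed sample records (not captured from a real system).
OLD = ('type=SECCOMP msg=audit(1389657360.101:71): auid=1000 uid=1000 gid=1000 '
       'ses=1 subj=unconfined pid=2301 comm=73616E6420626F78 '
       'exe="/usr/bin/sandboxed"')
NEW = ('type=SECCOMP msg=audit(1389657360.101:71): ppid=2290 pid=2301 auid=1000 '
       'uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 '
       'fsgid=1000 tty=pts0 ses=1 comm=73616E6420626F78 '
       'exe="/usr/bin/sandboxed" subj=unconfined')

if __name__ == "__main__":
    old, new = parse_record(OLD), parse_record(NEW)
    print("same task identity:", same_task(old, new))
    print("fields only in new layout:", sorted(set(new) - set(old)))
```

A parser that indexes fields by position sees `auid=1000` as the third token of the old record and `ppid=2290` as the third token of the new one, which is the breakage the commit message worries about.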