On Mon, Oct 17, 2016 at 11:40 AM, Richard Guy Briggs <r...@redhat.com> wrote:
> On 2016-10-11 18:15, Paul Moore wrote:
>> Looking back through the git logs, it looks like it originally came
>> out of the user namespace work by Eric Biederman.
>
> That's exactly where it came from. Eric submitted the patch 780a7654 to
> fix the regression caused by e1760bd (userns: Convert the audit loginuid
> to be a kuid) and its set of 9 patches that were part of a 41-patch set.
> I notice Paul was Cc:-ed on that set...

I don't have the time to dig through my mail to see what all was included in that patchset, but based on the git log that patch was from April 2013 and I didn't become responsible for the audit code until October 2014. I also don't see my Acked-by/Reviewed-by tag on that commit so it is safe to say I was busy with other things at the time.

There are plenty of things you can blame me for, this ain't one of 'em.

> I had to work around the work
> around when Steve reported the "f24=..." values.
>
> I can accept that Steve doesn't want to add more ways of doing the same
> thing, so I don't have an easy answer in terms of AUDIT_LOGINUID_SET
> being exposed in the UAPI.
>
> Since sessionid is a new field for filter specification (but not
> reporting and searching), I blocked sessionid==-1 in the api for setting
> filters. This unfortunately makes it a different way to specify it than
> loginuid when it is not set.

We are not going to change the loginuid related mechanisms at this point; they aren't causing any breakage, and I don't want to break the existing kernel/user API without a good reason.

We haven't merged any of the session ID code into the kernel so changes are still possible. The logic for supporting loginuid_set (UID namespace issues) doesn't really apply to session IDs so I think we can drop the sessionid_set part of the API and just use the -1 sentinel.

If you are all still looking to blame somebody, you can all blame me for suggesting session ID to Richard.

Richard, if we use -1 as a magic number for the session ID, we should make sure we roll the session ID value assigned to new sessions before we hit -1 in audit_set_loginuid(...).

--
paul moore
security @ redhat

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
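
The last point in the message above, rolling the counter past the -1 sentinel, shown as a user-space sketch. This is an added example, not code from the kernel or from anyone in this thread; `SID_UNSET`, `session_counter`, `sid_seed()` and `sid_next()` are hypothetical names, and a 32-bit unsigned session ID is assumed.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical sentinel meaning "no session ID set": (unsigned int)-1. */
#define SID_UNSET UINT32_MAX

/* Hypothetical global counter standing in for the session counter. */
static _Atomic uint32_t session_counter;

/* Demo hook to position the counter near the wrap point. */
static void sid_seed(uint32_t v)
{
    atomic_store(&session_counter, v);
}

/*
 * Hand out the next session ID (previous counter value + 1).
 * If that value is the sentinel, take one more increment so that no
 * real session is ever labelled "unset". Each increment is atomic,
 * so concurrent callers still receive distinct IDs.
 */
static uint32_t sid_next(void)
{
    uint32_t sid = atomic_fetch_add(&session_counter, 1) + 1;

    if (sid == SID_UNSET)
        sid = atomic_fetch_add(&session_counter, 1) + 1;
    return sid;
}

int main(void)
{
    /* Constructed starting point: two allocations before the sentinel. */
    sid_seed(SID_UNSET - 2);
    for (int i = 0; i < 3; i++)
        printf("new session id: %u\n", (unsigned int)sid_next());
    return 0;
}
```

Without the second increment, the session created at the wrap point would carry the same value a filter uses to mean "unset", so a rule matching unset sessions would also match that one real session.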