On Mon, Jun 12, 2017 at 10:45 PM, Richard Guy Briggs <[email protected]> wrote: > On 2017-06-12 20:28, Steve Grubb wrote: >> Hello, > > Hi (swapping in this task after > 2 months...) > >> This patch needs to be refactored to match the current count of error >> messages >> in err_msgtab. >> >> What error message is emitted when run on a kernel that does not support the >> new filter? > > -36 (which needs re-checking now that ghau12/ghau21pr has been reworked.) > >> On Tuesday, April 4, 2017 6:40:18 AM EDT Richard Guy Briggs wrote: >> > Tracefs or debugfs were causing hundreds to thousands of PATH records to >> > be associated with the init_module and finit_module SYSCALL records on a >> > few modules when the following rule was in place for startup: >> > -a always,exit -F arch=x86_64 -S init_module -F key=mod-load >> > >> > Add the new "path" filter list anchored in __audit_inode_child() to >> > filter out PATH records from uninteresting filesystem types, "fstype", >> > keying on their kernel hexadecimal 4-octet magic identifier. >> > >> > An example rule would look like: >> > -a never,path -F fstype=0x74726163 -F key=ignore_tracefs >> > -a never,path -F fstype=0x64626720 -F key=ignore_debugfs >> >> Are we sure path is the best name for this filter? Is there something more >> precise like filesystem? > > It is filesystem type that we are filtering, but there may be a use case > to filter on another factor later, so like the "type" filter that really > is the "exclude" filter, let's not make that mistake again. > > I wrestled with that for a while and kept coming back to "path" filter > due to the fact that it was a path record that was affected. At the > moment it is only active on audit_inode_child, but I could potentially > see it being active on audit_inode as well.
FWIW, I too struggled a bit with that name when looking at the kernel code. I'm not a fan of "path" in this case, but I can't think of anything substantially better. -- paul moore www.paul-moore.com -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
