On Fri, Apr 6, 2018 at 7:53 AM, Richard Guy Briggs <r...@redhat.com> wrote:
> On 2018-04-06 13:10, Ondrej Mosnacek wrote:
>> 2018-04-06 12:37 GMT+02:00 Richard Guy Briggs <r...@redhat.com>:
>> > On 2018-04-06 10:43, Ondrej Mosnacek wrote:
>> >> Current implementation of auditing by executable name only implements
>> >> the 'equal' operator. This patch extends it to also support the 'not
>> >> equal' operator.
>> >>
>> >> See: https://github.com/linux-audit/audit-kernel/issues/53
>> >>
>> >> Signed-off-by: Ondrej Mosnacek <omosn...@redhat.com>
>> >> ---
>> >>
>> >> Hi Paul,
>> >>
>> >> this turned out to be easier than I anticipated so I'm sending the patch
>> >> already :) I hope I got everything right. Note that the userspace tools
>> >> also need to be updated to check the feature bit and allow/disallow the
>> >> operator based on that.
>> >
>> > Do we really need to eat up a feature bit for this?  The kernel will
>> > simply return -EINVAL if it isn't supported.  That will make userspace
>> > implementation easier.
>> The problem then would be that if someone tried to use the not equal
>> operator on an older kernel, he would get some generic error message
>> instead of the current "exe only takes = operator".
> You are right.  I'm just not sure it is worth spending a feature bit on
> it.

We've gotten a bit carried away with our use of the feature bits and
we need to start engaging in a bit more discipline when it comes to
our feature bit "spending".

Ondrej, let's implement this without the feature bit.  While I agree
the generic error message isn't extremely useful, it still generates a
"safe" error condition that is transmitted back to the user.

Other than that, I think the patch looked fine to me; resend it and
I'll apply it once the merge window closes.

paul moore

Linux-audit mailing list

Reply via email to