On Fri, Apr 6, 2018 at 7:53 AM, Richard Guy Briggs <r...@redhat.com> wrote:
> On 2018-04-06 13:10, Ondrej Mosnacek wrote:
>> 2018-04-06 12:37 GMT+02:00 Richard Guy Briggs <r...@redhat.com>:
>> > On 2018-04-06 10:43, Ondrej Mosnacek wrote:
>> >> Current implementation of auditing by executable name only implements
>> >> the 'equal' operator. This patch extends it to also support the 'not
>> >> equal' operator.
>> >>
>> >> See: https://github.com/linux-audit/audit-kernel/issues/53
>> >>
>> >> Signed-off-by: Ondrej Mosnacek <omosn...@redhat.com>
>> >> ---
>> >>
>> >> Hi Paul,
>> >>
>> >> this turned out to be easier than I anticipated so I'm sending the patch
>> >> already :) I hope I got everything right. Note that the userspace tools
>> >> also need to be updated to check the feature bit and allow/disallow the
>> >> operator based on that.
>> >
>> > Do we really need to eat up a feature bit for this? The kernel will
>> > simply return -EINVAL if it isn't supported. That will make userspace
>> > implementation easier.
>>
>> The problem then would be that if someone tried to use the not equal
>> operator on an older kernel, he would get some generic error message
>> instead of the current "exe only takes = operator".
>
> You are right. I'm just not sure it is worth spending a feature bit on
> it.
We've gotten a bit carried away with our use of the feature bits and we need
to start engaging in a bit more discipline when it comes to our feature bit
"spending". Ondrej, let's implement this without the feature bit. While I
agree the generic error message isn't extremely useful, it still generates a
"safe" error condition that is transmitted back to the user.

Other than that, I think the patch looked fine to me; resend it and I'll
apply it once the merge window closes.

--
paul moore
www.paul-moore.com

--
Linux-audit mailing list
Linuxfirstname.lastname@example.org
https://www.redhat.com/mailman/listinfo/linux-audit