On Wed, Jul 17, 2019 at 12:36 AM James Morris <[email protected]> wrote:
> On Tue, 16 Jul 2019, Paul Moore wrote:
>
> > The subj_X approach is still backwards compatible, the difference is
> > that old versions of the tools get a "?" for the LSM creds which is a
> > rather sane way of indicating something is different.
>
> This will still break existing userspace, right? We can't do that.

Trust me, I don't want to break userspace, I wouldn't be suggesting that.
The subj_X approach would cause userspace to see a "?" for the LSM creds
when looking at logs from a stacked-LSM system. I would argue this is
actually safer than the multiplexed approach, as "?" is a safe sentinel
used by the audit subsystem when the value can't be determined; the
multiplexed label in the hands of legacy userspace tools would be
confusing at best, and misleading at worst.

> > Once again, I believe that the subj_X approach is going to be faster
> > than safely parsing the multiplexed format.
>
> What about emitting one audit record for each LSM?

In many of the LSM-generated audit events that is what would happen, and
should just work. What we've been discussing is all the cases where the
audit event is generated outside the context of the LSM but the LSM
credentials are still desirable bits of information. While we are
definitely going in the direction of making multiple-record events more
common, duplicating the same record, with only changes to the LSM creds,
may end up confusing Steve's tools. It would also end up bloating the
audit log, which I know is something everyone wants to avoid.

-- 
paul moore
www.paul-moore.com

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
