Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated

On Tuesday, March 13, 2018 8:35:44 PM EDT Andy Lutomirski wrote: > On Wed, Mar 14, 2018 at 12:28 AM, Jiri Kosina wrote: > > On Wed, 14 Mar 2018, Andy Lutomirski wrote: > >> > Yes...I wished I was in on the beginning of this discussion. Here's > >> > the > >> > problem. We need

Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated

On Tuesday, March 13, 2018 8:35:44 PM EDT Andy Lutomirski wrote: > On Wed, Mar 14, 2018 at 12:28 AM, Jiri Kosina wrote: > > On Wed, 14 Mar 2018, Andy Lutomirski wrote: > >> > Yes...I wished I was in on the beginning of this discussion. Here's > >> > the > >> > problem. We need all tasks auditable

Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated

On Tuesday, March 13, 2018 8:28:57 PM EDT Jiri Kosina wrote: > On Wed, 14 Mar 2018, Andy Lutomirski wrote: > > > Yes...I wished I was in on the beginning of this discussion. Here's the > > > problem. We need all tasks auditable unless specifically dismissed as > > > uninteresting. This would be a

Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated

On Tuesday, March 13, 2018 8:28:57 PM EDT Jiri Kosina wrote: > On Wed, 14 Mar 2018, Andy Lutomirski wrote: > > > Yes...I wished I was in on the beginning of this discussion. Here's the > > > problem. We need all tasks auditable unless specifically dismissed as > > > uninteresting. This would be a

Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated

On Wed, Mar 14, 2018 at 12:28 AM, Jiri Kosina wrote: > On Wed, 14 Mar 2018, Andy Lutomirski wrote: > >> > Yes...I wished I was in on the beginning of this discussion. Here's the >> > problem. We need all tasks auditable unless specifically dismissed as >> > uninteresting. This

Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated

On Wed, Mar 14, 2018 at 12:28 AM, Jiri Kosina wrote: > On Wed, 14 Mar 2018, Andy Lutomirski wrote: > >> > Yes...I wished I was in on the beginning of this discussion. Here's the >> > problem. We need all tasks auditable unless specifically dismissed as >> > uninteresting. This would be a

Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated

On Wed, 14 Mar 2018, Andy Lutomirski wrote: > > Yes...I wished I was in on the beginning of this discussion. Here's the > > problem. We need all tasks auditable unless specifically dismissed as > > uninteresting. This would be a task,never rule. > > > > The way we look at it, is if it boots with

Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated

On Wed, 14 Mar 2018, Andy Lutomirski wrote: > > Yes...I wished I was in on the beginning of this discussion. Here's the > > problem. We need all tasks auditable unless specifically dismissed as > > uninteresting. This would be a task,never rule. > > > > The way we look at it, is if it boots with

Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated

On Sat, Mar 10, 2018 at 10:15 AM, Steve Grubb wrote: > On Wed, 7 Mar 2018 18:43:42 -0500 > Paul Moore wrote: >> ... and I just realized that linux-audit isn't on the To/CC line, >> adding them now. >> >> Link to the patch is below. >> >> *

Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated

On Sat, Mar 10, 2018 at 10:15 AM, Steve Grubb wrote: > On Wed, 7 Mar 2018 18:43:42 -0500 > Paul Moore wrote: >> ... and I just realized that linux-audit isn't on the To/CC line, >> adding them now. >> >> Link to the patch is below. >> >> * https://marc.info/?t=15204188763=1=2 > > Yes...I

Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated

On Wed, 7 Mar 2018 18:43:42 -0500 Paul Moore wrote: > ... and I just realized that linux-audit isn't on the To/CC line, > adding them now. > > Link to the patch is below. > > * https://marc.info/?t=15204188763=1=2 Yes...I wished I was in on the beginning of this

Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated

On Wed, 7 Mar 2018 18:43:42 -0500 Paul Moore wrote: > ... and I just realized that linux-audit isn't on the To/CC line, > adding them now. > > Link to the patch is below. > > * https://marc.info/?t=15204188763=1=2 Yes...I wished I was in on the beginning of this discussion. Here's the

Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated

On 2018-03-08 06:30, Andy Lutomirski wrote: > > > > On Mar 8, 2018, at 1:12 AM, Richard Guy Briggs wrote: > > > >> On 2018-03-07 18:43, Paul Moore wrote: > >>> On Wed, Mar 7, 2018 at 6:41 PM, Paul Moore wrote: > On Wed, Mar 7, 2018 at 11:48 AM, Jiri

Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated

On 2018-03-08 06:30, Andy Lutomirski wrote: > > > > On Mar 8, 2018, at 1:12 AM, Richard Guy Briggs wrote: > > > >> On 2018-03-07 18:43, Paul Moore wrote: > >>> On Wed, Mar 7, 2018 at 6:41 PM, Paul Moore wrote: > On Wed, Mar 7, 2018 at 11:48 AM, Jiri Kosina wrote: > > On Wed, 7 Mar

Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated

> On Mar 8, 2018, at 1:12 AM, Richard Guy Briggs wrote: > >> On 2018-03-07 18:43, Paul Moore wrote: >>> On Wed, Mar 7, 2018 at 6:41 PM, Paul Moore wrote: On Wed, Mar 7, 2018 at 11:48 AM, Jiri Kosina wrote: > On Wed, 7 Mar 2018,

Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated

> On Mar 8, 2018, at 1:12 AM, Richard Guy Briggs wrote: > >> On 2018-03-07 18:43, Paul Moore wrote: >>> On Wed, Mar 7, 2018 at 6:41 PM, Paul Moore wrote: On Wed, Mar 7, 2018 at 11:48 AM, Jiri Kosina wrote: > On Wed, 7 Mar 2018, Andy Lutomirski wrote: > Wow, this was a long time

Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated

On 2018-03-07 18:43, Paul Moore wrote: > On Wed, Mar 7, 2018 at 6:41 PM, Paul Moore wrote: > > On Wed, Mar 7, 2018 at 11:48 AM, Jiri Kosina wrote: > >> On Wed, 7 Mar 2018, Andy Lutomirski wrote: > >>> Wow, this was a long time ago. > >> > >> Oh yeah; but it

Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated

On 2018-03-07 18:43, Paul Moore wrote: > On Wed, Mar 7, 2018 at 6:41 PM, Paul Moore wrote: > > On Wed, Mar 7, 2018 at 11:48 AM, Jiri Kosina wrote: > >> On Wed, 7 Mar 2018, Andy Lutomirski wrote: > >>> Wow, this was a long time ago. > >> > >> Oh yeah; but it now resurfaced on our side, as we are

Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated

On Wed, Mar 7, 2018 at 11:41 PM, Paul Moore wrote: > On Wed, Mar 7, 2018 at 11:48 AM, Jiri Kosina wrote: >> On Wed, 7 Mar 2018, Andy Lutomirski wrote: >>> Wow, this was a long time ago. >> >> Oh yeah; but it now resurfaced on our side, as we are of course

Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated

On Wed, Mar 7, 2018 at 11:41 PM, Paul Moore wrote: > On Wed, Mar 7, 2018 at 11:48 AM, Jiri Kosina wrote: >> On Wed, 7 Mar 2018, Andy Lutomirski wrote: >>> Wow, this was a long time ago. >> >> Oh yeah; but it now resurfaced on our side, as we are of course receiving >> a lot of requests with

Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated

On Wed, Mar 7, 2018 at 6:41 PM, Paul Moore wrote: > On Wed, Mar 7, 2018 at 11:48 AM, Jiri Kosina wrote: >> On Wed, 7 Mar 2018, Andy Lutomirski wrote: >>> Wow, this was a long time ago. >> >> Oh yeah; but it now resurfaced on our side, as we are of course

Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated

On Wed, Mar 7, 2018 at 6:41 PM, Paul Moore wrote: > On Wed, Mar 7, 2018 at 11:48 AM, Jiri Kosina wrote: >> On Wed, 7 Mar 2018, Andy Lutomirski wrote: >>> Wow, this was a long time ago. >> >> Oh yeah; but it now resurfaced on our side, as we are of course receiving >> a lot of requests with

Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated

On Wed, Mar 7, 2018 at 11:48 AM, Jiri Kosina wrote: > On Wed, 7 Mar 2018, Andy Lutomirski wrote: >> Wow, this was a long time ago. > > Oh yeah; but it now resurfaced on our side, as we are of course receiving > a lot of requests with respect to making syscall performance great

Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated

On Wed, Mar 7, 2018 at 11:48 AM, Jiri Kosina wrote: > On Wed, 7 Mar 2018, Andy Lutomirski wrote: >> Wow, this was a long time ago. > > Oh yeah; but it now resurfaced on our side, as we are of course receiving > a lot of requests with respect to making syscall performance great again > :) Ooof.

Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated

On Wed, 7 Mar 2018, Andy Lutomirski wrote: > Wow, this was a long time ago. Oh yeah; but it now resurfaced on our side, as we are of course receiving a lot of requests with respect to making syscall performance great again :) > From memory and a bit of email diving, there are two reasons. >

Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated

On Wed, 7 Mar 2018, Andy Lutomirski wrote: > Wow, this was a long time ago. Oh yeah; but it now resurfaced on our side, as we are of course receiving a lot of requests with respect to making syscall performance great again :) > From memory and a bit of email diving, there are two reasons. >

Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated

On Wed, Mar 7, 2018 at 10:32 AM, Jiri Kosina wrote: > From: Jiri Kosina > > There is no point going through all the audit slow path syscall entry/exit > in case the audit daemon is running, but hasn't populated the audit filter > with any rules whatsoever. > >

Re: [PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated

On Wed, Mar 7, 2018 at 10:32 AM, Jiri Kosina wrote: > From: Jiri Kosina > > There is no point going through all the audit slow path syscall entry/exit > in case the audit daemon is running, but hasn't populated the audit filter > with any rules whatsoever. > > Only set TIF_AUDIT_SYSCALL in case

[PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated

From: Jiri Kosina There is no point going through all the audit slow path syscall entry/exit in case the audit daemon is running, but hasn't populated the audit filter with any rules whatsoever. Only set TIF_AUDIT_SYSCALL in case the number of populated audit rules is

[PATCH] audit: set TIF_AUDIT_SYSCALL only if audit filter has been populated

From: Jiri Kosina There is no point going through all the audit slow path syscall entry/exit in case the audit daemon is running, but hasn't populated the audit filter with any rules whatsoever. Only set TIF_AUDIT_SYSCALL in case the number of populated audit rules is non-zero.