[PATCH v2 2/2] audit: Mark CONFIG_AUDITSYSCALL BROKEN and update help text
Eric Paris
eparis at redhat.com
Thu May 29 02:09:27 UTC 2014
NAK
On Wed, 2014-05-28 at 18:44 -0700, Andy Lutomirski wrote:
> Here are some issues with the code:
> - It thinks that syscalls have four arguments.
Not true at all. It records the registers that would hold the first 4
entries on syscall entry, for use later if needed, as getting those
later on some arches is not feasible (see ia64). It makes no assumption
about how many syscalls a function has.
> - It's a performance disaster.
Only if you enable it. If you don't use audit it is a single branch.
Hardly a disaster.
> - It assumes that syscall numbers are between 0 and 2048.
There could well be a bug here. Not questioning that. Although that
would be patch 1/2
> - It's unclear whether it's supposed to be reliable.
Unclear to whom?
> - It's broken on things like x32.
> - It can't support ARM OABI.
Some arches aren't supported? And that makes it BROKEN?
> - Its approach to freeing memory is terrifying.
What?
None of your reasons hold water. Bugs need to be fixed. Try reporting
them... This is just stupid.
> Signed-off-by: Andy Lutomirski <luto at amacapital.net>
> ---
> init/Kconfig | 13 ++++++++-----
> 1 file changed, 8 insertions(+), 5 deletions(-)
>
> diff --git a/init/Kconfig b/init/Kconfig
> index 9d3585b..24d4b53 100644
> --- a/init/Kconfig
> +++ b/init/Kconfig
> @@ -296,13 +296,16 @@ config HAVE_ARCH_AUDITSYSCALL
> bool
>
> config AUDITSYSCALL
> - bool "Enable system-call auditing support"
> - depends on AUDIT && HAVE_ARCH_AUDITSYSCALL
> + bool "Enable system-call auditing support (not recommended)"
> + depends on AUDIT && HAVE_ARCH_AUDITSYSCALL && BROKEN
> default y if SECURITY_SELINUX
> help
> - Enable low-overhead system-call auditing infrastructure that
> - can be used independently or with another kernel subsystem,
> - such as SELinux.
> + Enable system-call auditing infrastructure that can be used
> + independently or with another kernel subsystem, such as
> + SELinux.
> +
> + AUDITSYSCALL has serious performance and correctness issues.
> + Use it with extreme caution.
>
> config AUDIT_WATCH
> def_bool y
More information about the Linux-audit
mailing list