[PATCH 1/1] audit: Add new syscalls to the perm=w filter
Paul Moore
paul at paul-moore.com
Mon Oct 16 19:18:34 UTC 2017
On Mon, Oct 16, 2017 at 3:10 PM, Paul Moore <paul at paul-moore.com> wrote:
> On Thu, Oct 12, 2017 at 11:24 PM, Steve Grubb <sgrubb at redhat.com> wrote:
>> The audit subsystem allows selecting audit events based on watches for
>> a particular behavior like writing to a file. A lot of syscalls have
>> been added without updating the list. This patch adds 2 syscalls to the
>> write filters: fallocate and renameat2.
>>
>> Signed-off-by: sgrubb <sgrubb at redhat.com>
>> ---
>> include/asm-generic/audit_dir_write.h | 4 ++++
>> include/asm-generic/audit_write.h | 3 +++
>> 2 files changed, 7 insertions(+)
>
> FWIW, I expect that this syscall list is almost always going to be out
> of date; it's just the way this feature is designed. That doesn't
> mean I'm not going to merge fixes, I just want to make sure
> expectations are set accordingly.
>
> Before I merge this, Steve, can you explain why fallocate() should be
> on the write list? It doesn't actually write any user data to disk,
> it actually doesn't write anything, all it does is play with the
> amount of space allocated for the given fd on the storage device. I
> don't really care either way, this just struck me as odd and I want to
> make sure you have a good reason (hint: add it to the patch
> description).

Oh, one more thing; it's administrative and not tied to a particular
patch ... there is no need to write "PATCH 1/1" when there is just
one patch, a simple "PATCH" is sufficient. The extra "1/1" just adds
a bit of extra work as I need to clean it up before merging; it's not
a big deal, but if I still see you doing it a month from now I may
have to get a bit salty ;)
--
paul moore
www.paul-moore.com