[PATCH 1/1] audit: Add new syscalls to the perm=w filter
Paul Moore
paul at paul-moore.com
Tue Oct 17 14:11:36 UTC 2017
On Mon, Oct 16, 2017 at 9:05 PM, Paul Moore <paul at paul-moore.com> wrote:
> On Mon, Oct 16, 2017 at 4:31 PM, Steve Grubb <sgrubb at redhat.com> wrote:
>> On Monday, October 16, 2017 3:10:59 PM EDT Paul Moore wrote:
>>> On Thu, Oct 12, 2017 at 11:24 PM, Steve Grubb <sgrubb at redhat.com> wrote:
>>> > The audit subsystem allows selecting audit events based on watches for
>>> > a particular behavior like writing to a file. A lot of syscalls have
>>> > been added without updating the list. This patch adds 2 syscalls to the
>>> > write filters: fallocate and renameat2.
>>> >
>>> > Signed-off-by: sgrubb <sgrubb at redhat.com>
>>> > ---
>>> >
>>> > include/asm-generic/audit_dir_write.h | 4 ++++
>>> > include/asm-generic/audit_write.h | 3 +++
>>> > 2 files changed, 7 insertions(+)
>>>
>>> FWIW, I expect that this syscall list is almost always going to be out
>>> of date; it's just the way this feature is designed. That doesn't
>>> mean I'm not going to merge fixes, I just want to make sure
>>> expectations are set accordingly.
>>
>> I understand...but we are years behind. I just wanted to close the gap on a
>> couple obvious syscalls since everyone else is busy with more important bugs.
>
> No worries, I'm perfectly fine with chipping away at things, I just
> wanted to make sure that people aren't expecting this to be current.
> The way it's designed I can almost guarantee it will always lag.
>
>>> I don't really care either way, this just struck me as odd and I want to
>>> make sure you have a good reason (hint: add it to the patch
>>> description).
>>
>> Understandable. But its close enough to ftruncate that I think it qualifies.
>
> That's fine, I didn't feel very strongly about it either way. I'll
> merge this tomorrow when I'm back in front of the system with my audit
> kernel repo.
Merged into audit/next.
--
paul moore
www.paul-moore.com
More information about the Linux-audit
mailing list