On Wednesday, January 11, 2017 11:19:42 PM EST Richard Guy Briggs wrote:
 > OK. the code to support this is in svn. However, since we didn't use a
 > feature bit like we normally do, there is absolutely no way to report
 > that the underlying kernel does not support this. It quietly fails and
 > pretends everything is fine. I'd prefer that we had a feature bit to
 > output a proper error message.
 
 Do you still want to switch to CONFIG_CHANGE?  (I think that is a good
 idea.)

Sure.

 I agree detecting this feature is a destructive operation requiring an
 existing lost count and checking the positive return code, but not
 impossible, and would prefer a feature bit.

I'd prefer a feature bit so that I can tell people your kernel doesn't support
this. Audit runs on a large variety of kernels.

 As for audit being immutable, I could see an argument to have this
 feature usable even though the config is locked.  What's your take?

I can see value in resetting the count even when immutable. Perhaps just use
its logging function. So we don't have a new record type.

-Steve