Re: [PATCH] filter: add path filter with fstype

On 2017-06-12 20:28, Steve Grubb wrote: > Hello, Hi (swapping in this task after > 2 months...) > This patch needs to be refactored to match the current count of error messages > in err_msgtab. > > What error message is emitted when run on a kernel that does not support the > new filter? -36 (which needs re-checking now that ghau12/ghau21pr has been reworked.) > On Tuesday, April 4, 2017 6:40:18 AM EDT Richard Guy Briggs wrote: > > Tracefs or debugfs were causing hundreds to thousands of PATH records to > > be associated with the init_module and finit_module SYSCALL records on a > > few modules when the following rule was in place for startup: > > -a always,exit -F arch=x86_64 -S init_module -F key=mod-load > > > > Add the new "path" filter list anchored in __audit_inode_child() to > > filter out PATH records from uninteresting filesystem types, "fstype", > > keying on their kernel hexadecimal 4-octet magic identifier. > > > > An example rule would look like: > > -a never,path -F fstype=0x74726163 -F key=ignore_tracefs > > -a never,path -F fstype=0x64626720 -F key=ignore_debugfs > > Are we sure path is the best name for this filter? Is there something more > precise like filesystem? It is filesystem type that we are filtering, but there may be a use case to filter on another factor later, so like the "type" filter that really is the "exclude" filter, let's not make that mistake again. I wrestled with that for a while and kept coming back to "path" filter due to the fact that it was a path record that was affected. At the moment it is only active on audit_inode_child, but I could potentially see it being active on audit_inode as well.