On Fri, Jul 13, 2018 at 4:53 PM Richard Guy Briggs <rgb(a)redhat.com> wrote:
On 2018-07-12 13:36, Ondrej Mosnacek wrote:
> This new record type is used to log the full path corresponding to some
> important file descriptor used in a syscall.
>
> Signed-off-by: Ondrej Mosnacek <omosnace(a)redhat.com>
> ---
> include/uapi/linux/audit.h | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 4e3eaba84175..d60041ae34a8 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -114,6 +114,7 @@
> #define AUDIT_REPLACE 1329 /* Replace auditd if this packet
unanswerd */
> #define AUDIT_KERN_MODULE 1330 /* Kernel Module events */
> #define AUDIT_FANOTIFY 1331 /* Fanotify access decision */
> +#define AUDIT_FD_PATH 1334 /* File descriptor path info */

The final message type number depends on other work in flight which may
or may not be accepted first, so don't count on this one being the
final. Having said that, we usually use the next number in sequence
unless there is a hard dependence on another patchset.

This will be the maintainer's job to juggle all these when they are
merged upstream. Unfortunately, that will make more work for the
corresponding user library patches that help identify this record type.

Of course, I set it to a different number mainly for easier testing on
my side, I can set it to (previous+1) in the later "production-ready"
patchsets.

> #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
> #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
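
Review bot: the added `AUDIT_FD_PATH` define takes 1334 while the last value in use just above it is `AUDIT_FANOTIFY` at 1331, so 1332 and 1333 are skipped and neither the hunk nor the commit message says what they are held for. Because this header lives under include/uapi, the number is what user space will match on, so either take the next value in sequence or state the reason for the gap in the commit message. The commit message should also name which syscalls emit the record and what "some important file descriptor" refers to, since the comment `File descriptor path info` is the only description of the record in this patch.
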
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
--
Ondrej Mosnacek <omosnace at redhat dot com>
Associate Software Engineer, Security Technologies
Red Hat, Inc.