Re: [PATCH] audit: reserve a numerical code for AUDIT_ANOM_PATCHED

On Mon, Sep 4, 2017 at 4:27 AM, Vegard Nossum <vegard.nossum(a)oracle.com&gt; wrote: > A few years ago, I suggested a feature dubbed "known exploit detection". > This feature defines an interface that allows kernel developers to add > a tripwire for somebody who tries to exploit a known security hole in > older versions of the kernel. See [1] for an article and the original > discussion. > > [1]: https://lwn.net/Articles/577432/ > > Due to the somewhat controversial nature of this feature, I never pushed > very hard for it to go upstream. However, regardless of whether this code > ever makes it upstream, it would still be useful to reserve a numerical > code for the audit message in order to ensure that private deployments > never conflicts with future upstream kernels. > > I hereby request the reservation of AUDIT_ANOM_PATCHED as code 1703. This > message should be used when userspace makes a request which in previous > (unpatched) versions of the kernel would have allowed the process to > illicitly gain privileges (e.g. arbitrary code execution, etc.). > > Signed-off-by: Vegard Nossum <vegard.nossum(a)oracle.com&gt; > --- > include/uapi/linux/audit.h | 1 + > 1 file changed, 1 insertion(+) In general I'm opposed to reserving audit message IDs for kernel code that hasn't been accepted upstream and I don't yet see a compelling reason to do so here.