On Wed, 14 Mar 2018, Andy Lutomirski wrote:
> Yes...I wished I was in on the beginning of this discussion. Here's the
> problem. We need all tasks auditable unless specifically dismissed as
> uninteresting. This would be a task,never rule.
>
> The way we look at it, is if it boots with audit=1, then we know auditd
> is expected to run at some point. So, we need all tasks to stay
> auditable. If they weren't and auditd enabled auditing, then we'd need
> to walk the whole proctable and stab TIF_AUDIT_SYSCALL into every
> process in the system. It was decided that this is too ugly.
When was that decided? That's what this patch does.
I'd like to see some more justification as well.
Namely, if I compare "setting TIF_AUDIT_SYSCALL for every process on a
need-to-be-so basis" to "we always go through the slow path and
pessimistically assume that audit is enabled and has a reasonable ruleset
loaded", I have my own (different) opinion of what is too ugly.
Thanks,
--
Jiri Kosina
SUSE Labs