Re: [PATCH ALT4 V2 2/2] audit: filter PATH records keyed on filesystem magic

On 2017-05-30 17:30, Paul Moore wrote: > On Tue, Apr 4, 2017 at 5:21 AM, Richard Guy Briggs <rgb(a)redhat.com&gt; wrote: > > Tracefs or debugfs were causing hundreds to thousands of PATH records to > > be associated with the init_module and finit_module SYSCALL records on a > > few modules when the following rule was in place for startup: > > -a always,exit -F arch=x86_64 -S init_module -F key=mod-load > > > > Provide a method to ignore these large number of PATH records from > > overwhelming the logs if they are not of interest. Introduce a new > > filter list "AUDIT_FILTER_PATH", with a new field type AUDIT_FSTYPE, > > which keys off the filesystem 4-octet hexadecimal magic identifier to > > filter specific filesystem PATH records. > > > > An example rule would look like: > > -a never,path -F fstype=0x74726163 -F key=ignore_tracefs > > -a never,path -F fstype=0x64626720 -F key=ignore_debugfs > > Trying to look into the future I wonder if we are ever going to need > to expand the "path" filtering to regular inode lookups, e.g. > audit_inode()? That thought had occurred to me. Do you see any concern with that that would affect this patch in terms of naming?

I could see expanding this filter to include other filter fields though nothing specific comes to mind now.