Re: [PATCH V4 (was V6)] audit: use macros for unset inode and device values

From: Paul Moore
Date: Fri Aug 07 2015 - 10:22:24 EST


On Thursday, August 06, 2015 02:31:57 PM Casey Schaufler wrote:
> I remember the Orange Book days when we were *required* to audit by
> dev/inode because it was the only true way to identify the object. Yes,
> it's analogous to auditing the pid, but we had to audit by that, too. The
> dev/indode and pid are the "true" names. Anything else is a hint at what
> you're looking at. I can easily imaging someone who really cares about the
> audit data supplying the dev/inode and pid.

Just to add a bit of clarity, my original question was if there was any value
in exposing the unset/invalid device and inode values, e.g. -1. While I agree
that there is value in auditing by dev/inode, I can't think of a reasonable
situation where the user would need to pass an unset/invalid device and/or
inode value into the kernel as part of an audit configuration command.

--
paul moore
security @ redhat

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/