On 14/10/29, Eric Paris wrote: > On Wed, 2014-10-29 at 17:54 -0400, Richard Guy Briggs wrote: > > On 14/10/29, Steve Grubb wrote: > > > On Wednesday, October 29, 2014 03:48:40 PM Richard Guy Briggs wrote: > > > > On 14/10/21, Paul Moore wrote: > > > > > > > Can anyone think of anything else that might be affected by this? > > > > > > > > > > > > No one uses this stuff, just change it. > > > > > > > > > > Yes, but I feel like I need to at least ask the question; how much > > > > > attention I pay to the answers is something else ... > > > > > > > > I'm still skeptical this won't blow up... Like the capabilities bitmap > > > > did. I suspect there isn't agreement on what constitutes a feature. > > > > > > Anything major that user space would have to know about to determine if > > > its > > > supported. If you don't know, just ask if we need to add a bit to the > > > bitmap. > > > Some examples, adding the object comparison engine, adding the loginuid- > > > immutable feature, if we added filtering on TTY that would also qualify > > > (not > > > asking for that). Otherwise, user space get EINVAL on the netlink > > > operation > > > which is not useful in explaining why the command was rejected. > > > > Well, I guess this falls under Linus' "thou shalt not break userspace", > > but it would certainly be tempting to change some of those to > > EOPNOTSUPP. > > You only break userspace if something breaks :)
So which scratch monkey do we mount before sending it upstream? We saw how actually allowing CAP_AUDIT_WRITE from non-init PID namespaces backfired on us in stuff which didn't use audit before... - RGB -- Richard Guy Briggs <rbri...@redhat.com> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit