On Mon, Oct 16, 2017 at 3:10 PM, Paul Moore <p...@paul-moore.com> wrote: > On Thu, Oct 12, 2017 at 11:24 PM, Steve Grubb <sgr...@redhat.com> wrote: >> The audit subsystem allows selecting audit events based on watches for >> a particular behavior like writing to a file. A lot of syscalls have >> been added without updating the list. This patch adds 2 syscalls to the >> write filters: fallocate and renameat2. >> >> Signed-off-by: sgrubb <sgr...@redhat.com> >> --- >> include/asm-generic/audit_dir_write.h | 4 ++++ >> include/asm-generic/audit_write.h | 3 +++ >> 2 files changed, 7 insertions(+) > > FWIW, I expect that this syscall list is almost always going to be out > of date; it's just the way this feature is designed. That doesn't > mean I'm not going to merge fixes, I just want to make sure > expectations are set accordingly. > > Before I merge this Steve, can you explain why fallocate() should be > on the write list? It doesn't actually write any user data to disk, > it actually doesn't write anything, all it does is play with the > amount of space allocated for the given fd on the storage device. I > don't really care either way, this just struck me as odd and I want to > make sure you have a good reason (hint: add it to the patch > description).
Oh, one more thing; it's administrative and not tied to a particular patch ... there is no need to add write "PATCH 1/1" when there is just one patch, a simple "PATCH" is sufficient. The extra "1/1" just adds a bit of extra work as I need to clean it up before merging; it's not a big deal, but if I still see you doing it a month from now I may have to get a bit salty ;) -- paul moore www.paul-moore.com -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit