On 2018-05-31 17:29, Steve Grubb wrote: > On Thursday, May 31, 2018 4:23:09 PM EDT Richard Guy Briggs wrote: > > The AUDIT_FILTER_TYPE name is vague and misleading due to not describing > > where or when the filter is applied and obsolete due to its available > > filter fields having been expanded. > > > > Userspace has already renamed it from AUDIT_FILTER_TYPE to > > AUDIT_FILTER_EXCLUDE without checking if it already exists. > > Historically speaking, this is not why it is the way it is. But I think it > doesn't mean that you cannot do something like this: > > #define AUDIT_FILTER_EXCLUDE AUDIT_FILTER_TYPE
I was originally hoping to do that, but that then causes a build error on any previous version of audit userspace. > It's easy then to add a #ifndef to the userspace code so that there is an > easy migration. I also do not see any compiler warnings with the above in > both /usr/include/linux/audit.h and /usr/include/libaudit.h. I know it would be easy to fix and going forward userspace could adopt the kernel one with #ifndef AUDIT_FILTER_EXCL #define AUDIT_FILTER_EXCL AUDIT_FILTER_TYPE #endif I do have a minor preference for the shorter AUDIT_FILTER_EXCL. The only place in userspace that AUDIT_FILTER_TYPE is used is grabbing the value from the kernel to set AUDIT_FILTER_EXCLUDE, and in two bits of documentation (since that is the published API for libaudit). Might it make sense to still make AUDIT_FILTER_TYPE available for libaudit users, but change over the documentation to use one of the newer forms? > -Steve > > > In order to > > not cause userspace compile problems from duplicate definitions and to > > more accurately and inclusively rename it in the kernel, while providing > > a migration path for userspace, rename it to AUDIT_FILTER_EXCL. > > > > See: https://github.com/linux-audit/audit-kernel/issues/89 > > > > Signed-off-by: Richard Guy Briggs <r...@redhat.com> > > --- > > include/uapi/linux/audit.h | 3 ++- > > kernel/audit.c | 2 +- > > kernel/auditfilter.c | 10 +++++----- > > 3 files changed, 8 insertions(+), 7 deletions(-) > > > > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h > > index 04f9bd2..45dd7ef 100644 > > --- a/include/uapi/linux/audit.h > > +++ b/include/uapi/linux/audit.h > > @@ -156,8 +156,9 @@ > > #define AUDIT_FILTER_ENTRY 0x02 /* Apply rule at syscall entry */ > > #define AUDIT_FILTER_WATCH 0x03 /* Apply rule to file system watches */ > > #define AUDIT_FILTER_EXIT 0x04 /* Apply rule at syscall exit */ > > -#define AUDIT_FILTER_TYPE 0x05 /* Apply rule at audit_log_start */ > > +#define AUDIT_FILTER_EXCL 0x05 /* Apply rule at audit_log_start */ > > #define AUDIT_FILTER_FS 0x06 /* Apply rule at > > __audit_inode_child */ > > +#define AUDIT_FILTER_TYPE AUDIT_FILTER_EXCL /* obsolete misleading naming > > */ > > > > #define AUDIT_NR_FILTERS 7 > > > > diff --git a/kernel/audit.c b/kernel/audit.c > > index 3a18e59..089cede 100644 > > --- a/kernel/audit.c > > +++ b/kernel/audit.c > > @@ -1754,7 +1754,7 @@ struct audit_buffer *audit_log_start(struct > > audit_context *ctx, gfp_t gfp_mask, if (audit_initialized != > > AUDIT_INITIALIZED) > > return NULL; > > > > - if (unlikely(!audit_filter(type, AUDIT_FILTER_TYPE))) > > + if (unlikely(!audit_filter(type, AUDIT_FILTER_EXCL))) > > return NULL; > > > > /* NOTE: don't ever fail/sleep on these two conditions: > > diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c > > index eaa3201..f17a42f5 100644 > > --- a/kernel/auditfilter.c > > +++ b/kernel/auditfilter.c > > @@ -264,7 +264,7 @@ static inline struct audit_entry > > *audit_to_entry_common(struct audit_rule_data * case AUDIT_FILTER_TASK: > > #endif > > case AUDIT_FILTER_USER: > > - case AUDIT_FILTER_TYPE: > > + case AUDIT_FILTER_EXCL: > > case AUDIT_FILTER_FS: > > ; > > } > > @@ -337,7 +337,7 @@ static int audit_field_valid(struct audit_entry *entry, > > struct audit_field *f) { > > switch(f->type) { > > case AUDIT_MSGTYPE: > > - if (entry->rule.listnr != AUDIT_FILTER_TYPE && > > + if (entry->rule.listnr != AUDIT_FILTER_EXCL && > > entry->rule.listnr != AUDIT_FILTER_USER) > > return -EINVAL; > > break; > > @@ -931,7 +931,7 @@ static inline int audit_add_rule(struct audit_entry > > *entry) /* If any of these, don't count towards total */ > > switch(entry->rule.listnr) { > > case AUDIT_FILTER_USER: > > - case AUDIT_FILTER_TYPE: > > + case AUDIT_FILTER_EXCL: > > case AUDIT_FILTER_FS: > > dont_count = 1; > > } > > @@ -1013,7 +1013,7 @@ int audit_del_rule(struct audit_entry *entry) > > /* If any of these, don't count towards total */ > > switch(entry->rule.listnr) { > > case AUDIT_FILTER_USER: > > - case AUDIT_FILTER_TYPE: > > + case AUDIT_FILTER_EXCL: > > case AUDIT_FILTER_FS: > > dont_count = 1; > > } > > @@ -1369,7 +1369,7 @@ int audit_filter(int msgtype, unsigned int listtype) > > break; > > } > > if (result > 0) { > > - if (e->rule.action == AUDIT_NEVER || listtype == > > AUDIT_FILTER_TYPE) > > + if (e->rule.action == AUDIT_NEVER || listtype == > > AUDIT_FILTER_EXCL) > > ret = 0; > > break; > > } > > > > - RGB -- Richard Guy Briggs <r...@redhat.com> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit