Re: [RFC PATCH 2/2] [WIP] audit: allow other filter list types for AUDIT_DIR

2018-06-01 Thread Ondrej Mosnacek
2018-05-31 22:52 GMT+02:00 Richard Guy Briggs : > On 2018-05-30 10:45, Ondrej Mosnacek wrote: >> This patch allows the AUDIR_DIR field to be used also with the exclude >> filter. >> >> Not-yet-signed-off-by: Ondrej Mosnacek >> --- >> kernel/audit.c | 5 +++-- >> kernel/audit.h | 32 +

Re: [RFC PATCH ghak89 V1] audit: rename FILTER_TYPE to FILTER_EXCL

2018-06-01 Thread Steve Grubb
On Thursday, May 31, 2018 6:21:20 PM EDT Richard Guy Briggs wrote: > On 2018-05-31 17:29, Steve Grubb wrote: > > On Thursday, May 31, 2018 4:23:09 PM EDT Richard Guy Briggs wrote: > > > The AUDIT_FILTER_TYPE name is vague and misleading due to not > > > describing > > > where or when the filter is

Re: [RFC PATCH ghak89 V1] audit: rename FILTER_TYPE to FILTER_EXCL

2018-06-01 Thread Richard Guy Briggs
On 2018-06-01 12:55, Steve Grubb wrote: > On Thursday, May 31, 2018 6:21:20 PM EDT Richard Guy Briggs wrote: > > On 2018-05-31 17:29, Steve Grubb wrote: > > > On Thursday, May 31, 2018 4:23:09 PM EDT Richard Guy Briggs wrote: > > > > The AUDIT_FILTER_TYPE name is vague and misleading due to not > >

Re: [RFC PATCH ghak89 V1] audit: rename FILTER_TYPE to FILTER_EXCL

2018-06-01 Thread Steve Grubb
On Friday, June 1, 2018 1:58:34 PM EDT Richard Guy Briggs wrote: > On 2018-06-01 12:55, Steve Grubb wrote: > > On Thursday, May 31, 2018 6:21:20 PM EDT Richard Guy Briggs wrote: > > > On 2018-05-31 17:29, Steve Grubb wrote: > > > > On Thursday, May 31, 2018 4:23:09 PM EDT Richard Guy Briggs wrote:

Re: [RFC PATCH ghak89 V1] audit: rename FILTER_TYPE to FILTER_EXCL

2018-06-01 Thread Richard Guy Briggs
On 2018-06-01 15:03, Steve Grubb wrote: > On Friday, June 1, 2018 1:58:34 PM EDT Richard Guy Briggs wrote: > > On 2018-06-01 12:55, Steve Grubb wrote: > > > On Thursday, May 31, 2018 6:21:20 PM EDT Richard Guy Briggs wrote: > > > > On 2018-05-31 17:29, Steve Grubb wrote: > > > > > On Thursday, May

Re: [RFC PATCH ghak89 V1] audit: rename FILTER_TYPE to FILTER_EXCL

2018-06-01 Thread Steve Grubb
On Friday, June 1, 2018 3:12:15 PM EDT Richard Guy Briggs wrote: > On 2018-06-01 15:03, Steve Grubb wrote: > > On Friday, June 1, 2018 1:58:34 PM EDT Richard Guy Briggs wrote: > > > On 2018-06-01 12:55, Steve Grubb wrote: > > > > On Thursday, May 31, 2018 6:21:20 PM EDT Richard Guy Briggs wrote: >

Re: [PATCH 8/8] ima: Differentiate auditing policy rules from "audit" actions

2018-06-01 Thread Stefan Berger
On 05/30/2018 07:34 PM, Richard Guy Briggs wrote: On 2018-05-30 17:38, Stefan Berger wrote: On 05/30/2018 05:22 PM, Paul Moore wrote: On Wed, May 30, 2018 at 9:08 AM, Stefan Berger wrote: On 05/30/2018 08:49 AM, Richard Guy Briggs wrote: On 2018-05-24 16:11, Stefan Berger wrote: The AUDIT_I

Re: [RFC PATCH 2/2] [WIP] audit: allow other filter list types for AUDIT_DIR

2018-06-01 Thread Richard Guy Briggs
On 2018-06-01 10:12, Ondrej Mosnacek wrote: > 2018-05-31 22:52 GMT+02:00 Richard Guy Briggs : > > On 2018-05-30 10:45, Ondrej Mosnacek wrote: > >> This patch allows the AUDIR_DIR field to be used also with the exclude > >> filter. > >> > >> Not-yet-signed-off-by: Ondrej Mosnacek > >> --- > >> ker

Re: [PATCH 8/8] ima: Differentiate auditing policy rules from "audit" actions

2018-06-01 Thread Paul Moore
On Fri, Jun 1, 2018 at 4:00 PM, Stefan Berger wrote: > On 05/30/2018 07:34 PM, Richard Guy Briggs wrote: >> >> On 2018-05-30 17:38, Stefan Berger wrote: >>> >>> On 05/30/2018 05:22 PM, Paul Moore wrote: On Wed, May 30, 2018 at 9:08 AM, Stefan Berger wrote: > > On 05/30/2018

Re: [RFC PATCH ghak89 V1] audit: rename FILTER_TYPE to FILTER_EXCL

2018-06-01 Thread Richard Guy Briggs
On 2018-06-01 15:37, Steve Grubb wrote: > On Friday, June 1, 2018 3:12:15 PM EDT Richard Guy Briggs wrote: > > On 2018-06-01 15:03, Steve Grubb wrote: > > > On Friday, June 1, 2018 1:58:34 PM EDT Richard Guy Briggs wrote: > > > > On 2018-06-01 12:55, Steve Grubb wrote: > > > > > On Thursday, May 31

Re: [PATCH 8/8] ima: Differentiate auditing policy rules from "audit" actions

2018-06-01 Thread Paul Moore
On Fri, Jun 1, 2018 at 4:13 PM, Paul Moore wrote: > On Fri, Jun 1, 2018 at 4:00 PM, Stefan Berger > wrote: >> On 05/30/2018 07:34 PM, Richard Guy Briggs wrote: >>> >>> On 2018-05-30 17:38, Stefan Berger wrote: On 05/30/2018 05:22 PM, Paul Moore wrote: > > On Wed, May 30, 2018 at

[PATCH ghak89 V2] audit: rename FILTER_TYPE to FILTER_EXCLUDE

2018-06-01 Thread Richard Guy Briggs
The AUDIT_FILTER_TYPE name is vague and misleading due to not describing where or when the filter is applied and obsolete due to its available filter fields having been expanded. Userspace has already renamed it from AUDIT_FILTER_TYPE to AUDIT_FILTER_EXCLUDE without checking if it already exists.

Re: [PATCH 8/8] ima: Differentiate auditing policy rules from "audit" actions

2018-06-01 Thread Stefan Berger
On 06/01/2018 04:13 PM, Paul Moore wrote: On Fri, Jun 1, 2018 at 4:00 PM, Stefan Berger wrote: On 05/30/2018 07:34 PM, Richard Guy Briggs wrote: On 2018-05-30 17:38, Stefan Berger wrote: On 05/30/2018 05:22 PM, Paul Moore wrote: On Wed, May 30, 2018 at 9:08 AM, Stefan Berger wrote: On 05/3

Re: [RFC PATCH ghak32 V2 01/13] audit: add container id

2018-06-01 Thread Richard Guy Briggs
On 2018-05-17 17:00, Steve Grubb wrote: > On Fri, 16 Mar 2018 05:00:28 -0400 > Richard Guy Briggs wrote: > > > Implement the proc fs write to set the audit container ID of a > > process, emitting an AUDIT_CONTAINER record to document the event. > > > > This is a write from the container orchestr

Re: [RFC PATCH ghak86 V1] audit: use audit_enabled as a boolean where convenient

2018-06-01 Thread Paul Moore
On Thu, May 31, 2018 at 12:38 PM, Richard Guy Briggs wrote: > On 2018-05-31 11:48, Paul Moore wrote: >> On Thu, May 31, 2018 at 11:13 AM, Richard Guy Briggs wrote: >> > Most uses of audit_enabled don't care about the distinction between >> > AUDIT_ON and AUDIT_LOCKED, so using audit_enabled as a