From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8EF31C43331 for ; Tue, 24 Mar 2020 00:16:55 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 6747020714 for ; Tue, 24 Mar 2020 00:16:55 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=paul-moore-com.20150623.gappssmtp.com header.i=@paul-moore-com.20150623.gappssmtp.com header.b="Pw/jLYEt" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727691AbgCXAQy (ORCPT ); Mon, 23 Mar 2020 20:16:54 -0400 Received: from mail-ed1-f67.google.com ([209.85.208.67]:43616 "EHLO mail-ed1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727439AbgCXAQw (ORCPT ); Mon, 23 Mar 2020 20:16:52 -0400 Received: by mail-ed1-f67.google.com with SMTP id bd14so4774152edb.10 for ; Mon, 23 Mar 2020 17:16:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=d/2Y64PABVXdc9ONlMpskyvi+SAnumMA7Crj5Bt/DBQ=; b=Pw/jLYEtjS/ATrpjcImP2D5HPDWiFMBcBAxJVSOwIOaspT/epTOM9IydWFzxho9yua oazmW6QWguLgtIbfTk74PkycIDjFDPzKqyzaoh+DhJAVrmkuDU/uAM53LPP8DVs9E40Q tUZMoTzJY+STJT3ur0XbLBaDl6VIvIN8N0+HMJRRBPnxJx3Fysg9dQsHduc19AT8XqUR Z+R5dqyHsad39E8wBrmCN6RWKFaLpPh9SfxtI2Y1DRQLG2Yf+1AwZidHAvD5ViWXYqSy a907RgFuMp40UgoEATMPqB/Btt7FRTYbwdl5UG8XBt+aLoRiYnvjPwNK2Qw9OiPVrwLO +WDg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=d/2Y64PABVXdc9ONlMpskyvi+SAnumMA7Crj5Bt/DBQ=; b=hCSxWyDs4lNTBvfbxawuBb3GyJG1vxh+2+BV5NukSBB+GFou3P4w81xclKE5A8Gn9J UojhW/6twzhD10TsSNBOPpnY8HxDCRx+jspuG9rb+nlV8PzvL8xnpofaSRMia9T2/Fbm Lq18OujzNUAx8xaD+Lsl2s6Vf3gW5oZFbkyweImz24Uv8JyvxMIUdWg1SrnVJGHqUEoo 8RMizqoetTsS9NPvdKCoB+hO/fyUa5qIlnI9UdQzhUYGBHXMWq+spE6MAxZ6sYmWmnbj 8LRTCPZNCZYlrvqPRRjuQuJP6f4iWP0pzFZx9aguT/Voh6njfJuZr4rw9GypZ24qrmAI 1zwQ== X-Gm-Message-State: ANhLgQ3OH25hnGJGnwTHiQ8geSCg3c7642MCVdoADTbkZIDXKOWsBOQ7 sukcUjhwBjHOXVQ+PIOtso9mGnKw6YlObGCCDCDL X-Google-Smtp-Source: ADFU+vsjQok/w3GcfT1LJO6k41X3syl3c/RCvqnEbN1LGDpZdSJHQ9PBkLkvozzz1CLw+59ARBWSon4cJDwpW8rrY9U= X-Received: by 2002:a17:906:4b52:: with SMTP id j18mr13098102ejv.272.1585009010419; Mon, 23 Mar 2020 17:16:50 -0700 (PDT) MIME-Version: 1.0 References: <20200312193037.2tb5f53yeisfq4ta@madcap2.tricolour.ca> <20200313185900.y44yvrfm4zxa5lfk@madcap2.tricolour.ca> <20200318212630.mw2geg4ykhnbtr3k@madcap2.tricolour.ca> <20200318215550.es4stkjwnefrfen2@madcap2.tricolour.ca> <20200319220249.jyr6xmwvflya5mks@madcap2.tricolour.ca> In-Reply-To: <20200319220249.jyr6xmwvflya5mks@madcap2.tricolour.ca> From: Paul Moore Date: Mon, 23 Mar 2020 20:16:38 -0400 Message-ID: Subject: Re: [PATCH ghak90 V8 07/16] audit: add contid support for signalling the audit daemon To: Richard Guy Briggs Cc: Steve Grubb , linux-audit@redhat.com, nhorman@tuxdriver.com, linux-api@vger.kernel.org, containers@lists.linux-foundation.org, LKML , dhowells@redhat.com, netfilter-devel@vger.kernel.org, ebiederm@xmission.com, simo@redhat.com, netdev@vger.kernel.org, linux-fsdevel@vger.kernel.org, Eric Paris , mpatel@redhat.com, Serge Hallyn Content-Type: text/plain; charset="UTF-8" Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org On Thu, Mar 19, 2020 at 6:03 PM Richard Guy Briggs wrote: > On 2020-03-18 18:06, Paul Moore wrote: ... > > I hope we can do better than string manipulations in the kernel. I'd > > much rather defer generating the ACID list (if possible), than > > generating a list only to keep copying and editing it as the record is > > sent. > > At the moment we are stuck with a string-only format. Yes, we are. That is another topic, and another set of changes I've been deferring so as to not disrupt the audit container ID work. I was thinking of what we do inside the kernel between when the record triggering event happens and when we actually emit the record to userspace. Perhaps we collect the ACID information while the event is occurring, but we defer generating the record until later when we have a better understanding of what should be included in the ACID list. It is somewhat similar (but obviously different) to what we do for PATH records (we collect the pathname info when the path is being resolved). -- paul moore www.paul-moore.com