From: Paul Moore
Date: Mon, 2 Jan 2017 17:55:16 -0500
Subject: Re: [PATCH 2/2] seccomp: Audit SECCOMP_RET_ERRNO actions with errno values
To: Steve Grubb
Cc: Tyler Hicks, linux-audit@redhat.com, Eric Paris, Kees Cook, Andy Lutomirski, Will Drewry, linux-kernel@vger.kernel.org
In-Reply-To: <1540151.sullFKCz8n@x2>
References: <1483375990-14948-1-git-send-email-tyhicks@canonical.com> <5284369.V7krsaxZyN@x2> <20170102174246.GA17677@sec> <1540151.sullFKCz8n@x2>

On Mon, Jan 2, 2017 at 1:49 PM, Steve Grubb wrote:
> On Monday, January 2, 2017 5:42:47 PM EST Tyler Hicks wrote:
>> On 2017-01-02 12:20:53, Steve Grubb wrote:
>> > On Monday, January 2, 2017 4:53:10 PM EST Tyler Hicks wrote:

...

>> Thanks for having a look at the field name I was using. Although I
>> prefer "errno" over "exit" in terms of clarity, I agree that it makes
>> sense to be consistent with the field names across record types. "exit"
>> works for me.

FWIW, we have a nice (searchable due to GitHub CSV magic) audit field
database at the link below. I will admit that it may be a bit crusty in
places, but we are making a new effort to keep it updated; if you notice
anything wrong, send email and/or a PR.

* https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv

>> > http://people.redhat.com/sgrubb/files/auformat.tar.gz
>> >
>> > $ ausearch --start today --just-one -m syscall -sv no --raw | ./auformat "%EXIT\n"
>> >
>> > Also, I am working to normalize all the records. That means every event
>> > record of the same type has the same fields, in the same order, with the
>> > same representation. I would think "exit" could be added to the current
>> > record after syscall so that it's ordered similarly to a syscall record.
>>
>> This patch goes against your normalization efforts in more ways than
>> just the placement of the "exit" field. If the action is
>> SECCOMP_RET_KILL, a "sig" field is present but if the action is
>> SECCOMP_RET_ERRNO, the "sig" field will not be present but the "errno"
>> field will be present. This happens all within the AUDIT_SECCOMP record
>> type. How would you suggest normalizing AUDIT_SECCOMP records for
>> different seccomp return actions?
>
> Typically when the layout has to change, we just give it a new record type.

I'm going to be very loath to accept any new record types that *only*
reorder fields; if you need to add a new field, simply add it to the end
of the record. From my perspective new record types are really only an
option if we need to remove a field that is bogus/confusing or some other
similar case that is not easily solved. New record types are a last
resort.

-- 
paul moore
www.paul-moore.com
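Added example, not code from the patch or from any message in this thread: a minimal C program that installs the kind of seccomp filter the patch series is concerned with, one whose action for a chosen syscall is SECCOMP_RET_ERRNO with the errno value packed into the low (SECCOMP_RET_DATA) bits of the action word. That packed errno is the value the thread discusses reporting in the AUDIT_SECCOMP record as "exit". The choice of getppid() as the filtered syscall and EACCES as the returned errno is arbitrary, the arch check that kills the process on a foreign ABI is a precaution I added, and the program only shows what the calling process observes; what the kernel logs for the action depends on the kernel version and audit configuration and is not reproduced here. Linux only.

```c
/* Added example: install a seccomp BPF filter whose action is SECCOMP_RET_ERRNO
 * for one syscall, then observe the errno the caller gets back. Not part of the
 * patch under discussion; syscall (getppid) and errno (EACCES) are arbitrary. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Syscall numbers are per-ABI, so the filter must check the arch first. */
#if defined(__x86_64__)
#  define SECCOMP_ARCH AUDIT_ARCH_X86_64
#elif defined(__i386__)
#  define SECCOMP_ARCH AUDIT_ARCH_I386
#elif defined(__aarch64__)
#  define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define ERRNO_FILTER_LEN 7

/* The action word returned by the filter: SECCOMP_RET_ERRNO in the action
 * bits, the errno in the SECCOMP_RET_DATA bits. This low half is the errno
 * value the thread talks about reporting in the audit record. */
unsigned int seccomp_errno_action(int err)
{
    return SECCOMP_RET_ERRNO | ((unsigned int)err & SECCOMP_RET_DATA);
}

/* Build a program that fails syscall `nr` with `err` and allows everything
 * else. `out` must have room for ERRNO_FILTER_LEN instructions; the count
 * written is returned. */
size_t build_errno_filter(int nr, int err, struct sock_filter *out)
{
    struct sock_filter prog[ERRNO_FILTER_LEN] = {
        /* Kill if the arch does not match the one we assembled numbers for. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Match the syscall number; on a hit return the errno action. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, seccomp_errno_action(err)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    memcpy(out, prog, sizeof prog);
    return sizeof prog / sizeof prog[0];
}

/* Returns 0 on success, -1 (with errno set) if the kernel refused the filter. */
int install_errno_filter(int nr, int err)
{
    struct sock_filter insns[ERRNO_FILTER_LEN];
    struct sock_fprog fprog;

    fprog.len = (unsigned short)build_errno_filter(nr, err, insns);
    fprog.filter = insns;
    /* Mandatory for unprivileged callers, and it stops the filter being
     * shed across a setuid exec. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Issue getppid() through syscall(2) and report its errno, 0 on success. */
int probe_getppid_errno(void)
{
    errno = 0;
    if (syscall(SYS_getppid) == -1)
        return errno;
    return 0;
}

int main(void)
{
    printf("before filter: getppid errno=%d\n", probe_getppid_errno());
    if (install_errno_filter(SYS_getppid, EACCES) != 0) {
        perror("install_errno_filter");
        return 1;
    }
    /* The errno seen here is exactly the value packed into the action word. */
    printf("after filter:  getppid errno=%d (EACCES=%d)\n",
           probe_getppid_errno(), EACCES);
    return 0;
}
```

Once the filter is installed it cannot be removed from the process, so run this in a throwaway process; the errno in the action word is what the filter author chose, not something the kernel derives, which is why a record that reports it as "exit" is useful to whoever is reading the audit trail.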