[RFC PATCH 2/9] audit,io_uring,io-wq: add some basic audit support to io_uring
Paul Moore
paul at paul-moore.com
Fri May 28 16:02:58 UTC 2021
On Wed, May 26, 2021 at 4:19 PM Paul Moore <paul at paul-moore.com> wrote:
> ... If we moved the _entry
> and _exit calls into the individual operation case blocks (quick
> openat example below) so that only certain operations were able to be
> audited would that be acceptable assuming the high frequency ops were
> untouched? My initial gut feeling was that this would involve >50% of
> the ops, but Steve Grubb seems to think it would be less; it may be
> time to look at that a bit more seriously, but if it gets a NACK
> regardless it isn't worth the time - thoughts?
>
> case IORING_OP_OPENAT:
> audit_uring_entry(req->opcode);
> ret = io_openat(req, issue_flags);
> audit_uring_exit(!ret, ret);
> break;
I wanted to pose this question again in case it was lost in the
thread, I suspect this may be the last option before we have to "fix"
things at the Kconfig level. I definitely don't want to have to go
that route, and I suspect most everyone on this thread feels the same,
so I'm hopeful we can find a solution that is begrudgingly acceptable
to both groups.
--
paul moore
www.paul-moore.com
More information about the Linux-security-module-archive
mailing list