On Thu, Oct 31, 2024 at 9:08 PM Thiébaud Weksteen <tweek@xxxxxxxxxx> wrote:
>
> > On Oct 22, 2024 "Thiébaud Weksteen" <tweek@xxxxxxxxxx> wrote:

...

> > > diff --git a/security/lsm_audit.c b/security/lsm_audit.c
> > > index 849e832719e2..b6544024f688 100644
> > > --- a/security/lsm_audit.c
> > > +++ b/security/lsm_audit.c
> > > @@ -425,6 +425,9 @@ static void dump_common_audit_data(struct audit_buffer *ab,
> > > case LSM_AUDIT_DATA_ANONINODE:
> > > audit_log_format(ab, " anonclass=%s", a->u.anonclass);
> > > break;
> > > + case LSM_AUDIT_DATA_NLMSGTYPE:
> > > + audit_log_format(ab, " nlmsg_type=%hu", a->u.nlmsg_type);
> > > + break;
> >
> > Based on the audit field dictionary, link below, it appears that netlink
> > related fields follow the "nlnk-XXX" pattern, and while I don't recall
> > any current users in the kernel, it seems like sticking with that pattern
> > is probably a good idea. With that in mind, what do you think about
> > changing "nlmsg_type" into "nlnk-msgtype"?
>
> Thanks Paul, I wasn't aware of this list. I found one example of a
> netlink field in kernel/audit.c (function audit_log_multicast), which
> was added in commit 9d2161bed4e39. The field is 'nl-mcgrp'. The name
> was changed from nlnk-grp between v4 and v5 of the patch, but I can't
> seem to find the reasoning.

I suspect there was a concern about the size of the record. There are
some audit folks that are extremely sensitive about audit record sizes
due to heavy logging, processing, and retention issues. I'm not overly
convinced that a few bytes in an infrequent record are that big of a
deal, but who knows ...

The bigger issue is that we have some actual precedence in the code for
using "nl-XXX", which seems as good a reason as any to use "nl-msgtype".

> Do you know if 'nlnk-fam' and 'nlnk-pid' were deprecated/removed at some point?

I can't say for certain without really digging through the git history.
For whatever it is worth, I just did a quick search for "nlnk" in the
'git log -p kernel/audit.c' and didn't see anything.

> I don't mind either way. If you think 'nlnk-msgtype' (or 'nl-msgtype')
> is more consistent with the other audit fields, I'm happy to send an
> updated version.

Based on what you found, I think "nl-msgtype" is the right answer, I'll
follow up on your v2 patch posting.
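Review bot: the field name in the added audit_log_format() call, " nlmsg_type=%hu", does not follow the prefix already used by the only existing netlink field in the kernel audit code (audit_log_multicast in kernel/audit.c logs 'nl-mcgrp'), so parsers keyed on the audit field dictionary would see an inconsistent name; change the format string to " nl-msgtype=%hu" as agreed in the thread. The new LSM_AUDIT_DATA_NLMSGTYPE case and a->u.nlmsg_type are only referenced here, not declared, so the matching enum value and union member in the lsm_audit header must be part of the same series or this hunk will not compile on its own.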
--
paul-moore.com