[arch-dev-public] perf-trace missing due to a dependency on libaudit

newer
[arch-dev-public] Signoff report...

older
[arch-dev-public] Signoff report...

Daniel Micay

5 May 2014 5 May '14

2:56 a.m.

Sadly, the `perf trace` command has a dependency on libaudit for a few convenience functions. I'm curious about what people feel the best approach would be here... adding back audit to [community] is ugly since it's not going to work, but building it and statically linking it in the linux-tools package is overly complex. The lesser evil seems to be adding only a libaudit package... but it's still not going to work if someone tries to use it for what it's intended to do. I'll probably go with this if there's no saner idea.

Attachments:

signature.asc (application/pgp-signature — 836 bytes)

Show replies by date

Connor Behan

7 May 7 May

1:28 p.m.

New subject: [arch-dev-public] perf-trace missing due to a dependency on libaudit

...

Sadly, the `perf trace` command has a dependency on libaudit for a few convenience functions. I'm curious about what people feel the best approach would be here... adding back audit to [community] is ugly since it's not going to work, but building it and statically linking it in the linux-tools package is overly complex.

The lesser evil seems to be adding only a libaudit package... but it's still not going to work if someone tries to use it for what it's intended to do. I'll probably go with this if there's no saner idea. Why not enable audit in your linux-grsec package? Then you can make

On 07/05/14 01:07 AM, Daniel Micay wrote: linux-grsec an optional dependency of the audit userspace tools for people who want to use more than just the convenience functions. I still have an occasional use for audit and the overhead it adds to the kernel is negligible compared to grsecurity itself.

Daniel Micay

6:06 p.m.

New subject: [arch-dev-public] perf-trace missing due to a dependency on libaudit

On 07/05/14 05:28 AM, Connor Behan wrote:

...

...
Sadly, the `perf trace` command has a dependency on libaudit for a few convenience functions. I'm curious about what people feel the best approach would be here... adding back audit to [community] is ugly since it's not going to work, but building it and statically linking it in the linux-tools package is overly complex.

The lesser evil seems to be adding only a libaudit package... but it's still not going to work if someone tries to use it for what it's intended to do. I'll probably go with this if there's no saner idea. Why not enable audit in your linux-grsec package? Then you can make

On 07/05/14 01:07 AM, Daniel Micay wrote: linux-grsec an optional dependency of the audit userspace tools for people who want to use more than just the convenience functions. I still have an occasional use for audit and the overhead it adds to the kernel is negligible compared to grsecurity itself.

I don't really want to deviate from the [core] kernel on any of the non-grsecurity-related options, and CONFIG_AUDIT is only tangentially related. It's also not required for perf-trace (only libaudit is). I'll consider it and might change my mind though. The grsecurity auditing has sysctl switches to turn it all off, so it doesn't cause the log "spam" problem people dislike. The only default logging is when policies are actually violated and processes get killed.

Daniel Micay

6:11 p.m.

New subject: [arch-dev-public] perf-trace missing due to a dependency on libaudit

On 07/05/14 05:28 AM, Connor Behan wrote:

...

...
Sadly, the `perf trace` command has a dependency on libaudit for a few convenience functions. I'm curious about what people feel the best approach would be here... adding back audit to [community] is ugly since it's not going to work, but building it and statically linking it in the linux-tools package is overly complex.

The lesser evil seems to be adding only a libaudit package... but it's still not going to work if someone tries to use it for what it's intended to do. I'll probably go with this if there's no saner idea. Why not enable audit in your linux-grsec package? Then you can make

On 07/05/14 01:07 AM, Daniel Micay wrote: linux-grsec an optional dependency of the audit userspace tools for people who want to use more than just the convenience functions. I still have an occasional use for audit and the overhead it adds to the kernel is negligible compared to grsecurity itself.

RBAC also allows quite a bit of auditing with the grsecurity audit infrastructure. You can audit attempts to make use of a certain path, capability, IP protocol, etc. Of course, this assumes you have a basic working RBAC policy for tacking on allowed + audited policies or disallowed + audited policies. So CONFIG_AUDIT=Y is a lot less useful.

Jan Alexander Steffens

26 Aug 26 Aug

11:47 p.m.

New subject: [arch-dev-public] perf-trace missing due to a dependency on libaudit

On Wed, May 7, 2014 at 4:11 PM, Daniel Micay wrote:

...

RBAC also allows quite a bit of auditing with the grsecurity audit infrastructure. You can audit attempts to make use of a certain path, capability, IP protocol, etc. Of course, this assumes you have a basic working RBAC policy for tacking on allowed + audited policies or disallowed + audited policies. So CONFIG_AUDIT=Y is a lot less useful.

I'm sad that AUDIT was disabled. It provided /proc/self/loginuid, which I used in my shell scripts. loginuid is also used by glibc's getlogin(3), which now no longer works unless the user is logged in on their terminal. In managed X sessions that's often not the case, resulting in bugs like https://bugs.archlinux.org/task/40975 .

Daniel Micay

27 Aug 27 Aug

12:58 a.m.

New subject: [arch-dev-public] perf-trace missing due to a dependency on libaudit

On 26/08/14 03:47 PM, Jan Alexander Steffens wrote:

...

On Wed, May 7, 2014 at 4:11 PM, Daniel Micay wrote:

...
RBAC also allows quite a bit of auditing with the grsecurity audit infrastructure. You can audit attempts to make use of a certain path, capability, IP protocol, etc. Of course, this assumes you have a basic working RBAC policy for tacking on allowed + audited policies or disallowed + audited policies. So CONFIG_AUDIT=Y is a lot less useful.

I'm sad that AUDIT was disabled. It provided /proc/self/loginuid, which I used in my shell scripts.

loginuid is also used by glibc's getlogin(3), which now no longer works unless the user is logged in on their terminal. In managed X sessions that's often not the case, resulting in bugs like https://bugs.archlinux.org/task/40975 .

I don't think the justification for removing it was good (log spam), but there are good reasons for avoiding AUDITSYSCALL. It forces all system calls on the system call slow path, which has significant overhead. The ugly implementation is also a big security risk. http://lwn.net/Articles/600568/ https://fedorahosted.org/fesco/ticket/1311

Sébastien Luttringer

8 May 8 May

3:25 a.m.

New subject: [arch-dev-public] perf-trace missing due to a dependency on libaudit

On 05/05/2014 00:56, Daniel Micay wrote:

...

The lesser evil seems to be adding only a libaudit package... but it's still not going to work if someone tries to use it for what it's intended to do. I'll probably go with this if there's no saner idea. I think it's a good thing to restore "perf trace" functionality. Don't care if you add audit or libaudit.

Nevertheless, I think we could have discuss that inside a perf bug report. -- Sébastien "Seblu" Luttringer https://seblu.net | Twitter: @seblu42 GPG: 0x2072D77A

Sébastien Luttringer

26 Aug 26 Aug

1:18 p.m.

New subject: [arch-dev-public] perf-trace missing due to a dependency on libaudit

On 05/05/2014 00:56, Daniel Micay wrote:

...

Sadly, the `perf trace` command has a dependency on libaudit for a few convenience functions. I'm curious about what people feel the best approach would be here... adding back audit to [community] is ugly since it's not going to work, but building it and statically linking it in the linux-tools package is overly complex.

The lesser evil seems to be adding only a libaudit package... but it's still not going to work if someone tries to use it for what it's intended to do. I'll probably go with this if there's no saner idea.

I get a new request[1] about "perf trace" functionality. Are you going to add libaudit to community? Cheers, [1] https://bugs.archlinux.org/task/41690 -- Sébastien "Seblu" Luttringer https://seblu.net GPG: 0x2072D77A

Sébastien Luttringer

24 Sep 24 Sep

1:02 a.m.

New subject: [arch-dev-public] perf-trace missing due to a dependency on libaudit

On 26/08/2014 11:18, Sébastien Luttringer wrote:

...

On 05/05/2014 00:56, Daniel Micay wrote:

...
The lesser evil seems to be adding only a libaudit package... but it's still not going to work if someone tries to use it for what it's intended to do. I'll probably go with this if there's no saner idea.

I get a new request[1] about "perf trace" functionality. Are you going to add libaudit to community?

Cheers,

[1] https://bugs.archlinux.org/task/41690

Daniel may I have an answer? Cheers, -- Sébastien "Seblu" Luttringer https://seblu.net | Twitter: @seblu42 GPG: 0x2072D77A

3503

Age (days ago)

3645

Last active (days ago)

List overview

Download

8 comments

4 participants

participants (4)

Connor Behan
Daniel Micay
Jan Alexander Steffens
Sébastien Luttringer