[arch-dev-public] perf-trace missing due to a dependency on libaudit
Daniel Micay
danielmicay at gmail.com
Tue Aug 26 16:58:51 EDT 2014
On 26/08/14 03:47 PM, Jan Alexander Steffens wrote:
> On Wed, May 7, 2014 at 4:11 PM, Daniel Micay <danielmicay at gmail.com> wrote:
>> RBAC also allows quite a bit of auditing with the grsecurity audit
>> infrastructure. You can audit attempts to make use of a certain path,
>> capability, IP protocol, etc. Of course, this assumes you have a basic
>> working RBAC policy for tacking on allowed + audited policies or
>> disallowed + audited policies. So CONFIG_AUDIT=Y is a lot less useful.
>
> I'm sad that AUDIT was disabled. It provided /proc/self/loginuid,
> which I used in my shell scripts.
>
> loginuid is also used by glibc's getlogin(3), which now no longer
> works unless the user is logged in on their terminal. In managed X
> sessions that's often not the case, resulting in bugs like
> https://bugs.archlinux.org/task/40975 .
I don't think the justification for removing it was good (log spam), but
there are good reasons for avoiding AUDITSYSCALL. It forces all system
calls on the system call slow path, which has significant overhead. The
ugly implementation is also a big security risk.
http://lwn.net/Articles/600568/
https://fedorahosted.org/fesco/ticket/1311
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.archlinux.org/pipermail/arch-dev-public/attachments/20140826/ac80fffd/attachment.asc>
More information about the arch-dev-public
mailing list