On Thu, Nov 17, 2016 at 9:27 PM, Richard Guy Briggs <[email protected]> wrote:
> On 2016-11-17 18:34, Paul Moore wrote:
>> On Tue, Nov 15, 2016 at 3:49 AM, Richard Guy Briggs <[email protected]> wrote:
>> > On 2016-11-14 15:17, Paul Moore wrote:
>> >> On Thu, Nov 10, 2016 at 1:41 AM, Richard Guy Briggs <[email protected]>
>> >> wrote:
>> >> > The value (unsigned int)-1 is used as a sentinel to indicate the
>> >> > sessionID is unset. Skip this value when the session_id value wraps.
>> >> >
>> >> > Signed-off-by: Richard Guy Briggs <[email protected]>
>> >> > ---
>> >> > kernel/auditsc.c | 5 ++++-
>> >> > 1 files changed, 4 insertions(+), 1 deletions(-)
>> >>
>> >> Since we haven't merged the session ID kernel patches into audit#next
>> >> yet, why don't you just squash this patch in with the session ID patch
>> >> and resubmit upstream in one nice neat patch.
>> >
>> > This was an existing bug regardless of new functionality added, so the
>> > fix should not be buried in a new feature patch.
>>
>> No, it's not an existing bug. The existing code simply reports/logs
>> the session ID, it doesn't filter on it, so there are no magic values
>> to worry about.
>
> The existing code autoincrements through sessionID==-1. The existing
> code (ausearch and aureport) reports and logs the sessionID and there
> are existing reporting tools that are able to filter on sessionID even
> though kernel filters don't yet exist for them. Therefore, it is
> possible for the counter to roll and to erroneously report that the
> value is unset.

I hadn't realized that the audit userspace was using this as an unset value.

Anyway, merged.

--
paul moore
www.paul-moore.com
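The wrap behaviour discussed in this thread, as an added userspace illustration (not the patch itself and not kernel code): a naive incrementing allocator returns the `(unsigned int)-1` sentinel once per wrap, while a sentinel-aware one takes the next value instead. C11 atomics stand in for the kernel's atomic counter, and the names `session_counter`, `counter_set`, `next_sessionid_naive`, `next_sessionid_skip` and `count_unset` are hypothetical.

```c
#include <limits.h>
#include <stdatomic.h>
#include <stdio.h>

/* Sentinel meaning "session ID unset", as described in the thread. */
#define SESSIONID_UNSET ((unsigned int)-1)

/* Hypothetical stand-in for the global session ID counter. */
static atomic_uint session_counter;

/* Demo helper: position the counter so the next IDs straddle the wrap. */
void counter_set(unsigned int v) { atomic_store(&session_counter, v); }

/* Naive allocator: increment and return. Hands out the sentinel once per wrap. */
unsigned int next_sessionid_naive(void)
{
    return atomic_fetch_add(&session_counter, 1) + 1;
}

/* Sentinel-aware allocator: if the increment lands on the sentinel,
 * increment once more so no session is ever labelled "unset". */
unsigned int next_sessionid_skip(void)
{
    unsigned int id = atomic_fetch_add(&session_counter, 1) + 1;

    if (id == SESSIONID_UNSET)
        id = atomic_fetch_add(&session_counter, 1) + 1;
    return id;
}

/* Count how many of n consecutive allocations return the sentinel. */
unsigned int count_unset(unsigned int start, unsigned int n,
                         unsigned int (*alloc)(void))
{
    unsigned int hits = 0;

    counter_set(start);
    for (unsigned int i = 0; i < n; i++)
        if (alloc() == SESSIONID_UNSET)
            hits++;
    return hits;
}

int main(void)
{
    unsigned int start = UINT_MAX - 3; /* constructed: just before the wrap */

    printf("naive allocator, sessions reported as unset: %u\n",
           count_unset(start, 8, next_sessionid_naive));
    printf("skip allocator,  sessions reported as unset: %u\n",
           count_unset(start, 8, next_sessionid_skip));
    return 0;
}
```

A reporting tool that treats the sentinel as "unset" would misattribute the one session the naive allocator labels with it; the skip variant never produces that record.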

