vfs_full_audit annoyances on major version upgrades

[Andrew Bartlett]

On Fri, 2021-03-26 at 08:38 -0400, Andrew Walker via samba-technical
wrote:
> I've noticed that several users (including one in the samba lists just now)
> got bitten by vfs_full_audit on major version upgrades. Due to VFS
> modernization, user's full_audit:success / failure configuration strings
> may be invalid post-upgrade. A concrete example is "full_audit:success =
> unlink". What makes this particularly painful is that full_audit will
> default to logging _everything_ if it encounters an unrecognized parameter.
> 
> What do you think of doing something like the following:
> https://github.com/truenas/ports/blob/truenas/12.0-stable/net/samba/files/patch-source3__modules__vfs_full_audit.c
> 
> Basically:
> 1) expand table for vfs_op_names to include an "old" name to use for
> lookups as well (so that "unlink" logs "unlinkat")
> 2) fail Tree Connect with a concrete error message printed at DBG_ERR if
> logging parameters are invalid.

There certainly is a good case to be made that the difference between
rename and renameat is not important for the audit logs, so shouldn't
be exposed to the user.

I've not looked at the code, but other than the name is there any
difference in what is output?  If not, then an alias makes a lot of
sense.

I also agree that failing to start up is a much better option than
abandoning the logging filter.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Developer, Catalyst IT    https://catalyst.net.nz/services/samba