[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [PATCH] LSPP audit enablement: storing selinux ocontext and scontext

On Tuesday ٣٠ August ٢٠٠٥ ١٣:٢١, Dustin Kirkland wrote:
> Forwarding a note from Mounir which did not copy linux-audit...
> On Tue, ٢٠٠٥-٠٨-٣٠ at ١٣:٢٠ -٠٥٠٠, Mounir Bsaibes wrote:
> > On Tue, ٢٠٠٥-٠٨-٣٠ at ١٠:١٨ -٠٥٠٠, Dustin Kirkland wrote:
> > > Ok, then anyone who disagrees with failing the syscall speak up now...
> > > If this is the preferred operation, please say so.  Klaus--I, too, am
> > > calling for your input.
> >
> > While it can be one of the configurable options for panic, failing the
> > system call is not enough in all cases. Due to the requirement that the
> > system must not loose audit record, the system must panic, when
> > resources are exhausted. 

But that's just it, if you're not careful when issueing a panic, there _is_ a
potential of record lossage.  Take for instance this case:

	We're in context of a "mkdir()" system call.  We've determined that
	this inode is watched, so then we allocate audit_aux_data memory
	for it to place on the audit context.  The only problem is that we fail
	this memory allocation.  Since the inode has already been created,
	if we panic the system, there will be no record of the transaction.

I have to wonder if the inode even makes it to disk before we panic. But
this assumption is probably a bit shakey.

Refer to: Message-Id: <٢٠٠٥٠٨٢٩١٨٥٠ ٢٣٨٦٧ tinytim us ibm com>


> > Refer to the linux-audit archive of January ٢٠٠٥.
> > https://www.redhat.com/archives/linux-audit/٢٠٠٥-January/msg٠٠٠٣٠.html
> > Similar issue was discussed for what to do when audit log is full and
> > what to do when kernel resources are exhausted.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]