Filter approaches (was: Re: [PATCH] enable /proc/$$/loginuid)

Casey Schaufler casey at schaufler-ca.com
Mon Jan 17 22:53:13 UTC 2005


--- Leigh Purdie <Leigh.Purdie at intersectalliance.com>
wrote:

> So, we have four alternative approaches here I
> think: ...

A better way to look at it might be to have the
kernel deal with the "object policy" view and
have the daemon deal with the "user interface"
view. The kernel should filter on "accesses by
Leigh", and the daemon should filter files named
"*[Pp]urdie*". The kernel has to know that the
daemon wants to see all pathnames and pass them
along, and the daemon has to tell the kernel
what sort of records it needs to look at.

A dumb kernel will overwhelm the daemon, especially
if the daemon is smart. A kernel that tries to do
regular expressions is in trouble. No CAPP policy
is going to use wildcards, and "real" sysadmins
don't care about subject/object modeling.


=====
Casey Schaufler
casey at schaufler-ca.com
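
The split described in the message above, as an added example that is not part of the original post and is not the audit subsystem's code: a cheap exact match on the subject stands in for the kernel-side filter, and a glob on the pathname stands in for the daemon-side filter. The record layout, the uid 500 and the sample records are constructed assumptions.

```c
#include <fnmatch.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed record; these fields are assumptions, not the audit ABI. */
struct rec { unsigned loginuid; const char *path; };

/* Kernel-side stage: one integer compare on the subject, no patterns. */
static int kernel_pass(const struct rec *r, unsigned watched_uid)
{
    return r->loginuid == watched_uid;
}

/* Daemon-side stage: shell-style glob on the pathname, in user space. */
static int daemon_pass(const struct rec *r, const char *glob)
{
    return fnmatch(glob, r->path, 0) == 0;
}

/* Run both stages; count records handed to the daemon and records it keeps. */
static void run(const struct rec *recs, size_t n, unsigned uid,
                const char *glob, size_t *delivered, size_t *kept)
{
    *delivered = *kept = 0;
    for (size_t i = 0; i < n; i++) {
        if (!kernel_pass(&recs[i], uid))
            continue;               /* dropped before it costs the daemon anything */
        ++*delivered;
        if (daemon_pass(&recs[i], glob))
            ++*kept;
    }
}

/* Constructed sample input. */
static const struct rec SAMPLE[] = {
    { 500, "/home/lpurdie/notes.txt" },
    { 500, "/etc/passwd" },
    { 501, "/home/lpurdie/notes.txt" },
    {   0, "/var/log/messages" },
    { 500, "/srv/share/Purdie-report.doc" },
    { 501, "/tmp/scratch" },
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])

int main(void)
{
    size_t delivered, kept;
    run(SAMPLE, SAMPLE_N, 500, "*[Pp]urdie*", &delivered, &kept);
    printf("records=%zu delivered=%zu kept=%zu\n", SAMPLE_N, delivered, kept);
    return 0;
}
```

The daemon only sees the records the subject filter lets through, and the pattern matching stays out of the kernel-side stage.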


		



