[RFC] linux-2.6.10-auditfs-tc1.patch
Darrel Goeddel
dgoeddel at trustedcs.com
Fri Jan 21 16:37:15 UTC 2005
Serge Hallyn wrote:
> Perhaps we should print out current->cap_effective? Or is that
> overkill? Or perhaps an actual "security_identify_process(task, buf,
> len)" hook would be useful, where commoncap could print out the
> capabilities, and selinux could print out the context. Maybe that's
> closer to debug info...
>
This hook, and a similar security_identify_inode(...) hook, will be necessary
for an LSM to go through a LSPP evaluation. The label information is required
to be included in the audit record for all subjects/objects/information involved
in the event. I have a quick-and-dirty patch that implemented this
functionality. Note that this patch uses pre-allocated 1K buffers (limits info
and sucks up a lot of memory). A proper memory allocation scheme needs to be
worked up and the patch probably needs to be rebased to newer code. I planned
on getting back to this in the near future. If someone else is working on this
functionality, please let me know, otherwise I can bump this up on my TODO list.
This patch also includes uid/gid/mode for filesystem objects. I felt that this
was a needed addition to determine the cause of filesystem related denials. Do
others agree with this addition to the records, and is there anything else that
we could possibly want?
--
Darrel
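The thread above discusses a "security_identify_process(task, buf, len)" style hook that fills a caller-supplied, length-bounded buffer with label and capability information for the audit record, and notes that the quick-and-dirty patch uses fixed pre-allocated 1K buffers that can limit the information recorded. The following is an added userspace model of that interface, not code from the thread, from the attached patch, or from the kernel: the `model_task` structure, its field names, the record format and the sample context string are all constructed for this example. It shows the one property a defender reviewing such a hook wants: when the buffer is too small, the record is still NUL-terminated and the caller can tell that it was truncated rather than silently logging an incomplete label.

```c
/* Added example (not from the mailing-list thread or the patch it discusses):
 * a userspace model of a length-bounded "identify_process(task, buf, len)"
 * hook.  The task structure and the record format are hypothetical; the
 * point is the buffer handling: the function always produces a terminated
 * string and reports the length the full record needed, so a caller with a
 * fixed 1K buffer can detect a cut-off record. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the kernel task: only the fields used here. */
struct model_task {
    int pid;
    unsigned uid;
    uint64_t cap_effective;   /* bitmask of effective capabilities */
    const char *context;      /* e.g. an SELinux context string, may be NULL */
};

/* Writes "pid=... uid=... cap_eff=... label=..." into buf (at most len bytes,
 * always NUL-terminated when len > 0).  Returns the number of characters the
 * complete record needs, excluding the NUL, in the style of snprintf(), so the
 * caller can compare it with len.  Returns -EINVAL for a NULL or empty buffer. */
int identify_process(const struct model_task *t, char *buf, size_t len)
{
    if (!buf || len == 0)
        return -EINVAL;
    return snprintf(buf, len, "pid=%d uid=%u cap_eff=%016llx label=%s",
                    t->pid, t->uid, (unsigned long long)t->cap_effective,
                    t->context ? t->context : "unlabeled");
}

/* Audit-side helper modelling a fixed pre-allocated record buffer.
 * Returns 1 if the whole record fit, 0 if it was truncated (buf still holds
 * a terminated prefix), or a negative errno from identify_process(). */
int fill_audit_record(const struct model_task *t, char *buf, size_t len)
{
    int needed = identify_process(t, buf, len);
    if (needed < 0)
        return needed;
    return (size_t)needed < len;  /* needed == len would mean the NUL ate a byte */
}

int main(void)
{
    /* Constructed sample subject: root with two capability bits set. */
    struct model_task t = { 1234, 0, 0x21ULL, "system_u:system_r:kernel_t" };
    char big[1024], small[32];

    printf("fit=%d: %s\n", fill_audit_record(&t, big, sizeof big), big);
    printf("fit=%d: %s\n", fill_audit_record(&t, small, sizeof small), small);
    return 0;
}
```

The design choice worth copying is the snprintf-style return value: a hook that only returns "ok" after writing a truncated string leaves the audit subsystem no way to flag that the label in the record is incomplete, which matters for the evaluation requirement the mail describes, namely that every subject's and object's label appear in the record.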
-------------- next part --------------
A non-text attachment was scrubbed...
Name: lsm-audit-augment.patch
Type: text/x-patch
Size: 15066 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20050121/09140dff/attachment.bin>