[RFC] linux-2.6.10-auditfs-tc1.patch

Darrel Goeddel dgoeddel at trustedcs.com
Fri Jan 21 16:37:15 UTC 2005


Serge Hallyn wrote:
> Perhaps we should print out current->cap_effective?  Or is that
> overkill?  Or perhaps an actual "security_identify_process(task, buf,
> len)" hook would be useful, where commoncap could print out the
> capabilities, and selinux could print out the context.  Maybe that's
> closer to debug info...
> 

This hook, and a similar security_identify_inode(...) hook, will be necessary 
for an LSM to go through a LSPP evaluation.  The label information is required 
to be included in the audit record for all subjects/objects/information involved 
in the event.  I have a quick-and-dirty patch that implemented this 
functionality.  Note that this patch uses pre-allocated 1K buffers (limits info 
and sucks up a lot of memory).  A proper memory allocation scheme needs to be 
worked up and the patch probably needs to be rebased to newer code.  I planned 
on getting back to this in the near future.  If someone else is working on this 
functionality, please let me know, otherwise I can bump this up on my TODO list.

This patch also includes uid/gid/mode for filesystem objects.  I felt that this 
was a needed addition to determine the cause of filesystem related denials.  Do 
others agree with this addition to the records, and is there anything else that 
we could possibly want?

-- 

Darrel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: lsm-audit-augment.patch
Type: text/x-patch
Size: 15066 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20050121/09140dff/attachment.bin>

