[RFC] linux-2.6.10-auditfs-tc1.patch

Casey Schaufler casey at schaufler-ca.com
Mon Jan 24 16:57:36 UTC 2005


--- Steve Grubb <sgrubb at redhat.com> wrote:

> On Monday 24 January 2005 11:29, Casey Schaufler
> wrote:
> > > Which capabilities?
> >
> >     - The process capability set
> >     - The set of capabilities that were
> >       actually required
> 
> Both? The capabilities required should be cast in
> concrete and not 
> configurable. Not sure what value this adds other
> than a convenience.

If I have 6 capabilities but only need one
of them to perform an action the process list
does not identify the policy that is being
overridden. If I need 2 capabilities but only
have one, the one that I don't have but needed
needs to be pointed out. The capabilities
required to perform an action will not be
set in concrete. For example, accessing
/a/file may require different capabilities
depending on the mode of /a.

> In linux you can be root and not able to add
> capabilities or lose capabilities 
> since you gave up that capability. So, I'm not sure
> if this is useful in this 
> situation.

You're probably right.
 
> > > Yes. The audit program has a format_type
> > > configuration option so these can be
> > > written. Send the patch to me or this mail list
> > > against the latest audit
> > > daemon code.
> >
> > Hum. I'll have to see what I can do.
> 
> Just write a function similar to format_raw in
> lib/libaudit.c. Around line 199 
> in src/auditd-event.c is a switch statement & LF_RAW
> case. Just add another 
> case to call your formatting function. The
> formatting function should malloc 
> & write to a buffer that the caller will free later.
> That's all there is to 
> it.

Thank you.


=====
Casey Schaufler
casey at schaufler-ca.com
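
The held-versus-required distinction discussed above, as an added example (not from the original message, libaudit or auditd): a hypothetical formatter that reports the capabilities a process held, the ones the action required, and the required ones it lacked, in a malloc'd buffer the caller frees. The function name, field names and sample masks are assumptions; the bit numbers are the first eight from <linux/capability.h>.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Names for capability bits 0-7, in <linux/capability.h> order; higher bits are ignored. */
static const char *const cap_names[] = {
    "chown", "dac_override", "dac_read_search", "fowner",
    "fsetid", "kill", "setgid", "setuid",
};
#define NCAPS (sizeof(cap_names) / sizeof(cap_names[0]))

/* Append "key=name,name" (or "key=none") to buf and return the new length. */
static size_t put_set(char *buf, size_t len, size_t cap, const char *key, uint32_t set)
{
    int first = 1;
    len += snprintf(buf + len, cap - len, "%s%s=", len ? " " : "", key);
    for (unsigned i = 0; i < NCAPS; i++) {
        if (!(set & (1u << i)))
            continue;
        len += snprintf(buf + len, cap - len, "%s%s", first ? "" : ",", cap_names[i]);
        first = 0;
    }
    if (first)
        len += snprintf(buf + len, cap - len, "none");
    return len;
}

/* Hypothetical formatter: returns a malloc'd string that the caller frees. */
char *format_caps(uint32_t held, uint32_t required)
{
    size_t cap = 512, len = 0;  /* three full sets need under 250 bytes */
    char *buf = malloc(cap);
    if (!buf)
        return NULL;
    len = put_set(buf, len, cap, "cap_held", held);
    len = put_set(buf, len, cap, "cap_required", required);
    put_set(buf, len, cap, "cap_missing", required & ~held);
    return buf;
}

int main(void)
{
    char *s = format_caps(0xBB, 0x02);  /* constructed: six held, one required */
    if (s)
        puts(s);
    free(s);
    return 0;
}
```
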


		