
Re: [PATCH] LSPP audit enablement: storing selinux ocontext and scontext



* Stephen Smalley (sds tycho nsa gov) wrote:
> Leveraging ipcperms only seemed natural (for both LSM and audit), given
> its wide (but admittedly incomplete and coarse-grained) coverage.  I'm
> not sure why the overlap/duplication is a concern for audit if it isn't
> already a concern for the corresponding LSM hooks.

The one difference is that the audit record is simpler.  The LSM hooks are
fine grained enough to show distinction between call contexts.  The audit
interface is just grabbing the label, so duplication would be pure waste.
My primary concern is code that looks like this:

msgctl {
  case IPC_STAT:
        audit...
  case IPC_SET:
        ...
        audit...

  if (cmd == IPC_SET)
        audit...

  case IPC_SET:
        ...
}

So there's duplication (ugly from code POV) on IPC_SET, and there's no
clear rule for what's being audited (why not audit RMID, for example).
Granted, some of the ugliness comes from existing ipc code organization.
But we don't need to make it worse.

thanks,
-chris

