[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [RFC][PATCH] collect security labels on user processes generating audit messages



On Thu, 2006-02-09 at 10:13 -0600, Timothy R. Chavez wrote:
> > You also need to verify the policy serial number.
> 
> Ah, thanks.

Not clear actually - the context structs and integer index values for
the components need to be tagged with a policy serial number if exported
outside of the security server, but the SID itself remains stable across
policy reloads; only the context struct contents are remapped.  If
invalidated, subsequent lookup of the SID will be remapped to the
unlabeled SID's context.

> I think it'd be the simplest solution, but I was a bit weary about
> adding a string param... I thought using an integer might be the path of
> least resistance :)

Yes, a SID makes sense here and avoids the allocation/lifecycle pain of
strings or generic security blobs.

> Actually, security_task_getsid() does exist (or did exist last time I
> updated the viro/audit-2.6 git tree).

It doesn't do what you think it does.   Look at the inline documentation
for it in security.h.

-- 
Stephen Smalley
National Security Agency


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]