[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [RFC][PATCH] collect security labels on user processes generating audit messages

Timothy R. Chavez wrote:
James & Stephen,

Thank you for the comments.  While implementing your feedback I came
across a pretty severe bug.  I was basically obtaining the sid and then
throwing it away (I was returning it from the function, but not actually
assigning it to anything).  New patch below.  I still need to test this
a little more.  Thanks!


Should you really be using an lsm interface for getting the sid?  The
patch is currently allowing any security module to put a secid (whose
comment says SELinux security id) into the netlink_skb_params struct.
This generic item is then only used in SELinux specific calls.  It
seems that the getsecid functionality could just fit into an SELinux
specific API just like selinux_id_to_ctx and friends.  That would also
avoid the overhead of lsm and all of the associated code changes.  Of
course this is probably moot if there are other planned uses for



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]