Another slab size-32 leak 2.6.16-rc4-mm2
Klaus Weidner
klaus at atsec.com
Mon Mar 6 19:13:20 UTC 2006
On Mon, Mar 06, 2006 at 10:20:05AM -0500, Stephen Smalley wrote:
> But ipcperms() isn't called on every IPC operation, in particular not
> for the ones that apply uid ownership or capability tests rather than
> mode checks, e.g. SHM_LOCK/UNLOCK. Compare the coverage of the
> security_* hooks in the ipc code against the audit-related hooks.
SHM_LOCK/UNLOCK doesn't look like an "operation on an object" from the
LSPP point of view (it doesn't read, write, create, destroy, change
permissions, or similar things), so I don't see a need to audit that one.
There may be a need to add new hooks for specific functions if they turn
out to require auditing, but offhand I'm not aware of any.
> That is why I suggested making a call to some audit hook for collecting
> the IPC object context from every selinux_* IPC hook - that ensures
> coverage without requiring additional audit hooks.
Keep in mind that LSPP requires audit records (including object labels)
for unsuccessful operations, and as far as I know an access request
that's rejected by DAC permissions won't call the selinux hook.
-Klaus
More information about the Linux-audit
mailing list