
Re: [PATCH] change lspp inode auditing



On Thursday 30 March 2006 09:30, Stephen Smalley wrote:
> Not much value in displaying the SID, although we do it elsewhere as
> well (e.g. in the AVC) as a fallback - mapping it will then require a
> dump of kernel memory at that time.  Likely have to call audit_panic in
> this scenario to meet the criteria, but the admin can always set
> audit_panic to not actually panic the machine.

I'll patch it to call audit_panic, but that is not the solution. For example, 
suppose the syscall was to rename, sendfile, unlink, or link to a file...even 
though we panic they were able to do the action. If it was rename a file, 
they can now access the file when it comes back up and not be audited. I 
think that the correct course of action is to log the number and figure out 
how to close the loop on mapping the sid to context post-mortem.

> BTW, you kfree(ctx) unconditionally above, so you better initialize it
> to NULL prior to calling selinux_ctxid_to_string().  len has the wrong
> type too (int vs. u32), but I think you can drop it altogether.

The called function initializes it. I'll add another init to NULL just in case 
something it calls doesn't on error.

Thanks,
-Steve

