[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [PATCH 2nd revision] Add SELinux context support to AUDIT target




Normally there would be an else here to do something like
audit_log_format(ab, " osid=%u", skb->secmark);
so that its recorded numerically if the context could not be looked up.
I disagree! That approach was dropped long ago when the secctx was first introduced to prevent kernel information leaking into userspace (Eric would know more about this as he designed that aspect of it a couple of months ago). So the secctx is either present (and retrievable!) or not present from the (xt_)audit point of view. For more information see net/netfilter/nf_conntrack_standalone.c in the current nf-next tree.

In other words, no else is necessary.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]