[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [PATCH 4th revision] Add SELinux context support to AUDIT target



On Saturday, June 18, 2011 08:08:05 AM Mr Dash Four wrote:
> +#ifdef CONFIG_SECURITY
> +/**
> + * audit_log_secctx - Converts and logs SELinux context
> + * @ab: audit_buffer
> + * @secid: security number
> + *
> + * This is a helper function that calls security_secid_to_secctx to
> convert secid to secctx + * and then adds the (converted) SELinux context
> to the audit log + * by calling audit_log_format, thus also preventing
> leak of internal secid to userspace. + * If secid cannot be converted
> audit_panic is called.
> + */
> +void audit_log_secctx(struct audit_buffer *ab, u32 secid)
> +{
> +	u32 len;
> +	char *secctx;
> +
> +	if (security_secid_to_secctx(secid, &secctx, &len)) {
> +		audit_panic("Cannot convert secid to context");
> +	} else {
> +		audit_log_format(ab, " obj=%s", secctx);
> +		security_release_secctx(secctx, len);

Eric,

Do you think this should be hardcoded to be obj? Would we ever log the subj? Or should 
obj be part of the function name to make it clear which piece is getting logged?

-Steve


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]