[redhat-lspp] security context in audit records

Stephen Smalley sds at tycho.nsa.gov
Mon May 9 15:01:01 UTC 2005


On Fri, 2005-05-06 at 17:51 -0500, Daniel H. Jones wrote:
> For LSPP the audit records must contain subject/object sensitivity 
> labels. I'm currently working on these extensions to audit. This is a 
> first stab patch (against the audit.28 kernel) for adding labels to file 
> system and ipc audit records. The purpose here is to provoke some 
> discussion and get feedback on whether this is the right way to 
> accomplish the objective. Your input is very much appreciated.

- (nit) Use a static inline for the #undef CONFIG_AUDITSYSCALL case,
e.g. static inline int audit_ipc_security_context(struct kern_ipc_perm
*ipcp) { return 0; }.  This ensures that you get proper type checking on
the return value and parameters even when the option is disabled.  I see
that the original audit code from Rik Faith violates this pattern, but
no point in making it worse.

- (nit) security_context_len should be size_t rather than int.  Shorter
names might ease your typing burden ;)

- You could simplify your code by just allocating a page via
__get_free_page() and pass that into security_getprocattr() like the
existing proc_pid_attr_read() function does, at a temporary cost in
wasted memory until you free it.  It is unfortunate that the existing
getprocattr and inode_getsecurity hooks require the caller to allocate
the buffer since the SELinux code will allocate a context buffer of
exactly the right size upon security_sid_to_context() anyway.

- Since the security context is provided by SELinux, I don't think you
need to pass it through audit_log_untrustedstring().  Direct logging via
audit_log_format() with %s format should be ok.

- I think we'll need to generalize the attribute name in some manner
rather than hardcoding "selinux" for the inode_getsecurity call.  Normally, the
attribute name comes from userspace.  Possibly have the SELinux module
register with the audit framework in some manner and provide the right
string (which is defined as XATTR_SELINUX_SUFFIX in hooks.c) at
registration time.

- Security context length should include the null terminator, so you
shouldn't need to adjust it.

-- 
Stephen Smalley
National Security Agency
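The two coding points raised above (a static inline stub for the disabled-config case so type checking survives, and a size_t context length that already counts the NUL terminator) are shown here in a small, constructed userland illustration. This is an added example, not Daniel Jones's patch or kernel code: `demo_ipc_perm`, `DEMO_AUDITSYSCALL`, `build_ipc_record` and the sample contexts are stand-ins, and `snprintf` plays the part of `audit_log_format`.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-ins, not kernel code: a label-bearing IPC object and a
 * compile-time switch mirroring CONFIG_AUDITSYSCALL. */
#define DEMO_AUDITSYSCALL 1

struct demo_ipc_perm {
    const char *security_context;   /* e.g. "system_u:object_r:tmpfs_t:s0" */
};

/* Length of a security context counted the way the review suggests:
 * size_t, and inclusive of the terminating NUL, so callers need no +1/-1
 * adjustment when sizing a buffer. */
static size_t security_context_len(const char *ctx)
{
    return strlen(ctx) + 1;
}

#if DEMO_AUDITSYSCALL
/* Enabled path: append " obj=<context>" to an audit record. Returns 0 on
 * success, -1 if the record buffer would be truncated. */
static int audit_ipc_security_context(const struct demo_ipc_perm *ipcp,
                                      char *rec, size_t reclen)
{
    size_t used = strlen(rec);
    int n = snprintf(rec + used, reclen - used, " obj=%s",
                     ipcp->security_context);
    if (n < 0 || (size_t)n >= reclen - used)
        return -1;
    return 0;
}
#else
/* Disabled path as a static inline rather than a macro: the compiler still
 * checks the argument types and the int return value, so a caller passing
 * the wrong type breaks the build in both configurations. */
static inline int audit_ipc_security_context(const struct demo_ipc_perm *ipcp,
                                             char *rec, size_t reclen)
{
    (void)ipcp; (void)rec; (void)reclen;
    return 0;
}
#endif

/* Build a record carrying subject and object labels. The contexts come
 * from the security module, so they go through a plain "%s" rather than an
 * untrusted-string escaper. Returns 0 on success, -1 on truncation. */
static int build_ipc_record(char *rec, size_t reclen, const char *subj,
                            const struct demo_ipc_perm *ipcp)
{
    int n = snprintf(rec, reclen, "type=IPC subj=%s", subj);
    if (n < 0 || (size_t)n >= reclen)
        return -1;
    return audit_ipc_security_context(ipcp, rec, reclen);
}

int main(void)
{
    /* Constructed sample contexts. */
    struct demo_ipc_perm shm = { "system_u:object_r:tmpfs_t:s0" };
    char rec[128];

    if (build_ipc_record(rec, sizeof rec, "user_u:user_r:user_t:s0", &shm) == 0)
        printf("%s (obj ctx len incl. NUL: %zu)\n", rec,
               security_context_len(shm.security_context));
    return 0;
}
```

Flipping `DEMO_AUDITSYSCALL` to 0 compiles the stub instead; because the stub keeps the same prototype, any caller that mis-types an argument fails to build under either setting, which is exactly what an empty macro would silently let through.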