[RFC][PATCH] collect security labels on user processes generating audit messages
Timothy R. Chavez
tinytim at us.ibm.com
Thu Feb 9 16:13:56 UTC 2006
Hi James,
Thank you for the response (and putting Stephen on the CC list,
Evolution flubbered my original CC list, hrm). My response below.
On Thu, 2006-02-09 at 09:58 -0500, James Morris wrote:
> On Wed, 8 Feb 2006, Timothy R. Chavez wrote:
>
> > 1) A new SELinux interface was introduced to give other parts of the
> > kernel the ability to resolve 'sids' into security labels.
>
> Please look at the way I intend to export SELinux APIs in:
> http://people.redhat.com/jmorris/selinux/skfilter/kernel/12-skfilter-selinux-exports.patch
This looks good. Do you have a schedule for releasing this? I could
probably wait until it becomes available in -mm before changing out the
API plumbing.
>
> > +++ b/include/linux/netlink.h
> > @@ -143,6 +143,7 @@ struct netlink_skb_parms
> > __u32 dst_group;
> > kernel_cap_t eff_cap;
> > __u32 loginuid; /* Login (audit) uid */
> > + __u32 secid; /* SELinux security id */
> > };
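Review bot: the comment on the new `secid` field in struct netlink_skb_parms describes it as an SELinux security id, yet the field sits in a generic netlink structure in include/linux/netlink.h. Suggest the comment state which code sets the field, what value it carries when no security module supplies one, and that consumers should treat it as an opaque handle.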
>
> You also need to verify the policy serial number.
Ah, thanks.
>
> I wonder if it might be better to use the security context directly.
>
I think it'd be the simplest solution, but I was a bit wary about
adding a string param... I thought using an integer might be the path of
least resistance :)
>
> > @@ -460,11 +464,26 @@ static int audit_receive_msg(struct sk_b
> > err = 0;
> > ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
> > if (ab) {
> > + len = selinux_sid_to_context(sid, NULL, 0);
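Review bot: in the `if (ab)` branch of audit_receive_msg, the result of `selinux_sid_to_context(sid, NULL, 0)` is stored in `len` and no error check is visible in the quoted lines. If this call is a length query, `len` should be validated before it sizes any buffer, and a failure here should still leave the record opened by `audit_log_start` in a state that gets logged or cleanly released.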
>
> This is embedding SELinux specific code into the audit code. I think you
> need to add some audit/SELinux glue code which disappears if SELinux is
> not enabled.
>
> > + NETLINK_CB(skb).secid = security_task_getsid(current);
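Review bot: the `NETLINK_CB(skb).secid` assignment takes its value from `current`, so the recorded label is the sender's only if this line always runs in the sending task's context. A short comment stating that assumption would help, together with a note on what `secid` holds for messages that do not originate from a user process.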
>
> security_task_getsid() doesn't exist.
>
> You created security_task_getsecurity(), which retrieves the security
> context.
>
>
>
> - James
Actually, security_task_getsid() does exist (or did exist last time I
updated the viro/audit-2.6 git tree).
http://www.promethos.org/lxr/http/ident?i=security_task_getsid
Thanks again for the feedback, James.
-tim