[PATCH] context based audit filtering (take 4)
Stephen Smalley
sds at tycho.nsa.gov
Fri Feb 24 13:27:37 UTC 2006
On Thu, 2006-02-23 at 11:42 -0600, Darrel Goeddel wrote:
> diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
> index 640d0bf..df358be 100644
> --- a/security/selinux/ss/mls.c
> +++ b/security/selinux/ss/mls.c
> @@ -385,6 +385,31 @@ out:
> }
>
> /*
> + * Set the MLS fields in the security context structure
> + * `context' based on the string representation in
> + * the string `str'. This function will allocate temporary memory with the
> + * given constraints of gfp_mask.
> + */
> +int mls_from_string(char *str, struct context *context, gfp_t gfp_mask)
> +{
> + char *tmpstr, *freestr;
> + int rc;
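Review bot: the comment block above mls_from_string() does not document the return value or the state of `context` on failure. It says only that temporary memory is allocated under gfp_mask. State the return convention (the `int rc` local suggests 0 or an error code) and whether a caller must clean up a partially filled context when the call fails. If the temporary copy means the input is never modified, the parameter could also be declared `const char *str`.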
Likely should be checking selinux_mls_enabled on entry and returning an
error in that case (mls_context_to_sid will just return 0 in that case).
> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> index d877cd1..a2ad2cd 100644
> --- a/security/selinux/ss/services.c
> +++ b/security/selinux/ss/services.c
Need to #include <linux/selinux.h> now to pick up the function
prototypes for the selinux_audit_ functions to ensure that they are
checked against the real functions.
> + default:
> + /* only the above fileds are valid */
Nit: Typo in comment.
Otherwise, looks good.
--
Stephen Smalley
National Security Agency