audit-ptrace patch (untested)
Amy Griffis
amy.griffis at hp.com
Wed Mar 14 15:57:00 UTC 2007
Alexander Viro wrote: [Tue Mar 13 2007, 03:39:09PM EDT]
> On Tue, Mar 13, 2007 at 03:00:46PM -0400, Amy Griffis wrote:
> > > + if (sid)
> > > + selinux_sid_to_string(sid, &context->obj_ctx, &len);
> > > +}
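Review bot: the return value of selinux_sid_to_string() is discarded on the `selinux_sid_to_string(sid, &context->obj_ctx, &len);` line, but that call can fail (it returns a negative errno, for example on allocation failure), in which case context->obj_ctx and len are left holding whatever they had before and the later log path has no way to tell. Capture the result and either propagate it or explicitly set context->obj_ctx to NULL on failure so audit_log_exit can treat a missing context string as such; the `if (sid)` guard only covers the zero-SID case, not a conversion error.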
> >
> > Why did you choose to do the sid to string conversion at collection
> > time, rather than waiting for audit_log_exit?
>
> Narrower window for sid_to_context to change...
Okay, I hadn't thought of that. But is it really more of a problem for
processes than for ipc or inodes? It's true that processes can change
their context, but that would change the sid, and we've already
collected that data. The sid-to-context-string mapping will only
change on policy load. I see the argument for narrowing the window,
but I'd like to see audit pick one way and stick to it.
Amy