[PATCH 3rd revision] Add SELinux context support to AUDIT target

Wed Jun 8 19:08:38 UTC 2011

On Wed, Jun 8, 2011 at 3:00 PM, Mr Dash Four
<mr.dash.four at googlemail.com> wrote:
>
>> int audit_log_secctx(struct auditbuffer *ab, u32 secid)
>> {
>>    int len, rc;
>>    char *ctx;
>>
>>    rc = security_secid_to_secctx(sid, &ctx, &len);
>>    if (rc) {
>>        audit_panic("Cannot convert secid to context");
>>    } else {
>>            audit_log_format(ab, " subj=%s", ctx);
>>            security_release_secctx(ctx, len);
>>    }
>>    return rc;
>> }
>>
>> Such a function could be used a couple of places in the audit code itself.
>>
>
> My view on this is that LSM error-handling should be part of LSM.
>
> I presume security_secid_to_secctx is going to be called from quite a few
> places (well, I know of at least two now and they have nothing to do with
> the LSM) and in my opinion it would be better if that error handling, if
> adopted, is implemented within the function itself - whether by calling
> another function, like the one you proposed above, or as part of the secctx
> retrieval - this could be open to interpretation, but the point I am trying
> to make is that whichever code security_secid_to_secctx is invoked from
> shouldn't be involved in reporting/handling (internal LSM) errors at all.
>
> I think I made that point in my previous post, but just wanted to make sure
> that is the case.

The LSM might report and error.  It's up to the caller to figure out
how to deal with that error.  In this case we want to use the audit
system so it's up to the audit system how to handle that error.  This
helper function says the audit system should log it if it work and
should audit_panic() if it doesn't.  audit_panic() will just call
printk for most people and can actually panic the box for nutters who
really care.  In this way we always log the information and if we
don't it's up to audit how audit handles it's inability to log info.

It's not netfilter's job to handle the error.  It's not the LSMs job
to know how it's caller wants to handle the error.  Audit is who has
special requirements and the code to handle the error should be in
audit code.  (Maybe it wasn't clear, but I think this function should
go in kernel/audit.c, not the netfilter code.  The netfilter code
should call this helper function.

-Eric