Attached is SGI's second proposal for adding audit support to LSM. We've
listened to all the comments made after the first patch presented for
review, even if we haven't actively participated in the discussions.
In particular, the message was that the patch was too big and that audit was
intended for phase 2, so we've redone it. This piece of work only includes
modifications to the existing hooks, either in terms of their prototypes or
placement. The intention is to freeze an existing audit-friendly API
before tackling the issues of adding new hooks.
Prototypes have changed to reflect additional information that audit really
wants to track, i.e. fds. These have been added as additional parameters,
not replacements (that was my personal mistake last time).
The placement of some hooks has been modified to make it more consistent,
so for example, we always call the post hook, rather than only if there was
an error. Some hooks have been moved ahead of DAC checks (or capable()
calls) in light of Stephen's comments on July 9th.
By saying no to our first patch, we were forced to go back to re-think the
implementation and have come up with something that seems to work much
better for all concerned. In particular, we think we can get away with not
needing the return_status() hook. In addition, Stephen's idea of using
system call interposition was really useful in getting us to re-evaluate
our design considerations.
We've also removed any reference to authoritative hooks and to moving code out
of the kernel into a module.
The following hooks have been modified.
Inode Ops
=========
- void (* post_create) (struct inode *dir, struct dentry *dentry,
int mode);
+ void (* post_create) (struct inode *dir, struct dentry *dentry,
int mode, int error);
- void (* post_link) (struct dentry *old_dentry, struct inode
*dir, struct dentry *new_dentry);
+ void (* post_link) (struct dentry *old_dentry, struct inode
*dir, struct dentry *new_dentry, int error);
- void (* post_symlink) (struct inode *dir, struct dentry *dentry,
const char *old_name);
+ void (* post_symlink) (struct inode *dir, struct dentry *dentry,
const char *old_name, int error);
- void (* post_mkdir) (struct inode *dir, struct dentry *dentry,
int mode);
+ void (* post_mkdir) (struct inode *dir, struct dentry *dentry,
int mode, int error);
- void (* post_mknod) (struct inode *dir, struct dentry *dentry,
int mode, dev_t dev);
+ void (* post_mknod) (struct inode *dir, struct dentry *dentry,
int mode, dev_t dev, int error);
void (* post_rename) (struct inode *old_dir, struct dentry
*old_dentry,
- struct inode *new_dir, struct dentry
*new_dentry);
+ struct inode *new_dir, struct dentry
*new_dentry, int error);
- int (* truncate) (struct inode *inode);
+ int (* truncate) (const char *path, struct inode *inode,
loff_t length);
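Review bot: every post_* hook in this group gains a trailing `int error`, which is what lets a module record failed operations as well as successful ones now that the post hook is always called; `truncate`, though, is the one inode hook rewritten to take a `const char *path` ahead of the inode rather than a dentry, and the posting should say where that string comes from (a kernel-side copy of the pathname, and what is passed when truncation is reached through a descriptor) so a module never treats it as a user pointer or assumes it is non-NULL.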
File Ops
========
- int (* permission) (struct file *file, int mask);
+ int (* permission) (int fd, struct file *file, int
mask);
- int (* llseek) (struct file *file);
+ int (* llseek) (int fd, struct file *file);
- int (* read) (struct file *file);
+ int (* read) (int fd, struct file *file);
- int (* write) (struct file *file);
+ int (* write) (int fd, struct file *file);
- int (* ioctl) (struct file *file, unsigned int
cmd, unsigned long arg);
+ int (* ioctl) (int fd, struct file *file,
unsigned int cmd, unsigned long arg);
- int (* mmap) (struct file *file, unsigned long
prot, unsigned long flags);
+ int (* mmap) (int fd, struct file *file,
unsigned long prot, unsigned long flags);
- int (* lock) (struct file *file);
+ int (* lock) (int fd, struct file *file);
- int (* readv) (struct file *file);
+ int (* readv) (int fd, struct file *file);
- int (* writev) (struct file *file);
+ int (* writev) (int fd, struct file *file);
- int (* fcntl) (struct file *file, unsigned int
cmd, unsigned long arg);
+ int (* fcntl) (int fd, struct file *file,
unsigned int cmd, unsigned long arg);
- int (* fcntl64) (struct file *file, unsigned int
cmd, unsigned long arg);
+ int (* fcntl64) (int fd, struct file *file,
unsigned int cmd, unsigned long arg);
- int (* set_fowner) (struct file *file);
+ int (* set_fowner) (int fd, struct file *file);
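Review bot: adding `int fd` ahead of the existing `struct file *file` in every file hook keeps the file pointer as the authoritative object and the descriptor as audit context, which is the right shape; the prose should state that the fd is informational only (it is meaningful only in the calling task's descriptor table) and what value is passed when a hook such as `permission` or `mmap` is reached from a kernel path that has no descriptor, so modules do not build access decisions on the fd.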
Task Ops
========
- int (* setnice) (struct task_struct *p, int nice);
+ int (* setnice) (struct task_struct *p, int nice,
int which, int who);
- int (* setrlimit) (unsigned int resource, struct
rlimit *new_rlim);
+ int (* setrlimit) (unsigned int resource, struct
rlimit *new_rlim, struct rlimit *old_rlim);
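Review bot: `setnice` now carries `which` and `who` alongside `p` and `nice`, so a module can tell a per-process change from a process-group or user-wide one, and `setrlimit` now receives `old_rlim` next to `new_rlim`; the description should say whether `old_rlim` points at the task's live limit or at a snapshot taken before the update, since an audit module that records the old and new values needs to know which it is reading.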
General Ops
===========
- void (* post_remount) (struct vfsmount *mnt, unsigned
long flags, void *data);
+ void (* post_remount) (struct vfsmount *mnt, unsigned
long flags, void *data, int error);
- int (* ptrace) (struct task_struct *parent, struct
task_struct *child);
+ int (* ptrace) (long request, struct task_struct
*parent, struct task_struct *child);
- int (* setcapability) (void);
+ int (* setcapability) (int pid, struct task_struct *
target, __u32 version,
+ kernel_cap_t *inheritable, kernel_cap_t *
permitted, kernel_cap_t * effective);
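Review bot: `ptrace` gaining `long request` is useful because it lets a module record, and distinguish, the attach request from later requests on an already-traced child; for `setcapability`, `int pid` and `struct task_struct *target` both name the target, so the posting should state whether `target` can be NULL when the pid resolves to no task, and which of the three capability-set pointers may be NULL when the caller leaves a set unchanged. The prototype is also split across two `+` lines, which is fine for a summary but worth noting when reading it as a diff.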
A subsequent posting will discuss the prototypes for new hooks that we
would like to see added in phase 2.
The attached patch applies to the TOT bitkeeper tree (as of
ChangeSet@1.119).
For and on behalf of the SGI Trust Technology Group.
casey@sgi.com - Casey Schaufler
ktill@sgi.com - Kevin Till
lachlan.mcilroy@adacel.com.au - Lachlan McIlroy
law@sgi.com - Linda Walsh
Special thanks to former members James Buster and Emil Ong.
richard.
-----------------------------------------------------------------------
Richard Offer Technical Lead, Trust Technology, SGI
"Specialization is for insects"
_______________________________________________________________________
This archive was generated by hypermail 2b30 : Tue Jul 17 2001 - 07:16:03 PDT