Audit patch split into 5 parts

From: richard offer (offerat_private)
Date: Tue Jul 24 2001 - 16:01:24 PDT


    Each of these parts needs to be applied in order as some modify the same
    files...
    
    The attached patches are all against a tree as of 
            ChangeSetat_private, 2001-07-23 10:39:06-07:00, gregat_private
    
    However, in the meantime Chris has updated it to move the tree to 2.4.6,
    but I don't want to have to wait to fix this before getting these out. 
    
    I'll work on getting something that patches TOT asap, but insisting on
    separate parts means it's likely to take a few days.
    
    
    
    
    sgi-1-add-fds
    =============
    
    Add an fd to the file_ops prototypes. 
    
    Not receive(), I haven't had chance to look at this yet, but in previous
    audit code we don't use it. However for MAC we may need an fd. The problem
    is that at the time receive() is called there is no fd available. 
    
    I'd like to register a XmNnotQuiteSureWhatToDoHere callback :-)
    
    
    sgi-2-post-hooks
    ================
    
    Add an error code to the post_* hooks (change the prototypes). Always call
    the post_* hooks even if there isn't an error.
    
    
    sgi-3-misc
    ==========
    
    Other changes that didn't fit into any of the above, change the prototype
    of ptrace/setnice/setcapability to include more information.
    
    
    sgi-4-mac-before-dac
    ====================
    
    Try and call a hook before any other DAC logic (including calls to
    capable()).
    
    The issue here is that SubDomain wants DAC before MAC, classic B1 systems
    (as we will be aiming for) insist on having MAC before DAC. As we have two
    reasonable policies that have mutual conflicts in hook placement we need a
    third solution.
    
    
    sgi-5-truncate
    ==============
    
    A separate patch since I'm not sure about this, what with all the inode vs
    name discussion. We really want the name, the truncate() hook is passed an
    inode. We've added the name as well, but this API sticks out like a sore
    thumb. It would be nice if we could come up with a generic solution for
    all of the inode hooks, and just happen to fix this one at the same time...
    
    
    
    
    richard.
    
    
    -----------------------------------------------------------------------
    Richard Offer                     Technical Lead, Trust Technology, SGI
    "Specialization is for insects"
    _______________________________________________________________________
    
    
    




