Serge Hallyn wrote:
>Sorry, on a second look I notice the descriptions in security.h are far
>less helpful than I'd thought!
>
>The new hooks allow an LSM to refuse a process the ability to:
>
> view a list of audit rules
> add to the list of audit rules
> delete an audit rule
> set audit parameters (i.e. enable/disable audit, rate limit, etc.)
> create a 'login' audit record.
>
>The last one is the most dubious one in my mind, but we do want to
>prevent a user from sending fake login audit messages, either to mislead
>the auditor or to fill the log with garbage.
>

Thanks for the description.

>Note that the audit code (kernel/audit.c and kernel/auditsc.c) is in the
>kernel now. This patch only allows LSMs to restrict processes'
>interaction with the audit subsystem. At the moment, some of this
>interaction depends upon CAP_SYS_ADMIN, and some (like listing the audit
>rules) is always allowed.
>

Ok. It took me a while to track down the audit code in question: if one
googles for "linux audit" one gets a lot of diverse hits, and this one
has few discerning names. I assume that this is the one you are
referring to: http://people.redhat.com/faith/audit/readme.txt

So from what I've read, it seems that the above hooks are
audit-specific, but only with respect to Rik Faith's audit patch that is
now in the mainline kernel. IMHO, hooks that are audit-specific to a
*module* would be fugly, but that is not the case here; these hooks are
just specific to the new audit capabilities of the kernel. I.e. they are
hooking the audit facility in exactly the same way that other hooks
mediate e.g. inode access.

So I'm ok with the architecture of this patch.

Thanks,
Crispin
--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
CTO, Immunix http://immunix.com
This archive was generated by hypermail 2.1.3 : Wed Sep 15 2004 - 12:44:09 PDT