Serge Hallyn wrote:

>Sorry, on a second look I notice the descriptions in security.h are far
>less helpful than I'd thought!
>
>The new hooks allow an LSM to refuse a process the ability to:
>
>    view a list of audit rules
>    add to the list of audit rules
>    delete an audit rule
>    set audit parameters (ie enable/disable audit, rate limit, etc)
>    create a 'login' audit record.
>
>The last one is the most dubious one in my mind, but we do want to
>prevent a user from sending fake login audit messages, either to mislead
>the auditor or to fill the log with garbage.
>

Thanks for the description.

>Note that the audit code (kernel/audit.c and kernel/auditsc.c) is in the
>kernel now. This patch only allows LSMs to restrict processes'
>interaction with the audit subsystem. At the moment, some of this
>interaction depends upon CAP_SYS_ADMIN, and some (like listing the audit
>rules) is always allowed.
>

Ok. It took me a while to track down the audit code in question: if one googles for "linux audit" one gets a lot of diverse hits, and this one has few discerning names. I assume that this is the one you are referring to
http://people.redhat.com/faith/audit/readme.txt

So from what I've read, it seems that the above hooks are audit-specific, but only with respect to Rik Faith's audit patch that is now in the mainline kernel. IMHO, hooks that are audit-specific to a *module* would be fugly, but that is not the case here; these hooks are just specific to the new audit capabilities of the kernel. I.e. they are hooking the audit facility in exactly the same way that other hooks mediate e.g. inode access.

So I'm ok with the architecture of this patch.

Thanks,
Crispin

--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com

This archive was generated by hypermail 2.1.3 : Wed Sep 15 2004 - 12:44:09 PDT