Re: [RFC][PATCH 0/3] Introduce audit_syscall LSM hook

From: Adrian Drzewiecki (z@private)
Date: Tue Dec 07 2004 - 10:39:10 PST

On Mon, 6 Dec 2004, Chris Wright wrote:

> * Adrian Drzewiecki (z@private) wrote:
> > Goal: let LSMs define custom syscall auditing.
> > 
> > The patch below introduces a new LSM hook security_audit_syscall.
> > It is meant to be called from ptrace.c:do_syscall_trace(). Architectures
> > which choose to use this hook should move the syscall audit code
> > out of do_syscall_trace() into audit_syscall() and
> > define ARCH_HAVE_AUDIT_SYSCALL. See i386 and UM arch patches for details.
> Adrian, I don't quite understand the need for this patch.  Could you
> supply some more details?
> thanks,
> -chris

 For me the need for this patch was an LSM that I was working on which 
wanted to keep track of the system calls that a task called. This was the 
cleanest way for me do this. 
 The idea cam from Andrea Arcangeli's "secure computing" patch. If this 
LSM hook were in place, his patch could be implemented as a simple 
security module instead. So security_audit_syscall() could be used to 
prevent a process from making certain system calls -- creating a simple 

Adrian Drzewiecki

This archive was generated by hypermail 2.1.3 : Tue Dec 07 2004 - 10:39:48 PST