Re: [RFC][PATCH 1/3] Introduce audit_syscall LSM hook

From: Adrian Drzewiecki (z@private)
Date: Tue Dec 07 2004 - 10:44:58 PST


On Mon, 6 Dec 2004, Chris Wright wrote:

> * Adrian Drzewiecki (z@private) wrote:
[snip]
> > +static inline void security_audit_syscall(struct task_struct *p, void 
> > *regs, int entryexit)
> > +{
> > +	security_ops->audit_syscall(p, regs, entryexit);
> > +}
> > +
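
Review bot: regs is declared as void * and entryexit as a bare int in this wrapper's signature, so the compiler cannot catch a caller passing the wrong pointer or an out-of-range flag. Consider a typed register pointer, plus a comment or enum that names the entry and exit values of entryexit.
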
> 
> So, with CONFIG_SECURITY this will call into security modules.
[snip] 
> > +static inline void security_audit_syscall(struct task_struct *p, void 
> > *regs, int entryexit)
> > +{
> > +#ifdef HAVE_ARCH_AUDIT_SYSCALL
> > +	audit_syscall(p, regs, entryexit);
> > +#endif
> > +}
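
Review bot: the #ifdef HAVE_ARCH_AUDIT_SYSCALL sits inside the function body here, and the same three lines appear again in dummy_audit_syscall(). Providing an empty inline audit_syscall() stub in a header when HAVE_ARCH_AUDIT_SYSCALL is not defined would let both places call it unconditionally and keep the conditional in one spot.
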
> 
> And w/out it's only calling arch specific code.
> 
> > +static void dummy_audit_syscall(struct task_struct *p, void *regs, int 
> > entryexit)
> > +{
> > +#ifdef HAVE_ARCH_AUDIT_SYSCALL
> > +	audit_syscall(p, regs, entryexit);
> > +#endif
> > +}
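
Review bot: in the lines shown, the only path to audit_syscall() under CONFIG_SECURITY is this default hook, so a module that installs its own audit_syscall hook and does not forward to audit_syscall() switches standard syscall auditing off with no indication. Either have security_audit_syscall() invoke the arch auditing itself before dispatching to the hook, or state the forwarding requirement in the hook's documentation.
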
[snip]
> And nothing for capability, so it's expected to pick up default from
> dummy stub?
> 
> thanks,
> -chris

Not necessarily. audit_syscall() is not a capability check. A new LSM 
is expected to call audit_syscall() from its security_ops->audit_syscall() 
hook, if the standard syscall auditing is to be preserved. This is another 
reason why the arch portion of the code does EXPORT_SYMBOL_GPL(audit_syscall).

(oops, just noticed that my UM arch patch didn't do that...)

-- 
Adrian Drzewiecki
z@private
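
The hook contract described in the reply above, as an added user-space model that is not part of the original message or patch: the struct layout, the two module hooks and the 0/1 entryexit values are constructed for illustration.

```c
/* User-space model of the hook dispatch in this thread; not kernel code. */
#include <stddef.h>

struct task_struct { int pid; };   /* stand-in for the kernel type */
static int audit_records;          /* calls that reached arch auditing */

/* Stand-in for the arch-provided audit_syscall() that the patch exports. */
static void audit_syscall(struct task_struct *p, void *regs, int entryexit)
{
	(void)p; (void)regs; (void)entryexit;
	audit_records++;
}

struct security_operations {
	void (*audit_syscall)(struct task_struct *p, void *regs, int entryexit);
};

/* Default hook, as in the patch: forwards to the arch code. */
static void dummy_audit_syscall(struct task_struct *p, void *regs, int entryexit)
{
	audit_syscall(p, regs, entryexit);
}

/* Hypothetical module hook that does not chain: standard auditing is lost. */
static void silent_lsm_hook(struct task_struct *p, void *regs, int entryexit)
{
	(void)p; (void)regs; (void)entryexit;   /* module-private work only */
}

/* Hypothetical module hook that follows the contract: do its work, then chain. */
static void chaining_lsm_hook(struct task_struct *p, void *regs, int entryexit)
{
	audit_syscall(p, regs, entryexit);
}

static struct security_operations dummy_ops = { dummy_audit_syscall };
static struct security_operations silent_ops = { silent_lsm_hook };
static struct security_operations chaining_ops = { chaining_lsm_hook };
static struct security_operations *security_ops = &dummy_ops;

/* Audit records produced by one syscall entry plus exit with ops registered. */
int records_for(struct security_operations *ops)
{
	struct task_struct t = { 1 };
	audit_records = 0;
	security_ops = ops;
	security_ops->audit_syscall(&t, NULL, 0);   /* entry (constructed value) */
	security_ops->audit_syscall(&t, NULL, 1);   /* exit (constructed value) */
	return audit_records;
}

int main(void) { return records_for(&silent_ops) == 0 ? 0 : 1; }
```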


