Re: [RFC][PATCH 0/3] Introduce audit_syscall LSM hook

From: Greg KH (greg@private)
Date: Wed Dec 08 2004 - 11:33:27 PST


On Tue, Dec 07, 2004 at 01:39:10PM -0500, Adrian Drzewiecki wrote:
> On Mon, 6 Dec 2004, Chris Wright wrote:
> 
> > * Adrian Drzewiecki (z@private) wrote:
> > > Goal: let LSMs define custom syscall auditing.
> > > 
> > > The patch below introduces a new LSM hook security_audit_syscall.
> > > It is meant to be called from ptrace.c:do_syscall_trace(). Architectures
> > > which choose to use this hook should move the syscall audit code
> > > out of do_syscall_trace() into audit_syscall() and
> > > define ARCH_HAVE_AUDIT_SYSCALL. See i386 and UM arch patches for details.
> > 
> > Adrian, I don't quite understand the need for this patch.  Could you
> > supply some more details?
> > 
> > thanks,
> > -chris
> 
> 
> Chris,
>  For me the need for this patch was an LSM that I was working on which 
> wanted to keep track of the system calls that a task called. This was the 
> cleanest way for me to do this.

But what is wrong with the audit subsystem that is already in the kernel
tree?  It should provide for this kind of notification, right?

thanks,

greg k-h


