Re: [RFC][PATCH 0/3] Introduce audit_syscall LSM hook

From: Adrian Drzewiecki (z@private)
Date: Wed Dec 08 2004 - 11:59:56 PST


> * Adrian Drzewiecki (z@private) wrote:
> > > But what is wrong with the audit subsystem that is already in the kernel
> > > tree?  It should provide for this kind of notification, right?
> 
> It only does notification.  I believe Adrian's goals are to drop invalid
> syscall requests on the floor and return.
> 
> >  There is nothing wrong with the audit subsystem. The only problem that 
> > I have is the lack of system-call sandboxing in LSM.
> 
> We intentionally chose a lower level for interposition.  For purely
> disabling syscalls, was there a problem with Andrea's work?
> 
> thanks,
> -chris

Chris,
Last I checked, Andrea's patch has a fixed array of permitted syscalls. I 
would like more flexibility than that. Perhaps I should've based my work 
on his, and created a security_seccomp() call instead? Or maybe 
security_syscall_enter() and security_syscall_exit()?

(btw, Andrea's seccomp patch can be viewed at 
http://www.kernel.org/pub/linux/kernel/people/andrea/patches/v2.6/2.6.9-rc4/seccomp)

-Adrian


