Hmm, I don't see where I ever replied to this, sorry.
My first attempt had used LSM hooks. I thought there had been actual
requests to move from lsm hooks to capable(), but now I can't find that,
so maybe there never were such requests.
Are you considering posting a patch to convert the CAP_AUDIT_* checks
with lsm hooks? The other audit actions can still be distinguished
(though not as nicely) through selinux_netlink_send, but as you say, not
setting and reading loginuid, which I think could only be done through
policy at the moment.
-serge
On Tue, 2005-01-11 at 17:48 -0600, Darrel Goeddel wrote:
> Serge Hallyn wrote:
> > Attached is a first stab at setting loginuid through /proc/$$/loginuid.
> > Compiled and tested here.
> >
> I would recommend replacing the capable(CAP_AUDIT_CONTROL) call in
> proc_loginuid_write with a LSM hook - possibly security_audit_set_loginid(...).
> I do not think we even need the check in proc_loginuid_read. I previously
> stated that the level of responsibility implied by setting the login id lies
> somewhere between writing an audit message and controlling the audit system. My
> intention was to further segregate the operations through SELinux. Since this
> is no longer a netlink message, SELinux cannot distinguish the setting of a
> loginid from the other audit control operations. In fact, it would be nice to
> see all of the audit code not using capable at all, but rather using meaningful
> LSM hooks that result in capable() calls in the dummy and capabilities module
> (this would include the previous patch for audit.c and friends - sorry for not
> thinking of this earlier). This will allow LSMs to implement fine-grained
> control over the configuration of the audit subsystem that cannot be achieved
> through the use of capable() - without adding a few more capabilities that is,
> but there is only one left :)
--
Serge Hallyn <serue(a)us.ibm.com>
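As an added illustration of the capable()-versus-LSM-hook point made in the thread (not code from the thread or from the kernel): a small userspace C model in which the dummy module collapses both hooks to capable(CAP_AUDIT_CONTROL), while a policy module can separate setting loginuid from controlling the audit system. The hook names, the task/domain labels and the policy rules are constructed assumptions.

```c
#include <errno.h>
#include <stdbool.h>
#include <string.h>

/* Constructed capability bit numbers; only the distinction matters here. */
enum { CAP_AUDIT_WRITE = 29, CAP_AUDIT_CONTROL = 30 };
/* A task as the model sees it: its capability set and a policy label standing
 * in for an SELinux domain (labels are constructed). */
struct task { unsigned long caps; const char *label; };

static bool capable(const struct task *t, int cap) { return (t->caps >> cap) & 1UL; }
/* Hook table in the style of struct security_operations; the hook names are
 * hypothetical, following the suggestion in the thread. */
struct security_ops {
	int (*audit_set_loginuid)(const struct task *t);
	int (*audit_control)(const struct task *t);
};

/* Dummy/capability module: both hooks reduce to capable(CAP_AUDIT_CONTROL), so
 * setting loginuid and reconfiguring audit cannot be told apart. */
static int dummy_audit_check(const struct task *t)
{
	return capable(t, CAP_AUDIT_CONTROL) ? 0 : -EPERM;
}
static const struct security_ops dummy_ops = { dummy_audit_check, dummy_audit_check };
/* Fine-grained module: the capability is still required, but a per-domain
 * policy decides which of the two operations the domain may perform. */
static int policy_set_loginuid(const struct task *t)
{
	if (!capable(t, CAP_AUDIT_CONTROL)) return -EPERM;
	return (!strcmp(t->label, "login_t") || !strcmp(t->label, "auditctl_t")) ? 0 : -EPERM;
}
static int policy_audit_control(const struct task *t)
{
	if (!capable(t, CAP_AUDIT_CONTROL)) return -EPERM;
	return !strcmp(t->label, "auditctl_t") ? 0 : -EPERM;
}
static const struct security_ops policy_ops = { policy_set_loginuid, policy_audit_control };

/* What proc_loginuid_write would call in place of capable() directly. */
static int proc_loginuid_write_check(const struct security_ops *ops, const struct task *t)
{
	return ops->audit_set_loginuid(t);
}

/* Constructed sample tasks: a login program and a user shell, both holding
 * CAP_AUDIT_CONTROL; only the policy module separates them. */
static const struct task login_task = { 1UL << CAP_AUDIT_CONTROL, "login_t" };
static const struct task user_task  = { 1UL << CAP_AUDIT_CONTROL, "user_t" };
```

With the dummy module every holder of CAP_AUDIT_CONTROL passes both checks; with the policy module a login_t task may set loginuid but is refused audit control, which is the distinction capable() alone cannot express.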