IPC hooks [Re: Another slab size-32 leak 2.6.16-rc4-mm2]

On Tue, Mar 07, 2006 at 08:55:46AM -0500, Stephen Smalley wrote: The "FSP mapping" document used for Linux CAPP evaluations classifies syscalls as security relevant or not. The evaluator used it as one of the inputs to determine if test coverage (including audit) was complete. The published ones I'm aware of are the following for RHEL3 and SLES9, maybe someone could publish newer ones? (hint, hint): http://www.ibm.com/developerworks/library/os-ltc-security/ ftp://www6.software.ibm.com/software/developer/library/os-ltc-security/sl... ftp://www6.software.ibm.com/software/developer/library/os-ltc-security/RH... It doesn't specifically examine sub-operations of syscalls separately, such as SHM_LOCK, so it may not be sufficient in this case. CAPP obviously didn't care about labels, and the syscall itself was always audited. So I guess this would need some case by case analysis :-( It would be preferable to have a central point that guarantees that the audit record will always be complete. This gets us back to the discussion in October that Amy already referred to. I had mentioned the *_checkid() and *get() functions which looked like promising candidates for hooks since they always need to be called before doing something to an object: https://www.redhat.com/archives/linux-audit/2005-October/msg00041.html I don't know the code well enough to know if that works or would have bad side effects, any comments? -Klaus