On Thu, 2006-02-09 at 10:13 -0600, Timothy R. Chavez wrote:
> You also need to verify the policy serial number.
Ah, thanks.
Not clear actually - the context structs and integer index values for
the components need to be tagged with a policy serial number if exported
outside of the security server, but the SID itself remains stable across
policy reloads; only the context struct contents are remapped. If
invalidated, subsequent lookup of the SID will be remapped to the
unlabeled SID's context.
I think it'd be the simplest solution, but I was a bit wary about
adding a string param... I thought using an integer might be the path of
least resistance :)
Yes, a SID makes sense here and avoids the allocation/lifecycle pain of
strings or generic security blobs.
Actually, security_task_getsid() does exist (or did exist last time I
updated the viro/audit-2.6 git tree).
It doesn't do what you think it does. Look at the inline documentation
for it in security.h.
--
Stephen Smalley
National Security Agency
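
The distinction drawn above between a stable SID and a context struct that must carry a policy serial number, as an added user-space illustration (not code from this thread or from the SELinux sources). All struct, function and type names are hypothetical, and the two policies are constructed sample data.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model, not kernel code; every name here is hypothetical. */
#define SID_UNLABELED 1u
#define MAX_SIDS 4u
struct ctx { int type_idx; };          /* index into the loaded policy's type table */
struct policy { unsigned seqno; int ntypes; const char *types[3]; };
struct sidtab { struct ctx ctx[MAX_SIDS]; int valid[MAX_SIDS]; };
struct exported_ctx { unsigned seqno; struct ctx ctx; };  /* copy held outside the server */
/* Constructed sample policies: the reload reorders types and drops legacy_t. */
static const struct policy P1 = { 1, 3, { "unlabeled_t", "httpd_t", "legacy_t" } };
static const struct policy P2 = { 2, 2, { "httpd_t", "unlabeled_t" } };

static int type_index(const struct policy *p, const char *name) {
    for (int i = 0; i < p->ntypes; i++)
        if (strcmp(p->types[i], name) == 0) return i;
    return -1;
}

/* Policy reload: SID values are untouched; only context contents are remapped. */
static void reload(struct sidtab *t, const struct policy *oldp, const struct policy *newp) {
    for (unsigned sid = 1; sid < MAX_SIDS; sid++) {
        if (!t->valid[sid]) continue;
        int idx = type_index(newp, oldp->types[t->ctx[sid].type_idx]);
        if (idx < 0) t->valid[sid] = 0;   /* context invalid under the new policy */
        else t->ctx[sid].type_idx = idx;
    }
}

/* SID lookup: an invalidated SID resolves to the unlabeled SID's context. */
static const struct ctx *sid_lookup(const struct sidtab *t, unsigned sid) {
    if (sid >= MAX_SIDS || !t->valid[sid]) sid = SID_UNLABELED;
    return &t->ctx[sid];
}

/* An exported context struct is only usable under the policy that produced it. */
static int exported_ok(const struct exported_ctx *e, const struct policy *cur) { return e->seqno == cur->seqno; }

/* Type name a SID resolves to after reloading from P1 to P2. */
static const char *type_after_reload(unsigned sid) {
    struct sidtab t = { { {0}, {0}, {1}, {2} }, { 0, 1, 1, 1 } };
    reload(&t, &P1, &P2);
    return P2.types[sid_lookup(&t, sid)->type_idx];
}

int main(void) {
    struct exported_ctx stale = { P1.seqno, { 1 } };  /* index 1 is httpd_t in P1 but unlabeled_t in P2 */
    printf("sid 2 -> %s, sid 3 -> %s, stale export ok: %d\n", type_after_reload(2), type_after_reload(3), exported_ok(&stale, &P2));
}
```

A holder of SID 2 needs no serial number because the lookup always goes through the remapped table, while the holder of the raw index has to compare serial numbers before trusting it.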