On Sat, Jan 08, 2005 at 08:57:34AM -0500, Steve Grubb wrote:
On Friday 07 January 2005 18:09, Serge E. Hallyn wrote:
> It would come from find_task_by_pid(pid)->audit_context->loginuid.
>
> But only if we need it, which is what I'm asking :)
>
> (LSPP seems to require it)
OK I see.
But then aren't we back to trusting task-pid is the same one that sent the
packet? What if task-pid exits immediately after sending the packet (and
before audit processes the message)? I think it has to be collected
af_netlink.c since netlink is asynchronous.
If the kernel can't reliably access the needed information, the audit
userspace message function must be modified to work synchronously, so
that the trusted program doesn't proceed until the kernel had a chance to
pick up the data. Keep in mind that only trusted processes can send these
messages, so it's okay to require them to follow certain rules.
It's definitely a CAPP and LSPP requirement to have the correct user
identity contained reliably in the audit record. Having it glued together
in userspace would be acceptable as long as it's transparent to the admin
and doesn't have problems with log file rollover etc.
-Klaus