Alexander Viro wrote: [Tue Mar 13 2007, 03:39:09PM EDT]
On Tue, Mar 13, 2007 at 03:00:46PM -0400, Amy Griffis wrote:
> > + if (sid)
> > + selinux_sid_to_string(sid, &context->obj_ctx, &len);
> > +}
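Review bot: the return value of selinux_sid_to_string() is ignored in the quoted hunk, so a failed conversion leaves context->obj_ctx holding whatever it held before and the exit path cannot distinguish "no context" from "conversion failed"; suggest checking the result, e.g. `if (selinux_sid_to_string(sid, &context->obj_ctx, &len)) context->obj_ctx = NULL;`. Since the string is handed to context->obj_ctx at collection time rather than in audit_log_exit, it also needs to be released wherever the audit context is torn down, and `len` is not used in the visible lines, so either it is consumed later or it can be dropped.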
>
> Why did you choose to do the sid to string conversion at collection
> time, rather than waiting for audit_log_exit?
Narrower window for sid_to_context to change...
Okay, I hadn't thought of that. But is it really more of a problem for
processes than for ipc or inodes? It's true that processes can change
their context, but that would change the sid, and we've already
collected that data. The sid-to-context-string mapping will only
change on policy load. I see the argument for narrowing the window,
but I'd like to see audit pick one way and stick to it.
Amy
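The trade-off being argued over here, as an added illustration in C that is not code from the audit patch or from the kernel: a toy sid-to-context table stands in for the SELinux policy and is swapped wholesale by a simulated policy load. Converting at collection time pins the context string in force when the object was touched; deferring the conversion to the exit/log path reports whatever the policy says at that later moment. Every name below (toy_*, policy_v1, policy_v2) is invented for the example.

```c
/* Added illustration of collection-time vs exit-time sid-to-string
 * conversion. Not kernel code: toy_sid_to_string() stands in for
 * selinux_sid_to_string(), toy_audit_ctx for the per-syscall audit
 * context, and the policy_v* tables for a loaded SELinux policy. */
#include <stdio.h>
#include <string.h>

#define TOY_CTX_LEN 64
#define TOY_NSIDS   3

/* Two hypothetical policies; sid 2 maps to a different type in each. */
static const char *const policy_v1[TOY_NSIDS] = {
    "unlabeled", "system_u:object_r:etc_t", "system_u:object_r:tmp_t" };
static const char *const policy_v2[TOY_NSIDS] = {
    "unlabeled", "system_u:object_r:etc_t", "system_u:object_r:var_t" };
static const char *const *active_policy = policy_v1;

/* Stand-in for selinux_sid_to_string(): copies the string for sid into
 * buf, returns 0 on success or -1 if the sid is unknown to the policy. */
static int toy_sid_to_string(unsigned int sid, char *buf, size_t buflen)
{
    if (sid >= TOY_NSIDS)
        return -1;
    snprintf(buf, buflen, "%s", active_policy[sid]);
    return 0;
}

/* Stand-in for the per-syscall audit context. */
struct toy_audit_ctx {
    unsigned int obj_sid;        /* always captured at collection time */
    char obj_ctx[TOY_CTX_LEN];   /* filled eagerly or at exit */
    int ctx_collected;           /* 1 once obj_ctx holds a valid string */
};

/* Simulated policy load: the sid-to-string mapping changes here. */
static void toy_policy_load(const char *const *newpol)
{
    active_policy = newpol;
}

/* Collection time, as in the quoted hunk: convert sid to string now. */
static void toy_collect_eager(struct toy_audit_ctx *c, unsigned int sid)
{
    c->obj_sid = sid;
    c->ctx_collected =
        (toy_sid_to_string(sid, c->obj_ctx, sizeof c->obj_ctx) == 0);
}

/* The alternative Amy asks about: keep only the sid, convert at exit. */
static void toy_collect_lazy(struct toy_audit_ctx *c, unsigned int sid)
{
    c->obj_sid = sid;
    c->ctx_collected = 0;
}

/* Exit/log path: use the stored string if present, else convert now. */
static const char *toy_log_exit(struct toy_audit_ctx *c)
{
    if (!c->ctx_collected &&
        toy_sid_to_string(c->obj_sid, c->obj_ctx, sizeof c->obj_ctx) != 0)
        return "?";
    return c->obj_ctx;
}

/* One syscall with a policy load inside the window. Returns 1 when the
 * logged string equals what the policy said at collection time. */
static int toy_record_matches_collection(int eager)
{
    struct toy_audit_ctx c;
    char at_collection[TOY_CTX_LEN];

    active_policy = policy_v1;
    toy_sid_to_string(2, at_collection, sizeof at_collection);
    if (eager)
        toy_collect_eager(&c, 2);
    else
        toy_collect_lazy(&c, 2);
    toy_policy_load(policy_v2);  /* the window Al refers to */
    return strcmp(toy_log_exit(&c), at_collection) == 0;
}

int main(void)
{
    printf("eager conversion: %s\n",
           toy_record_matches_collection(1) ? "matches" : "differs");
    printf("exit-time conversion: %s\n",
           toy_record_matches_collection(0) ? "matches" : "differs");
    return 0;
}
```

With a policy load in the window, the eager path logs the string that was current when the object was collected and the deferred path logs the string from the newly loaded policy; whichever way audit settles on, the point in Amy's reply stands that the same choice should apply to processes, IPC and inodes alike.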