On Thursday 30 March 2006 09:30, Stephen Smalley wrote:
> Not much value in displaying the SID, although we do it elsewhere as
> well (e.g. in the AVC) as a fallback - mapping it will then require a
> dump of kernel memory at that time. Likely have to call audit_panic in
> this scenario to meet the criteria, but the admin can always set
> audit_panic to not actually panic the machine.

I'll patch it to call audit_panic, but that is not the solution. For example,
suppose the syscall was to rename, sendfile, unlink, or link to a file...even
though we panic they were able to do the action. If it was to rename a file,
they can now access the file when it comes back up and not be audited. I
think that the correct course of action is to log the number and figure out
how to close the loop on mapping the sid to context post-mortem.

> BTW, you kfree(ctx) unconditionally above, so you better initialize it
> to NULL prior to calling selinux_ctxid_to_string(). len has the wrong
> type too (int vs. u32), but I think you can drop it altogether.

The called function initializes it. I'll add another init to NULL just in case
something it calls doesn't on error.
Thanks,
-Steve