Re: [PATCH] LSPP audit enablement: storing selinux ocontext and scontext
On 10/12/05, Klaus Weidner <klaus(a)atsec.com> wrote:
On Fri, Oct 07, 2005 at 01:24:13PM -0500, Dustin Kirkland wrote:
> I'm addressing Amy's concerns and attaching an updated patch with the
> editions discussed inline.
In an IRC discussion about IPC object audit today, Chris Wright mentioned
that he's concerned about multiple or missing records and also general
code aesthetics.
I'm not very familiar with the code, but I think it may be an option to
put the hooks in the *_checkid() and *get() functions instead of hooking
ipcperm(), those seem to be used more consistently. It would mean a
minimal slowdown in non-permission-checking calls as a tradeoff for
a cleaner interface, assuming that this would indeed get rid of
duplication.
Stephen-
I'm curious about your take on this... The code is hooked in
ipcperms() and near the DAC checks mainly because of a discussion on
the (then closed) LSPP list on/around May 19, 2005. Just wondering if
you have any objections.
Thanks,
:-Dustin