--- Steve Grubb <sgrubb(a)redhat.com> wrote:

> On Monday 24 January 2005 11:29, Casey Schaufler wrote:
> > > Which capabilities?
> >
> > - The process capability set
> > - The set of capabilities that were actually required
>
> Both? The capabilities required should be cast in concrete and not
> configurable. Not sure what value this adds other than a convenience.

If I have 6 capabilities but only need one of them to perform an action,
the process list does not identify the policy that is being overridden.
If I need 2 capabilities but only have one, the one that I don't have
but needed needs to be pointed out. The capabilities required to perform
an action will not be set in concrete. For example, accessing /a/file
may require different capabilities depending on the mode of /a.

> In Linux you can be root and not able to add capabilities or lose
> capabilities since you gave up that capability. So, I'm not sure if
> this is useful in this situation.

You're probably right.

> > > Yes. The audit program has a format_type configuration option so
> > > these can be written. Send the patch to me or this mail list
> > > against the latest audit daemon code.
> >
> > Hum. I'll have to see what I can do.
>
> Just write a function similar to format_raw in lib/libaudit.c. Around
> line 199 in src/auditd-event.c is a switch statement & LF_RAW case.
> Just add another case to call your formatting function. The formatting
> function should malloc & write to a buffer that the caller will free
> later. That's all there is to it.

Thank you.

=====
Casey Schaufler
casey(a)schaufler-ca.com
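
As an added example (not code from the audit project or from either poster), here is a formatter in the shape the thread describes: it mallocs a buffer that the caller frees, and it records the capabilities held, the capabilities required, and the ones required but not held. The name `format_caps`, the `held=`/`required=`/`missing=` fields and the eight-entry name table are assumptions made for illustration; the real `format_raw` signature is not shown in the thread and is not used here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed subset of capability names, indexed by bit number. */
static const char *cap_names[] = { "chown", "dac_override", "dac_read_search",
                                   "fowner", "fsetid", "kill", "setgid", "setuid" };
#define NCAPS (sizeof(cap_names) / sizeof(cap_names[0]))

/* Bounded append: on truncation, stay at the terminator in buf[cap - 1]. */
static size_t append(char *buf, size_t cap, size_t len, const char *s)
{
    size_t n = (size_t)snprintf(buf + len, cap - len, "%s", s);
    return len + n < cap ? len + n : cap - 1;
}

/* Append label, then the names of the bits set in 'set' ("none" if empty). */
static size_t put_set(char *buf, size_t cap, size_t len, const char *label, uint32_t set)
{
    int first = 1;
    len = append(buf, cap, len, label);
    for (unsigned i = 0; i < NCAPS; i++) {
        if (!(set & (1u << i))) continue;
        len = append(buf, cap, len, first ? "" : ",");
        len = append(buf, cap, len, cap_names[i]);
        first = 0;
    }
    return first ? append(buf, cap, len, "none") : len;
}

/* Hypothetical formatter: returns a malloc'd record that the caller frees. */
char *format_caps(uint32_t held, uint32_t required)
{
    size_t cap = 512, len = 0;
    char *buf = malloc(cap);
    if (!buf) return NULL;
    len = put_set(buf, cap, len, "held=", held);
    len = put_set(buf, cap, len, " required=", required);
    put_set(buf, cap, len, " missing=", required & ~held);  /* needed but not held */
    return buf;
}

int main(void)
{
    char *a = format_caps(0x3f, 1u << 1);                   /* constructed: 6 held, 1 needed */
    char *b = format_caps(1u << 1, (1u << 1) | (1u << 3));  /* constructed: 1 held, 2 needed */
    if (a && b) printf("%s\n%s\n", a, b);
    free(a); free(b); return 0;
}
```

The two calls in `main` are the two cases from the message: with six held and one needed, `required=` names the single capability actually used, and with one held and two needed, `missing=` names the one that was absent.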