On Friday 21 January 2005 10:50, Serge Hallyn wrote:
Perhaps we should print out current->cap_effective? Or is that
overkill? Or perhaps an actual "security_identify_process(task, buf,
len)" hook would be useful, where commoncap could print out the
capabilities, and selinux could print out the context. Maybe that's
closer to debug info...
Based on previous discussions, I think this would be required for LSPP. If we
are going for LSPP after meeting CAPP, it wouldn't be bad to start getting
some things in place.
It sounds like he's worried about the 7 line audit_log_format line he
has, but I think that's all good info.
I think I'd like to make a change to the way that the kernel sends netlink
packets. It would be far more efficient for log_end to send multiple records
in 1 packet instead of 7 separate packets. Especially if the admin has
configured for full sync writing.
Are we satisfied with saying that 'mount' could be modified in
userspace to do the right thing in recreating watch entries?
I don't think we can/should touch mount.
Perhaps we could even use inotify + a userspace daemon for the mkdir
/etc case, to create new audit entries based on some config file.
The audit daemon could be made to handle this. We just select on 2 different
descriptors & process accordingly. That is, if we need to do this...
-Steve