Serge Hallyn wrote:
> Perhaps we should print out current->cap_effective? Or is that
> overkill? Or perhaps an actual "security_identify_process(task, buf,
> len)" hook would be useful, where commoncap could print out the
> capabilities, and selinux could print out the context. Maybe that's
> closer to debug info...
This hook, and a similar security_identify_inode(...) hook, will be necessary
for an LSM to go through a LSPP evaluation. The label information is required
to be included in the audit record for all subjects/objects/information involved
in the event. I have a quick-and-dirty patch that implements this
functionality. Note that this patch uses pre-allocated 1K buffers (limits info
and sucks up a lot of memory). A proper memory allocation scheme needs to be
worked up and the patch probably needs to be rebased to newer code. I planned
on getting back to this in the near future. If someone else is working on this
functionality, please let me know, otherwise I can bump this up on my TODO list.
This patch also includes uid/gid/mode for filesystem objects. I felt that this
was a needed addition to determine the cause of filesystem related denials. Do
others agree with this addition to the records, and is there anything else that
we could possibly want?
--
Darrel
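As an added illustration (not code from the thread, the kernel, or Darrel's patch) of the hook shape discussed above: a userspace model of security_identify_process()/security_identify_inode() where a commoncap-style module prints the effective capability set and an SELinux-style module prints the context, and the inode record carries uid/gid/mode. The struct task/inode_info stand-ins, the security_ops dispatch table, the record_fits() helper and the snprintf-style "bytes needed" return convention are all assumptions made here; the convention is chosen so that a fixed 1K buffer of the kind described above makes truncated label information detectable rather than silent.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for task_struct and inode (assumptions): only the
 * fields the identify hooks need. Capabilities are modelled as a 64-bit mask. */
struct task {
    int pid;
    unsigned int uid;
    uint64_t cap_effective;
    const char *secctx;     /* subject label, e.g. an SELinux context, or NULL */
};

struct inode_info {
    unsigned long ino;
    unsigned int uid, gid;
    unsigned int mode;      /* st_mode-style permission bits */
    const char *secctx;     /* object label, or NULL */
};

/* Hypothetical per-module operations, modelled on the hook names proposed in
 * the thread. Convention (an assumption): each returns the byte count the full
 * text needs, snprintf-style, so callers can detect truncation. */
struct security_ops {
    const char *name;
    int (*identify_process)(const struct task *t, char *buf, size_t len);
    int (*identify_inode)(const struct inode_info *i, char *buf, size_t len);
};

/* commoncap: the subject is identified by its effective capability set. */
static int cap_identify_process(const struct task *t, char *buf, size_t len)
{
    return snprintf(buf, len, " cap_effective=%016llx",
                    (unsigned long long)t->cap_effective);
}

/* commoncap has no per-object label; contribute nothing. */
static int cap_identify_inode(const struct inode_info *i, char *buf, size_t len)
{
    (void)i;
    return snprintf(buf, len, "%s", "");
}

/* selinux: subject and object are identified by their security contexts. */
static int se_identify_process(const struct task *t, char *buf, size_t len)
{
    return snprintf(buf, len, " subj=%s", t->secctx ? t->secctx : "unlabeled");
}

static int se_identify_inode(const struct inode_info *i, char *buf, size_t len)
{
    return snprintf(buf, len, " obj=%s", i->secctx ? i->secctx : "unlabeled");
}

const struct security_ops commoncap_ops = { "capability", cap_identify_process, cap_identify_inode };
const struct security_ops selinux_ops   = { "selinux",    se_identify_process,  se_identify_inode };

/* Given a prefix's snprintf return value n, return how far into buf it
 * actually wrote, so the next writer appends without overrunning len. */
static size_t advance(size_t n, size_t len)
{
    if (len == 0) return 0;
    return n < len ? n : len - 1;
}

/* security_identify_process(task, buf, len): DAC identity first, then the
 * active module's label. A return value >= len means the record was cut off. */
int security_identify_process(const struct security_ops *ops,
                              const struct task *t, char *buf, size_t len)
{
    int n = snprintf(buf, len, "pid=%d uid=%u", t->pid, t->uid);
    if (n < 0) return n;
    size_t used = advance((size_t)n, len);
    int m = ops->identify_process(t, buf + used, len - used);
    return m < 0 ? m : n + m;
}

/* security_identify_inode(inode, buf, len): uid/gid/mode of the object (the
 * addition discussed in the thread) plus the module's object label. */
int security_identify_inode(const struct security_ops *ops,
                            const struct inode_info *i, char *buf, size_t len)
{
    int n = snprintf(buf, len, "ino=%lu uid=%u gid=%u mode=%04o",
                     i->ino, i->uid, i->gid, i->mode & 07777);
    if (n < 0) return n;
    size_t used = advance((size_t)n, len);
    int m = ops->identify_inode(i, buf + used, len - used);
    return m < 0 ? m : n + m;
}

/* 1 = the whole record fit in the buffer, 0 = it was truncated at len-1 bytes. */
int record_fits(int needed, size_t len)
{
    return needed >= 0 && (size_t)needed < len;
}

int main(void)
{
    char buf[64];   /* deliberately small, to show the truncation signal */
    struct task t = { 1234, 1000, 0x3fffffffffULL, "user_u:user_r:user_t" };
    struct inode_info f = { 42, 0, 0, 0100644, "system_u:object_r:etc_t" };

    int n = security_identify_process(&selinux_ops, &t, buf, sizeof buf);
    printf("%s (needed %d, fits=%d)\n", buf, n, record_fits(n, sizeof buf));
    n = security_identify_inode(&selinux_ops, &f, buf, sizeof buf);
    printf("%s (needed %d, fits=%d)\n", buf, n, record_fits(n, sizeof buf));
    n = security_identify_process(&commoncap_ops, &t, buf, 16);
    printf("%s (needed %d, fits=%d)\n", buf, n, record_fits(n, 16));
    return 0;
}
```

The third call in main() passes a 16-byte buffer on purpose: the common prefix alone needs 17 bytes, so the capability part never reaches the buffer, and the returned 48 against a length of 16 is the caller's signal that the audit fragment lost label data. With a fixed-size buffer scheme, checking that return value is what keeps a denial record from silently omitting the subject's capabilities or context.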