1:10 p.m.
Based on earlier discussion, we have a few options:
1. hack netlink to send loginuid along with credentials
2. Get the loginuid from the task struct by pid at audit_receive_msg
(), and require the programs sending AUDIT_USER messages to make sure
that the process does not exit until a reply has been received.
3. Have the user-space programs send loginuid (as received
from /proc/$$/loginuid) in the actual AUDIT_USER message.
Do we have a preference? (1) is the most invasive, and would require
going through netdev, but seems the cleanest to me. On the other hand,
we could just say we're going with (3) as a way to put off having to
make a decision...
thanks,
-serge
--
Serge Hallyn <serue(a)us.ibm.com>
noon
On Fri, 2005-01-14 at 13:10 -0600, Serge Hallyn wrote:
Do we have a preference? (1) is the most invasive, and would
require
going through netdev, but seems the cleanest to me. On the other hand,
we could just say we're going with (3) as a way to put off having to
make a decision...
Am I right in thinking that option 1 is the only one which guarantees
that the loginuid is correct, and not taken from a later task which
happens to have the same pid? That narrows the field of acceptable
options a little.
Do we have to hack netlink though? Can't we include the loginuid in the
messages we send via netlink instead? Or was that what you meant by
option 3?
--
dwmw2
12:02 p.m.
* Serge Hallyn (serue(a)us.ibm.com) wrote:
Based on earlier discussion, we have a few options:
1. hack netlink to send loginuid along with credentials
2. Get the loginuid from the task struct by pid at audit_receive_msg
(), and require the programs sending AUDIT_USER messages to make sure
that the process does not exit until a reply has been received.
3. Have the user-space programs send loginuid (as received
from /proc/$$/loginuid) in the actual AUDIT_USER message.
Do we have a preference? (1) is the most invasive, and would require
going through netdev, but seems the cleanest to me. On the other hand,
we could just say we're going with (3) as a way to put off having to
make a decision...
Makes most sense to have kernel send it, otherwise it's a less trusted
value (i.e. 3 sounds a bit sketchy). Whether it's done in credentials
or in payload...dunno.
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
12:04 p.m.
On Fri, 2005-01-14 at 14:10, Serge Hallyn wrote:
Based on earlier discussion, we have a few options:
1. hack netlink to send loginuid along with credentials
2. Get the loginuid from the task struct by pid at audit_receive_msg
(), and require the programs sending AUDIT_USER messages to make sure
that the process does not exit until a reply has been received.
3. Have the user-space programs send loginuid (as received
from /proc/$$/loginuid) in the actual AUDIT_USER message.
Do we have a preference? (1) is the most invasive, and would require
going through netdev, but seems the cleanest to me. On the other hand,
we could just say we're going with (3) as a way to put off having to
make a decision...
Adding a loginuid to the netlink_skb_parms seems best, and doesn't
require lifecycle management (unlike adding a generic security field).
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency
7328
days inactive
7328
days old
linux-audit@lists.linux-audit.osci.io
3 comments
4 participants
participants (4)
-
Chris Wright -
David Woodhouse -
Serge Hallyn -
Stephen Smalley