Re: [PATCH] LSM hooks for audit: msg#00037

linux.kernel.lsm

Subject: Re: [PATCH] LSM hooks for audit

On Wed, 2004-09-15 at 09:59, Serge Hallyn wrote:
> Attached is a patch which provides LSM controls over actions related to
> the new audit framework. As a specific example, we might like to have
> an "audit role", enabled by selinux or some other LSM, which would be
> the only role allowed to add or delete filter rules.
>
> What do people think about adding these hooks, both in general and these
> hooks specifically?

In general: good idea. Specifically:

case AUDIT_SET:
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
+ err = security_audit_set(status_get->mask);
+ if (err)
+ return err;
status_get = (struct audit_status *)data;
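Review bot: security_audit_set(status_get->mask) in this hunk dereferences status_get one line before `status_get = (struct audit_status *)data;` assigns it, so the hook is handed whatever the pointer held beforehand rather than the mask the caller sent. Move the assignment above the hook call, and guard the cast with a check that the received data is at least sizeof(struct audit_status) bytes long before either the hook or the existing code reads through it. Note also that the capable(CAP_SYS_ADMIN) test is removed outright rather than kept alongside the new hook, so the behaviour when no LSM is loaded must come from the hook's default implementation, which is not part of this hunk.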

Hook is called _before_ setting of status_get? And what checks that the
data length is at least sizeof(struct audit_status)? Looks like the
existing code is assuming that the caller didn't send a short message.

@@ -364,8 +365,9 @@ static int audit_receive_msg(struct sk_b
audit_log_end(ab);
break;
case AUDIT_LOGIN:
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
+ err = security_audit_login();
+ if (err)
+ return err;
login = (struct audit_login *)data;
ab = audit_log_start(NULL);
if (ab) {
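Review bot: security_audit_login() takes no arguments and runs before `login = (struct audit_login *)data;`, so the hook cannot base its decision on the login record being submitted. Suggest extracting login first, after verifying the data is at least sizeof(struct audit_login) long, and passing it to the hook, e.g. `err = security_audit_login(login);`. As in the AUDIT_SET hunk, dropping the capable(CAP_SYS_ADMIN) check entirely means the equivalent default must be supplied by the hook's fallback implementation, which this hunk does not show.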

Why not call the hook after extracting the data (and again, checking the
length) and pass the audit_login info to the hook?

I would also suggest a hook on AUDIT_USER.

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
