
Re: [PATCH] LSM hooks for audit: msg#00043

linux.kernel.lsm

Subject: Re: [PATCH] LSM hooks for audit

Serge Hallyn wrote:

> Sorry, on a second look I notice the descriptions in security.h are far
> less helpful than I'd thought!
>
> The new hooks allow an LSM to refuse a process the ability to:
>
> - view a list of audit rules
> - add to the list of audit rules
> - delete an audit rule
> - set audit parameters (ie enable/disable audit, rate limit, etc)
> - create a 'login' audit record.
>
> The last one is the most dubious one in my mind, but we do want to
> prevent a user from sending fake login audit messages, either to mislead
> the auditor or to fill the log with garbage.

Thanks for the description.

> Note that the audit code (kernel/audit.c and kernel/auditsc.c) is in the
> kernel now. This patch only allows LSMs to restrict processes'
> interaction with the audit subsystem. At the moment, some of this
> interaction depends upon CAP_SYS_ADMIN, and some (like listing the audit
> rules) is always allowed.

Ok. It took me a while to track down the audit code in question: if one googles for "linux audit" one gets a lot of diverse hits, and this one has few discerning names. I assume that this is the one you are referring to: http://people.redhat.com/faith/audit/readme.txt

So from what I've read, it seems that the above hooks are audit-specific, but only with respect to Rik Faith's audit patch that is now in the mainline kernel. IMHO, hooks that are audit-specific to a *module* would be fugly, but that is not the case here; these hooks are just specific to the new audit capabilities of the kernel. I.e. they are hooking the audit facility in exactly the same way that other hooks mediate e.g. inode access.

So I'm ok with the architecture of this patch.

Thanks,
Crispin

--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
CTO, Immunix http://immunix.com
