On 2022/09/09 7:56, Casey Schaufler wrote:
> Good idea. I'm reading the official how-to-write-a-syscall documentation.
Can't we use prctl() syscall? We can assign an LSM ID when an (built-in or
loadable) LSM is loaded, and pass that LSM ID as one of the arguments for
prctl().
Since we have security_task_prctl(option, arg2, arg3, arg4, arg5) inside
prctl(), an LSM which was assigned that LSM ID upon load checks arguments
(including PID argument).
That will be something like ioctl() without open("/proc/pid/*/attr/*").
--
Linux-audit mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/linux-audit