#ifdef CONFIG_NF_CONNTRACK_SECMARK
if (skb->secmark)
audit_log_secctx(ab,skb->secmark);
#endif
Thus, discarding the result (rc), unless we are interested in the error
code, which I don't think is the case here. Would everyone be happy
with
this?
Actually just make it a
Right, so the function you suggested yesterday (audit_log_secctx) should be
added in audit.c in its entirety, and xt_AUDIT.c should just have something
like:
#ifdef CONFIG_NF_CONNTRACK_SECMARK
if (skb->secmark)
audit_log_secctx(ab,skb->secmark);
#endif
Thus, discarding the resu
On Thu, Jun 9, 2011 at 10:08 AM, Mr Dash Four
wrote:
>
>>> Just to make sure, so the conclusion is that the patch is fine as
>>> it is and anything related to unconvertible secids will be handled
>>> by SELinux internally?
>>>
>>>
>>
>> No. This patch does not get my ACK. Steve is right that sil
Just to make sure, so the conclusion is that the patch is fine as
it is and anything related to unconvertible secids will be handled
by SELinux internally?
No. This patch does not get my ACK. Steve is right that silently
dropping information is a big big no no for the audit system and
On Thu, Jun 9, 2011 at 8:28 AM, Patrick McHardy wrote:
> On 08.06.2011 21:39, Eric Paris wrote:
>> On Wed, Jun 8, 2011 at 3:28 PM, Steve Grubb wrote:
>>> On Wednesday, June 08, 2011 03:08:38 PM Eric Paris wrote:
On Wed, Jun 8, 2011 at 3:00 PM, Mr Dash Four
wrote:
>> int audit_
On Wed, Jun 8, 2011 at 3:28 PM, Steve Grubb wrote:
> On Wednesday, June 08, 2011 03:08:38 PM Eric Paris wrote:
>> On Wed, Jun 8, 2011 at 3:00 PM, Mr Dash Four
>>
>> wrote:
>> >> int audit_log_secctx(struct auditbuffer *ab, u32 secid)
>> >> {
>> >> int len, rc;
>> >> char *ctx;
>> >>
>> >>
On Wednesday, June 08, 2011 03:08:38 PM Eric Paris wrote:
> On Wed, Jun 8, 2011 at 3:00 PM, Mr Dash Four
>
> wrote:
> >> int audit_log_secctx(struct auditbuffer *ab, u32 secid)
> >> {
> >>int len, rc;
> >>char *ctx;
> >>
> >>rc = security_secid_to_secctx(sid, &ctx, &len);
> >>if
The LSM might report and error. It's up to the caller to figure out
how to deal with that error. In this case we want to use the audit
system so it's up to the audit system how to handle that error. This
helper function says the audit system should log it if it work and
should audit_panic() i
On Wed, Jun 8, 2011 at 3:00 PM, Mr Dash Four
wrote:
>
>> int audit_log_secctx(struct auditbuffer *ab, u32 secid)
>> {
>> int len, rc;
>> char *ctx;
>>
>> rc = security_secid_to_secctx(sid, &ctx, &len);
>> if (rc) {
>> audit_panic("Cannot convert secid to context");
>> } else
int audit_log_secctx(struct auditbuffer *ab, u32 secid)
{
int len, rc;
char *ctx;
rc = security_secid_to_secctx(sid, &ctx, &len);
if (rc) {
audit_panic("Cannot convert secid to context");
} else {
audit_log_format(ab, " subj=%s", ctx);
securit
how is this error preserved in the audit trail?
Look at my patch again - if the secctx cannot be retrieved, either
because a) it does not exists; or b) because of internal error or
otherwise, then it is not logged in the audit log as part of the
NETFILTER_PKT message (the fact there is int
On Wednesday, June 08, 2011 02:13:18 PM Casey Schaufler wrote:
> On 6/8/2011 7:49 AM, Steve Grubb wrote:
> > On Tuesday, June 07, 2011 06:32:35 AM Mr Dash Four wrote:
> >> Add SELinux context support to AUDIT target - 3rd revision (style-type
> >> changes made *only* since 2nd revision of this patc
On Wed, Jun 8, 2011 at 2:13 PM, Casey Schaufler wrote:
> On 6/8/2011 7:49 AM, Steve Grubb wrote:
>> On Tuesday, June 07, 2011 06:32:35 AM Mr Dash Four wrote:
>>> Add SELinux context support to AUDIT target - 3rd revision (style-type
>>> changes made *only* since 2nd revision of this patch). Typica
On 6/8/2011 7:49 AM, Steve Grubb wrote:
> On Tuesday, June 07, 2011 06:32:35 AM Mr Dash Four wrote:
>> Add SELinux context support to AUDIT target - 3rd revision (style-type
>> changes made *only* since 2nd revision of this patch). Typical (raw
>> auditd) output after applying this patch would be:
It doesn't matter if its private. If its important enough to log to the audit system,
we can't let something like this slide.
Oh, yes it does! For you may be it doesn't, but that doesn't necessarily
mean that applies to everyone else.
Besides, this numerical representation isn't reliable
On Wednesday, June 08, 2011 12:12:39 PM Mr Dash Four wrote:
> Mr Dash Four wrote:
> > Logging the internal numerical representation of secctx is, as I have
> > already stated about 3 times by now, exposing internal
> > (private-to-the-kernel-only) information to userspace. That cannot be
> > allowe
Mr Dash Four wrote:
Logging the internal numerical representation of secctx is, as I have
already stated about 3 times by now, exposing internal
(private-to-the-kernel-only) information to userspace. That cannot be
allowed.
Besides, this numerical representation isn't reliable - these numb
On Tuesday, June 07, 2011 06:32:35 AM Mr Dash Four wrote:
> Add SELinux context support to AUDIT target - 3rd revision (style-type
> changes made *only* since 2nd revision of this patch). Typical (raw
> auditd) output after applying this patch would be:
> @@ -163,6 +170,15 @@ audit_tg(struct sk
Add SELinux context support to AUDIT target - 3rd revision (style-type changes
made *only* since 2nd revision of this patch). Typical (raw auditd) output
after applying this patch would be:
type=NETFILTER_PKT msg=audit(1305852240.082:31012): action=0 hook=1 len=52
inif=? outif=eth0 saddr=10.1.1
19 matches
Mail list logo
