On Tue, Mar 05, 2013 at 10:44:35PM -0800, Tyler Hicks wrote:
> +     *allowed = mask & (allow & ~deny) ? 1 : 0;
> +     if (!(*allowed))
> +             audit = 0xFFFFFFFF;
> +     *audited = mask & (audit & ~quiet) ? 1 : 0;
> +
> +     return 0;
> +}
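
Review bot: The test `mask & (allow & ~deny) ? 1 : 0` sets *allowed as soon as any one requested bit is permitted, so if mask can carry more than one permission bit, a request that is only partly permitted is reported as allowed; comparing against the full mask, for example `(mask & allow & ~deny) == mask`, would avoid that. Separately, `audit = 0xFFFFFFFF` in the denial branch overwrites the audit bits that came from policy, so *audited alone no longer tells the caller whether the report was asked for by policy or is the default denial report. Keeping the policy audit result in its own out-parameter, or leaving audit untouched and letting the caller decide what to do on denial, would keep the two cases distinguishable.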

When I first saw this, I thought it through, and it made sense.

But it kept me awake last night, wondering about it.

It conflates the two concepts of "report this denial as usual" and "the
admin has written policy asking for this to be reported".

So long as everything is reported, the right thing happens in the end.
But I could easily see a trusted program wanting to rate limit the
"usual denials" to one per {client, method} per second. But if the
admin has asked specific resource denials to be audited, perhaps it
ought to log on every attempt, regardless of rate limiting?

Am I just overcomplicating things?

Thanks
