On 5/5/06, Linda Knippers <[EMAIL PROTECTED]> wrote:
> The following patch addresses most of the issues with the IPC_SET_PERM records as described in: https://www.redhat.com/archives/linux-audit/2006-May/msg00010.html
Hi Linda- I apologize for the delay in my response. I'm pretty much permanently away from Audit-related work, and just now got a chance to respond to this. First, let me point you to a thread wherein I explained why I made the audit ipc changes that I did (in case you missed it the first time around). It starts here: https://www.redhat.com/archives/linux-audit/2006-March/msg00088.html That said, thanks for testing some of this out more thoroughly and posting your findings.
> To summarize, I made the following changes:
>
> 1. Changed sys_msgctl() and semctl_down() so that an IPC_SET_PERM record is emitted in the failure case as well as the success case. This matches the behavior in sys_shmctl(). I could simplify the code in sys_msgctl() and semctl_down() slightly but it would mean that in some error cases we could get an IPC_SET_PERM record without an IPC record and that seemed odd.
I think this is ok.
> 2. No change to the IPC record type, given no feedback on the backward compatibility question.
I'm not one to speak authoritatively about compatibility issues... But I do prefer the more descriptive AUDIT_IPC_SET_PERM type, as it more accurately explains what the record is. Someone might complain at some point about changing the record type, but there will be considerably more invasive API changes elsewhere between the 2.6.5 and the 2.6.16 kernels (and the RHEL4/RHEL5 kernels).
> 3. Removed the qbytes field from the IPC record. It wasn't being set and when audit_ipc_obj() is called from ipcperms(), the information isn't available. If we want the information in the IPC record, more extensive changes will be necessary. Since it only applies to message queues and it isn't really permission related, it doesn't seem worth it.
I agree with you here. However, I resisted the urge to remove the qbytes field when I reworked the ipc audit code as I did not know __why__ this was being saved. I assumed this was required by CAPP for one reason or another. I personally don't find it a very interesting field to capture. But I encourage you to review this with Klaus (or another of the CAPP/LSPP experts).
> 4. Removed the obj field from the IPC_SET_PERM record. This means that the kern_ipc_perm argument is no longer needed.
Hmm... This is probably ok, as long as you can __guarantee__ that an IPC record will always closely follow an IPC_SET_PERM (and can be associated together). The object label is needed for LSPP. If that can be found in an associated record, so be it. Looking at your example results, it seems ok.
> 5. Replaced the spaces in the IPC_SET_PERM field names with underscores.
Thanks, that was my oversight. There should definitely be underscores rather than spaces.

:-Dustin

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
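The point raised in item 4 is that once the obj label is dropped from IPC_SET_PERM, it can only be recovered from the IPC record of the same audit event, so a consumer must join the two by event serial and notice when the IPC record is absent. The following is an added example illustrating that check (my code, not part of the thread or the kernel patch); the sample records are constructed, and the exact field layout of the IPC and IPC_SET_PERM records is assumed, not taken from the patch.

```python
import re

# Constructed sample audit records (not from the thread). Event 1001 pairs an
# IPC_SET_PERM record with the IPC record that carries the object label; event
# 1002 has an IPC_SET_PERM record but no IPC record, so no label is recoverable.
# Field names are assumed; the layout is illustrative only.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1146800000.101:1001): arch=c000003e syscall=71 success=yes exit=0
type=IPC msg=audit(1146800000.101:1001): ouid=500 ogid=500 mode=0600 obj=user_u:object_r:tmp_t
type=IPC_SET_PERM msg=audit(1146800000.101:1001): qbytes=0 ouid=500 ogid=1000 mode=0660
type=SYSCALL msg=audit(1146800000.102:1002): arch=c000003e syscall=71 success=no exit=-13
type=IPC_SET_PERM msg=audit(1146800000.102:1002): qbytes=0 ouid=500 ogid=1000 mode=0666
"""

# type=<RECORD> msg=audit(<timestamp>:<serial>): <key=value ...>
RECORD_RE = re.compile(r"^type=(\S+) msg=audit\(([\d.]+):(\d+)\): (.*)$")


def parse_records(log):
    """Group records by audit event serial: {serial: {record_type: {field: value}}}.

    Fields are split on whitespace, which is why a field name containing a
    space (item 5 in the thread) would silently corrupt the parse.
    """
    events = {}
    for line in log.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        fields = dict(kv.split("=", 1) for kv in body.split())
        events.setdefault(int(serial), {})[rtype] = fields
    return events


def check_ipc_set_perm(log):
    """For every IPC_SET_PERM record, return {serial: (obj_label_or_None, new_perms)}.

    A None label means the event had no associated IPC record, i.e. the object
    label required for the LSPP-style audit trail cannot be reconstructed.
    """
    result = {}
    for serial, recs in parse_records(log).items():
        if "IPC_SET_PERM" not in recs:
            continue
        ipc = recs.get("IPC")
        label = ipc.get("obj") if ipc else None
        result[serial] = (label, recs["IPC_SET_PERM"])
    return result
```

Running `check_ipc_set_perm(SAMPLE_LOG)` yields a label for event 1001 and None for event 1002, which is exactly the gap Linda's item 1 avoids by keeping the IPC record alongside IPC_SET_PERM even on failure.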
