On Monday 29 October 2007 01:20:58 pm Tony Jones wrote: > > The problem is that removing that flag makes the children unauditable in > > the future. The only place that flag gets set is during fork. > > I don't see this.
If the child does not have the TIF_SYSCALL_AUDIT flag, it never goes into audit_syscall_entry. It becomes unauditable. > The case that would be undesirable would be for a task to have an audit > context but to not have the thread flag enabled. That would just be a small allocation of memory that will be returned when the process exits. From an auditing PoV, something that is undesirable is the inability to audit a process that you want to audit. > > Unless I'm missing something, to make all children auditable again would > > mean stopping all processes and or'ing that flag into all thread info > > areas. > > I think you are. Or maybe the code was different two years ago so that the > above made sense. > > In the above scenario, audit is disabled, a new child is forked, we bail > early so there is no audit context (and now there is no flag in the thread > area). Currently there is no way this task is ever going to be audited as > there is no audit context. So when audit is re-enabled, how do you make that task auditable? > If this task forks a new child, at this point the value of audit enabled > will determine if there should be a context allocated and it will allocate > the TIF flag also. In the new child, but not the parent. > I don't see your stopping all processes scenario. That is so you can walk the process table and "or" the bit in unconditionally. All processes need to be auditable or you've got a security hole. -Steve - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/