Re: [Part1 PATCH 00/22] Add namespace support for audit

2013-06-20 Thread Eric Paris
On Thu, 2013-06-20 at 11:02 +0800, Gao feng wrote: On 06/20/2013 04:51 AM, Eric Paris wrote: On Wed, 2013-06-19 at 16:49 -0400, Aristeu Rozanski wrote: On Wed, Jun 19, 2013 at 09:53:32AM +0800, Gao feng wrote: This patchset is first part of namespace support for audit. In this patchset,

[Part1 PATCH 00/22] Add namespace support for audit

2013-06-20 Thread Gao feng
This patchset is first part of namespace support for audit. In this patchset, the main resources of audit system have been isolated. The audit filter, rules haven't been isolated now. It will be implemented in Part2. We finished the isolation of user audit message in this patchset. I choose to

Re: [Part1 PATCH 00/22] Add namespace support for audit

2013-06-20 Thread Aristeu Rozanski
On Wed, Jun 19, 2013 at 09:53:32AM +0800, Gao feng wrote: This patchset is first part of namespace support for audit. In this patchset, the main resources of audit system have been isolated. The audit filter, rules haven't been isolated now. It will be implemented in Part2. We finished the

Re: [Part1 PATCH 00/22] Add namespace support for audit

2013-06-20 Thread Eric W. Biederman
Eric Paris epa...@redhat.com writes: On Wed, 2013-06-19 at 16:49 -0400, Aristeu Rozanski wrote: On Wed, Jun 19, 2013 at 09:53:32AM +0800, Gao feng wrote: This patchset is first part of namespace support for audit. In this patchset, the main resources of audit system have been isolated.

[PATCH 2/3] integrity: move integrity_audit_msg()

2013-06-20 Thread Mimi Zohar
This patch moves the integrity_audit_msg() function and definition to security/integrity/, the parent directory, renames the 'ima_audit' boot command line option to 'integrity_audit', and fixes the Kconfig help text to reflect the actual code. Changelog: - Fixed ifdef inclusion of

[PATCH 3/3] evm: audit integrity metadata failures

2013-06-20 Thread Mimi Zohar
Before modifying an EVM protected extended attribute or any other metadata included in the HMAC calculation, the existing 'security.evm' is verified. This patch adds calls to integrity_audit_msg() to audit integrity metadata failures. Reported-by: Sven Vermeulen sven.vermeu...@siphos.be

Re: [Part1 PATCH 00/22] Add namespace support for audit

2013-06-20 Thread Gao feng
On 06/20/2013 09:02 PM, Eric Paris wrote: On Thu, 2013-06-20 at 11:02 +0800, Gao feng wrote: On 06/20/2013 04:51 AM, Eric Paris wrote: On Wed, 2013-06-19 at 16:49 -0400, Aristeu Rozanski wrote: On Wed, Jun 19, 2013 at 09:53:32AM +0800, Gao feng wrote: This patchset is first part of namespace

Re: [Part1 PATCH 00/22] Add namespace support for audit

2013-06-20 Thread Gao feng
On 06/21/2013 06:01 AM, Eric W. Biederman wrote: Gao feng gaof...@cn.fujitsu.com writes: On 06/20/2013 11:02 AM, Gao feng wrote: If we don't tie audit to user namespace, there is still one problem. One more problem. Some audit messages are generated by some net subsystem such as netfilter.