> -----Original Message-----
> From: Casey Schaufler [mailto:casey@xxxxxxxxxxxxxxxx]
> Sent: Monday, August 19, 2019 4:52 PM
> To: Roberto Sassu <roberto.sassu@xxxxxxxxxx>; linux-integrity@xxxxxxxxxxxxxxx
> Cc: linux-security-module@xxxxxxxxxxxxxxx; zohar@xxxxxxxxxxxxx; Dmitry Kasatkin <dmitry.kasatkin@xxxxxxxxxx>; Silviu Vlasceanu <Silviu.Vlasceanu@xxxxxxxxxx>
> Subject: Re: [WIP][RFC][PATCH 1/3] security: introduce call_int_hook_and() macro
>
> On 8/18/2019 4:57 PM, Roberto Sassu wrote:
> > The LSM hooks audit_rule_known() and audit_rule_match() define 1 as
> > result for successful operation. However, the security_ functions use
> > call_int_hook() which stops iterating over LSMs if the result is not
> > zero.
> >
> > Introduce call_int_hook_and(), so that the final result returned by
> > the security_ functions is 1 if all LSMs return 1.
>
> I don't think this is what you want. You want an audit record generated if
> any of the security modules want one, not only if all of the security modules
> want one.

Right, it would be better if I can specify the prefix of the LSM that should
execute the audit_rule_match() hook. For example, I would like to specify in
the IMA policy:

measure subj_type=infoflow:tcb

'infoflow:tcb' would be the value of the 'lsmrule' parameter of
security_audit_rule_match(). The rule would be evaluated only by Infoflow LSM,
and not SELinux.

Roberto
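As an added illustration that is not part of the patch or of the kernel, the following C model compares the three ways a security_ wrapper could combine per-LSM audit_rule_match() results (1 = match, 0 = no match, negative = error): the existing stop-at-first-non-zero iteration of call_int_hook(), the all-LSMs-must-return-1 semantics of the proposed call_int_hook_and(), and the any-LSM-matches behaviour Casey describes. The two LSM stand-ins, their prefix-based matching and the hook list are constructed assumptions, not real LSM code.

```c
/* Constructed model of how a security_ wrapper aggregates the results
 * of the audit_rule_match() hook across several LSMs. Not kernel code. */
#include <stddef.h>

typedef int (*rule_match_fn)(const char *lsmrule);

/* Stand-in LSMs: each one claims only rules carrying its own prefix,
 * mirroring the "infoflow:tcb" idea from the reply (an assumption). */
static int has_prefix(const char *s, const char *p) {
    while (*p)
        if (*s++ != *p++)
            return 0;
    return 1;
}
static int selinux_stub_rule_match(const char *rule)  { return has_prefix(rule, "selinux:"); }
static int infoflow_stub_rule_match(const char *rule) { return has_prefix(rule, "infoflow:"); }

static const rule_match_fn hook_list[] = { selinux_stub_rule_match, infoflow_stub_rule_match };
#define NHOOKS (sizeof hook_list / sizeof hook_list[0])

/* call_int_hook() style: return the first non-zero result, stop iterating. */
int match_first_nonzero(const char *rule) {
    for (size_t i = 0; i < NHOOKS; i++) {
        int rc = hook_list[i](rule);
        if (rc != 0)
            return rc;
    }
    return 0;
}

/* Proposed call_int_hook_and() style: 1 only if every LSM returns 1;
 * an error from any LSM is propagated immediately. */
int match_all(const char *rule) {
    int rc = 1;
    for (size_t i = 0; i < NHOOKS; i++) {
        int r = hook_list[i](rule);
        if (r < 0)
            return r;
        rc = rc && r;
    }
    return rc;
}

/* "Any LSM wants an audit record" (Casey's point): 1 if any LSM returns 1. */
int match_any(const char *rule) {
    int rc = 0;
    for (size_t i = 0; i < NHOOKS; i++) {
        int r = hook_list[i](rule);
        if (r < 0)
            return r;
        rc = rc || r;
    }
    return rc;
}
```

With the rule `infoflow:tcb`, only the second stub matches, so the AND variant reports no match while the first-non-zero and any variants report one.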