Re: [PATCH 4th revision] Add SELinux context support to AUDIT target

On Saturday, June 18, 2011 08:08:05 AM Mr Dash Four wrote:
> +#ifdef CONFIG_SECURITY
> +/**
> + * audit_log_secctx - Converts and logs SELinux context
> + * @ab: audit_buffer
> + * @secid: security number
> + *
> + * This is a helper function that calls security_secid_to_secctx to
> convert secid to secctx + * and then adds the (converted) SELinux context
> to the audit log + * by calling audit_log_format, thus also preventing
> leak of internal secid to userspace. + * If secid cannot be converted
> audit_panic is called.
> + */
> +void audit_log_secctx(struct audit_buffer *ab, u32 secid)
> +{
> +	u32 len;
> +	char *secctx;
> +
> +	if (security_secid_to_secctx(secid, &secctx, &len)) {
> +		audit_panic("Cannot convert secid to context");
> +	} else {
> +		audit_log_format(ab, " obj=%s", secctx);
> +		security_release_secctx(secctx, len);
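Review bot: the failure branch at `audit_panic("Cannot convert secid to context");` neither returns nor marks the record, and the function is declared `void audit_log_secctx(struct audit_buffer *ab, u32 secid)`, so when the conversion fails the caller cannot tell that the record went out without its obj= field; audit_panic only halts the system when the audit failure mode is set to panic, and in the default printk mode it logs and continues. Consider returning an int (as audit_log_task_context does) so the AUDIT target can react, or at least emitting an explicit marker in the record so consumers can distinguish "no context" from "conversion failed". Also, the kernel-doc header says "Converts and logs SELinux context" and describes `@secid` as "security number", but `security_secid_to_secctx` is the generic LSM hook under CONFIG_SECURITY, so the comment should speak of an LSM security identifier and context rather than SELinux specifically.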

Eric,

Do you think this should be hardcoded to be obj? Would we ever log the subj? Or should 
obj be part of the function name to make it clear which piece is getting logged?

-Steve
