From: ramsdell@mitre.org (John D. Ramsdell)
To: Alexander Viro <aviro@redhat.com>
Cc: bsniffen@mitre.org, Linux Audit <linux-audit@redhat.com>
Subject: Re: [PATCH] Reporting file descriptors created by pipe and socketpair
Date: 12 Sep 2006 17:05:35 -0400
Message-ID: <ogtr6ygyew0.fsf@divan.mitre.org>
In-Reply-To: <20060912191225.GL4144@devserv.devel.redhat.com>

Alexander Viro <aviro@redhat.com> writes:

> Indeed?  And how, pray tell, do you handle e.g. processes A and B
> sending SCM_RIGHTS datagrams to C at the same moment?

We don't.  We do not try to get all information flows.  Our goal is to
recognize common information flow patterns, and suggest SELinux policy
based on the patterns we find.  For example, the Jabber Server has
five main processes, and one of them routes information between the other
four.  We can recognize this pattern, and suggest types and allow
rules consistent with this hub-and-spoke design pattern.

Here is another major reason to prefer autrace over strace:
performance.  We tried to strace a run of an Apache Web Server
compiled with threads support enabled.  It was a disaster.  The only
way we could get useful data was to strace a single-threaded version
of the web server.  I bet we could get useful data on a run of a
multithreaded web server using autrace.

John
