From: Joy Latten <latten@austin.ibm.com>
To: David Miller <davem@davemloft.net>
Cc: netdev@vger.kernel.org, linux-audit@redhat.com, sgrubb@redhat.com
Subject: Re: [PATCH] improved xfrm_audit_log() patch
Date: Thu, 23 Aug 2007 12:15:10 -0500 [thread overview]
Message-ID: <1187889310.15699.735.camel@faith.austin.ibm.com> (raw)
In-Reply-To: <20070822.200502.35874480.davem@davemloft.net>
On Wed, 2007-08-22 at 20:05 -0700, David Miller wrote:
> I would suggest, at this point, to make purpose built situation
> specific interfaces that pass specific objects (the ones being
> operated upon) to the audit layer.
>
> Let the audit layer pick out the bits it actually wants in the
> format it likes.
>
> For example, if we're creating a template, pass the policy and
> the templace to the audit layer via a function called:
>
> xfrm_audit_template_add()
>
> or something like that. That function only needs two arguments.
>
> All of these call sites will rarely need more than 2 or 3 arguments in
> any given situation, and the on-stack audit thing will be gone too.
>
> This is the suggestion I made to you over a month ago, but you choose
> to do the on-stack thing.
>
I misunderstood. My bad.
For clarification, I plan on removing xfrm_audit_log() and replacing it
with more specific ipsec audit interfaces.
For example, when auditing the addition of a policy, either
xfrm_user_audit_policy_add(xp, result, skb) or
pfkey_audit_policy_add(xp, result) will get called.
I need two because xfrm_user gets loginuid/secid from netlink/skb
and pfkey gets it from audit_get_loginuid().
Each will setup and format audit buffer according
to what they want.
Also, for deleting, there will be pfkey_audit_policy_delete(xp, result)
and xfrm_user_audit_policy_delete(xp, result, skb).
> You must make this cost absolutely nothing when it is either
> not configured, and have next to no cost when not enabled at
> run time. And it is very doable.
The new ipsec audit functions can be ifdef'd with CONFIG_AUDITSYSCALL
just as xfrm_audit_log() was so that there is no cost when
audit is not configured.
Let me know if this is better.
Regards,
Joy
next prev parent reply other threads:[~2007-08-23 17:15 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-08-15 16:16 [PATCH] improved xfrm_audit_log() patch Joy Latten
2007-08-21 7:24 ` David Miller
2007-08-22 19:51 ` David Miller
2007-08-23 1:29 ` Joy Latten
2007-08-23 3:05 ` David Miller
2007-08-23 17:15 ` Joy Latten [this message]
2007-08-23 20:07 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1187889310.15699.735.camel@faith.austin.ibm.com \
--to=latten@austin.ibm.com \
--cc=davem@davemloft.net \
--cc=linux-audit@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox