From: Eric Paris <eparis@parisplace.org>
To: Joy Latten <latten@austin.ibm.com>
Cc: James Morris <jmorris@namei.org>,
David Miller <davem@davemloft.net>,
selinux@tycho.nsa.gov, netdev@vger.kernel.org,
vyekkirala@TrustedCS.com
Subject: Re: [PATCH]: Add security check before flushing SAD/SPD
Date: Fri, 23 Mar 2007 12:59:15 -0400 [thread overview]
Message-ID: <1174669155.10788.60.camel@localhost.localdomain> (raw)
In-Reply-To: <1174667591.3085.308.camel@faith.austin.ibm.com>
On Fri, 2007-03-23 at 10:33 -0600, Joy Latten wrote:
> On Fri, 2007-03-23 at 01:39 -0400, Eric Paris wrote:
>
> >
> > In either case though proper auditing needs to be addressed. I see that
> > the first patch from Joy wouldn't audit deletion failures. It appears
> > to me if the check is done per policy then the security hook return code
> > needs to be recorded and passed to xfrm_audit_log instead of the hard
> > coded 1 result used now.
> >
> > Assuming we go with James's double loop what should we be auditing for a
> > security hook denial? Just audit the first policy entry which we tried
> > to remove but couldn't and then leave the rest of the auditing in those
> > functions the way it is now in case there was no denial, calling
> > xfrm_audit_log with a hard coded 1 for the result?
> >
> Actually, I thought the original intent of the ipsec auditing was to
> just audit changes made to the SAD/SPD databases, not securiy hook
> denials, right?
Then what is the point of the 'result' field that we capture and log in
xfrm_audit_log if the only things you care to audit are successful
changes to the databases?
-Eric
next prev parent reply other threads:[~2007-03-23 17:03 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-03-22 18:35 [PATCH]: Add security check before flushing SAD/SPD Joy Latten
2007-03-22 19:01 ` David Miller
2007-03-22 21:23 ` Joy Latten
2007-03-22 23:49 ` James Morris
2007-03-22 23:50 ` Joy Latten
2007-03-23 0:56 ` James Morris
2007-03-23 5:39 ` Eric Paris
2007-03-23 6:22 ` David Miller
2007-03-23 16:33 ` Joy Latten
2007-03-23 16:59 ` Eric Paris [this message]
2007-03-23 18:50 ` Joy Latten
2007-03-23 18:46 ` James Morris
2007-03-23 18:47 ` David Miller
2007-03-23 18:50 ` Eric Paris
-- strict thread matches above, loose matches on Subject: below --
2007-03-26 19:39 Joy Latten
2007-03-26 20:05 ` James Morris
2007-03-26 20:14 ` James Morris
2007-03-26 20:34 ` Eric Paris
2007-03-26 22:58 Joy Latten
2007-03-26 23:21 Joy Latten
2007-03-27 3:08 ` James Morris
2007-06-04 19:05 ` Eric Paris
2007-06-04 19:44 ` James Morris
2007-06-04 23:13 ` James Morris
2007-06-04 23:55 ` David Miller
2007-06-05 17:56 ` Joy Latten
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1174669155.10788.60.camel@localhost.localdomain \
--to=eparis@parisplace.org \
--cc=davem@davemloft.net \
--cc=jmorris@namei.org \
--cc=latten@austin.ibm.com \
--cc=netdev@vger.kernel.org \
--cc=selinux@tycho.nsa.gov \
--cc=vyekkirala@TrustedCS.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).