[PATCH] lsm_audit: avoid overloading the "key" audit field
paul at paul-moore.com
Mon Sep 20 02:49:13 UTC 2021
On Tue, Sep 14, 2021 at 10:49 AM Paul Moore <paul at paul-moore.com> wrote:
> On Tue, Sep 14, 2021 at 9:15 AM Ondrej Mosnacek <omosnace at redhat.com> wrote:
> > The "key" field is used to associate records with the rule that
> > triggered them, os it's not a good idea to overload it with an
> > additional IPC key semantic. Moreover, as the classic "key" field is a
> > text field, while the IPC key is numeric, AVC records containing the IPC
> > key info actually confuse audit userspace, which tries to interpret the
> > number as a hex-encoded string, thus showing garbage for example in the
> > ausearch "interpret" output mode.
> > Hence, change it to "ipc_key" to fix both issues and also make the
> > meaning of this field more clear.
> > Signed-off-by: Ondrej Mosnacek <omosnace at redhat.com>
> > ---
> > security/lsm_audit.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> Seems reasonable to me, I can merge it via the audit/next tree unless
> James would prefer to take it via the LSM tree.
As this is pretty minor and unlikely to conflict with any LSMs, I've
gone ahead and merged this into the audit/next tree.
More information about the Linux-security-module-archive