Re: [PATCH 1/1] NAX LSM: Add initial support support
From: THOBY Simon <hidden>
Date: 2021-08-12 14:47:17
Also in:
linux-security-module
On 8/10/21 6:52 AM, J Freyensee wrote: [snip]
>> Have you considered writing to the audit log instead of the kernel messages directly? (not saying that this is necessarily better, but is there a reasoning to prefer one or the other here? Audit logs are often consumed by automated tools and it may be more practical for people to detect and treat violations if the messages were pushed to the audit log - but conversely, that requires defining and maintaining a stable log format for consumers)
>
> It's a good idea to write to the audit log, HOWEVER I'd want to know what all the rest of the LSMs are doing in a case like this. If all of them just write kernel messages, I'd want this module to also write just kernel messages for consistency's sake, for use with, say, log harvesters for a SIEM/XDR system solution.
Right, after taking a quick look through the SafeSetID, YAMA and the future BRUTE LSM, it looks like they all use pr_warn/pr_notice. Only the MACs seem to make use of the audit log, so you can forget what I said about writing to the audit log: this shouldn't be necessary, and is probably a bad idea for consistency, as Jay said.

Simon
> Just in general I like the thought of this LSM. I used to work for a security company in which their cloud "watched" situations where mmap()/mprotect() would use anonymous executable pages for possible "dodgy" behavior.
>
> Jay
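As an added example outside the thread (not code from the NAX patch or from either poster), the user-space counterpart of what Jay describes watching for: a scan of /proc/<pid>/maps lines that flags executable mappings with no backing file. The sample maps lines are constructed, and the classification rule (perms contain `x`, inode 0, no file path, with the kernel-provided `[vdso]`/`[vsyscall]` regions excluded) is an assumption about what "anonymous executable" should mean here, not a description of the NAX LSM's actual policy.

```c
/* Added example, not part of the NAX patch or the LSM thread.
 * Flags executable mappings in /proc/<pid>/maps that are not backed by a
 * file, i.e. memory that became executable through an anonymous mmap() or
 * a later mprotect(PROT_EXEC). The rule below is an assumption for
 * illustration, not the NAX LSM's policy. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample lines in /proc/<pid>/maps format:
 * start-end perms offset dev inode [pathname] */
static const char *sample_maps[] = {
    "55d4b3c00000-55d4b3c01000 r-xp 00000000 08:01 1311747 /usr/bin/cat",
    "7f3a1c000000-7f3a1c021000 rw-p 00000000 00:00 0",
    "7f3a1c200000-7f3a1c201000 rwxp 00000000 00:00 0",
    "7f3a1c400000-7f3a1c401000 r-xp 00000000 00:00 0 [vdso]",
    "7ffd2a000000-7ffd2a021000 rwxp 00000000 00:00 0 [stack]",
};
#define N_SAMPLES (sizeof(sample_maps) / sizeof(sample_maps[0]))

/* Returns 1 if the maps line describes an executable mapping with no
 * backing file (inode 0 and no real pathname), 0 otherwise or if the
 * line is malformed. */
int is_anon_exec(const char *line)
{
    unsigned long start, end, offset, inode;
    char perms[8], dev[16], path[256];

    int n = sscanf(line, "%lx-%lx %7s %lx %15s %lu %255s",
                   &start, &end, perms, &offset, dev, &inode, path);
    if (n < 6)
        return 0;                     /* not a maps line we understand */
    if (!strchr(perms, 'x'))
        return 0;                     /* not executable */
    if (inode != 0)
        return 0;                     /* file-backed mapping */
    if (n == 7) {
        /* Kernel-provided regions are not attacker-controlled code. */
        if (strcmp(path, "[vdso]") == 0 || strcmp(path, "[vsyscall]") == 0)
            return 0;
    }
    return 1;                         /* anonymous (or [heap]/[stack]) and executable */
}

/* Counts the anonymous executable mappings among the given lines. */
int count_anon_exec(const char **lines, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (is_anon_exec(lines[i]))
            hits++;
    return hits;
}

/* Convenience wrapper over the constructed sample set. */
int count_sample_anon_exec(void)
{
    return count_anon_exec(sample_maps, N_SAMPLES);
}

int main(void)
{
    for (size_t i = 0; i < N_SAMPLES; i++)
        if (is_anon_exec(sample_maps[i]))
            printf("anonymous executable mapping: %s\n", sample_maps[i]);
    printf("%d flagged\n", count_sample_anon_exec());
    return 0;
}
```

Run against a live process by feeding it the lines of /proc/<pid>/maps instead of the constructed array; a JIT or a packer will legitimately show such regions, which is exactly why an LSM that blocks them needs a policy switch, and why the thread cares about where the resulting warnings are logged.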