RE: [WIP][RFC][PATCH 1/3] security: introduce call_int_hook_and() macro
From: Roberto Sassu <roberto.sassu@huawei.com>
Date: 2019-08-29 14:29:28
Also in:
linux-integrity
> -----Original Message-----
> From: Casey Schaufler [mailto:casey@schaufler-ca.com]
> Sent: Monday, August 19, 2019 4:52 PM
> To: Roberto Sassu <roberto.sassu@huawei.com>; linux-integrity@vger.kernel.org
> Cc: linux-security-module@vger.kernel.org; zohar@linux.ibm.com; Dmitry Kasatkin [off-list ref]; Silviu Vlasceanu [off-list ref]
> Subject: Re: [WIP][RFC][PATCH 1/3] security: introduce call_int_hook_and() macro
>
> On 8/18/2019 4:57 PM, Roberto Sassu wrote:
> > The LSM hooks audit_rule_known() and audit_rule_match() define 1 as the
> > result for a successful operation. However, the security_ functions use
> > call_int_hook(), which stops iterating over LSMs if the result is not zero.
> > Introduce call_int_hook_and(), so that the final result returned by the
> > security_ functions is 1 if all LSMs return 1.
>
> I don't think this is what you want. You want an audit record generated if
> any of the security modules want one, not only if all of the security
> modules want one.
Right, it would be better if I could specify the prefix of the LSM that should
execute the audit_rule_match() hook. For example, I would like to specify in
the IMA policy:

measure subj_type=infoflow:tcb

'infoflow:tcb' would be the value of the 'lsmrule' parameter of
security_audit_rule_match(). The rule would be evaluated only by the Infoflow
LSM, and not by SELinux.

Roberto
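The three ways of folding per-LSM hook results that the thread discusses, as an added example (this is a standalone model written for this page, not the kernel's call_int_hook() macro, Roberto's patch, or any code from the thread). Hook results follow the audit_rule_match() convention the patch description gives: 1 means the rule matches, 0 means it does not, negative means an error. The LSM stubs, the list type, the function names run_first_nonzero/run_and/run_any, and the handling of errors and of an empty list are all assumptions of the model.

```c
/* Added example (not code from the thread or the kernel): a small model of
 * how a security_ function can fold the result of one hook across several
 * LSMs. Hook results follow audit_rule_match(): 1 = match, 0 = no match,
 * negative = error. The LSM stubs below are constructed for the example. */
#include <stdio.h>
#include <errno.h>

#define MAX_LSMS 4

typedef int (*rule_match_fn)(void);

struct lsm_list {
    rule_match_fn fn[MAX_LSMS];
    int count;
};

/* call_int_hook-style: stop at the first non-zero result and return it. */
int run_first_nonzero(const struct lsm_list *l)
{
    int rc = 0;

    for (int i = 0; i < l->count; i++) {
        rc = l->fn[i]();
        if (rc != 0)
            break;
    }
    return rc;
}

/* call_int_hook_and-style: 1 only if every registered LSM returns 1.
 * An empty list yields 0 (a choice of this model, not of the patch). */
int run_and(const struct lsm_list *l)
{
    if (l->count == 0)
        return 0;
    for (int i = 0; i < l->count; i++)
        if (l->fn[i]() != 1)
            return 0;
    return 1;
}

/* "any"-style, the behaviour Casey asks for: 1 if any LSM returns 1.
 * An error is returned as soon as it is seen (a choice of this model). */
int run_any(const struct lsm_list *l)
{
    int matched = 0;

    for (int i = 0; i < l->count; i++) {
        int rc = l->fn[i]();
        if (rc < 0)
            return rc;
        if (rc == 1)
            matched = 1;
    }
    return matched;
}

/* Constructed stand-ins for per-LSM audit_rule_match() hooks. */
int lsm_match(void)    { return 1; }
int lsm_no_match(void) { return 0; }
int lsm_error(void)    { return -EINVAL; }

int main(void)
{
    struct lsm_list cases[] = {
        { { lsm_match, lsm_no_match }, 2 },  /* only the first LSM matches */
        { { lsm_no_match, lsm_match }, 2 },  /* only the second LSM matches */
        { { lsm_match, lsm_match }, 2 },     /* both match */
        { { lsm_error, lsm_match }, 2 },     /* first LSM reports an error */
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("case %zu: first_nonzero=%d and=%d any=%d\n", i,
               run_first_nonzero(&cases[i]), run_and(&cases[i]),
               run_any(&cases[i]));
    return 0;
}
```

On the mixed cases (one LSM matches, the other does not) run_and() returns 0 while run_any() returns 1, which is the difference Casey points out: an "and" fold suppresses the audit record whenever a single LSM declines to match. On 0/1 results alone, stopping at the first non-zero value already reports a match as soon as one LSM returns 1; the two folds part ways on errors, where run_first_nonzero() and run_any() surface the error and run_and() collapses it into "no match".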