best way to audit in vfs

Timothy R. Chavez chavezt at gmail.com
Tue Dec 14 20:00:24 UTC 2004


Hello,

I've been kind of thinking about this.  Presumably, we want to audit
both failed and successful attempts in whatever vfs function we happen
to be in.  For instance, if we fall out of vfs_mkdir because
may_create returned an error, we'd like to receive an audit message
that said something like, "filename=myfile syscall= mkdir()
error=<errno>.....", but, would I want to do this by hooking each
conditional statement?  Is there a better approach?  The only other
one I can think of would be to have one exit point in the functions
and audit right before we exit...

i.e.:

int vfs_create(struct inode *dir, struct dentry *dentry, int mode,
                struct nameidata *nd)
{
        /* permission and namespace checks on the parent directory */
        int error = may_create(dir, dentry, nd);

        if (error)
                goto vfs_create_exit;

        /* filesystem does not implement create for this directory */
        if (!dir->i_op || !dir->i_op->create) {
                error = -EACCES;
                goto vfs_create_exit;
        }
        mode &= S_IALLUGO;
        mode |= S_IFREG;
        /* LSM hook; may veto the create */
        error = security_inode_create(dir, dentry, mode);
        if (error)
                goto vfs_create_exit;
        DQUOT_INIT(dir);
        error = dir->i_op->create(dir, dentry, mode, nd);
        if (!error) {
                inode_dir_notify(dir, DN_CREATE);
                security_inode_post_create(dir, dentry, mode);
        }

vfs_create_exit:
        /* single exit point: every path, failed or successful, is audited here */
        audit_inode_create(dir, dentry, error, mode);
        return error;
}

-- 
- Timothy R. Chavez
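A userspace model of the single-exit audit pattern proposed in the post, added here as an illustration and not code from the post or the kernel; struct inode, the errno values, the audit sink and the try_create/last_audit_* helpers are stand-ins (assumptions), while the control flow mirrors the sketched vfs_create().

```c
/* Model of the single-exit audit pattern: struct inode, errno values and
 * the audit sink are stand-ins; the flow mirrors the sketched vfs_create(). */
#define EACCES     13
#define S_IFREG    0100000
#define S_IALLUGO  07777
/* Stand-in inode: just enough state to drive each branch of the model. */
struct inode {
    int may_create_err;   /* 0, or the -errno may_create() would return */
    int has_create_op;    /* nonzero if the filesystem implements ->create */
    int create_err;       /* result the filesystem's ->create would return */
};
/* Constructed audit sink: the last record and how many were emitted. */
static struct { const char *name; int error; int mode; int count; } last_audit;
static void audit_inode_create(const char *name, int error, int mode)
{
    last_audit.name = name;
    last_audit.error = error;
    last_audit.mode = mode;
    last_audit.count++;
}
/* Same shape as the sketch: every early exit jumps to one label that audits. */
int model_vfs_create(struct inode *dir, const char *name, int mode)
{
    int error = dir->may_create_err;
    if (error)
        goto vfs_create_exit;
    if (!dir->has_create_op) {
        error = -EACCES;
        goto vfs_create_exit;
    }
    mode &= S_IALLUGO;
    mode |= S_IFREG;
    error = dir->create_err;
vfs_create_exit:
    /* Reached on success and on every failure path, so each attempt is
     * recorded; on the early exits 'mode' is still the raw caller value. */
    audit_inode_create(name, error, mode);
    return error;
}
/* Drive one attempt through the model with constructed inode state. */
int try_create(int may_create_err, int has_create_op, int create_err, int mode)
{
    struct inode dir = { may_create_err, has_create_op, create_err };
    return model_vfs_create(&dir, "myfile", mode);
}
int last_audit_error(void) { return last_audit.error; }
int last_audit_mode(void)  { return last_audit.mode; }
int audit_count(void)      { return last_audit.count; }
```

Each of the three exits (may_create failure, missing ->create, success) leaves exactly one record with the matching error, which is the property the single exit label buys over hooking every conditional separately.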
