best way to audit in vfs

Klaus Weidner klaus at atsec.com
Tue Dec 14 21:07:27 UTC 2004 

On Tue, Dec 14, 2004 at 08:54:27PM +0000, Timothy R. Chavez wrote:
>  > - while system call is executing, additional information is collected
> >   based on the data copied from userspace by the syscall. In the case of
> >   filesystem operation, this would be the audit attribute associated with
> >   the inode being worked on.
> 
> This might be a little insane, that is, from the current syscall
> audit, to figure out "the inode being worked on."  In ptrace there is
> an audit_syscall_enter hook and audit_syscall_exit hook.  In neither
> hook is there a reasonable way to discover the inode associated with
> the syscall argument.  This is why I think its easiest to do the
> logging in the VFS for this portion of the record, at least... At this
> point, we have a dentry associated with an inode (the inode we're
> interested in), to work with.

But the existing audit code already does this, look at audit_getname()
and audit_inode() in kernel/auditsc.c, which get called from
fs/namei.c:getname() and fs/namei.c:path_lookup() respectively.

The VFS code knows all about the inode, and the audit context is
available in the current process context.

> > - when the system call is complete, the filter rules are applied to the
> >   available data (including the additional info), and an audit record
> >   is generated and sent to userspace.
> 
> In my way, this wouldn't work to well because the syscall could be
> filtered away and the VFS portion would be in userland waiting...

But that's insane from a filtering point of view ;-)

If you tell audit to only make records for operations on certain files,
you don't want syscall entry and intermediate records being sent to
userspace for all open() operations where the necessary data wasn't
available yet. I think that implies that you need to first collect data
in the kernel until you know if userspace will be interested.

Sending multiple partial audit records for every syscall to userspace and
then having auditd do all the filtering would most likely have pathetic
performance.

-Klaus

More information about the Linux-audit mailing list