[RFC][PATCH 1/2] file system auditing (#6U3)
Timothy R. Chavez
tinytim at us.ibm.com
Mon Apr 4 16:43:42 UTC 2005
On Monday 04 April 2005 10:57 am, Stephen Smalley wrote:
> On Mon, 2005-04-04 at 10:34 -0500, Timothy R. Chavez wrote:
> > [PATCH 1/2]
> > The first patch consists of the file system hooks. Brief explanations of
> > hook placement and purpose are provided. Terminology, such as "watch"
> > and "watch point", is defined in the next message.
>
> Should note that this patch and explanation are included at the end of
> this message. "next message" is possibly confusing; possibly clarify
> with "second patch".
Good point.
> > Deletion:
> >
> > may_delete() [vfs_unlink()/rmdir()]:
> > Notify the audit subsystem when an object successfully leaves a "watch
> > point". The hook appears in may_delete() after we have determined the
> > victim dentry has an inode.
>
> This is more akin to permission, i.e. notify when checking permissions
> to delete a file. The text above suggests that the object has already
> been deleted, which is not yet true.
Good point.
> > @@ -1557,6 +1564,7 @@ int vfs_mknod(struct inode *dir, struct
> > DQUOT_INIT(dir);
> > error = dir->i_op->mknod(dir, dentry, mode, dev);
> > if (!error) {
> > + audit_notify_watch(dentry->d_inode, MAY_WRITE|MAY_EXEC);
> > inode_dir_notify(dir, DN_CREATE);
> > security_inode_post_mknod(dir, dentry, mode, dev);
> > }
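Review bot: the mask passed to audit_notify_watch() in this hunk is MAY_WRITE|MAY_EXEC, which does not match the intent already agreed in this thread of reducing it to just MAY_WRITE; mknod creates a node and involves no execute access, so the call should read `audit_notify_watch(dentry->d_inode, MAY_WRITE);`. Because the call sits inside `if (!error)` after `dir->i_op->mknod()` has returned, it reports a creation that has already completed rather than a permission check, so the hook's explanation should describe it as a post-operation notification, in contrast to the may_delete() hook discussed above, which fires at permission-check time.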
>
> Looks like you forgot to reduce this one to just MAY_WRITE.
Oops, I changed this, but forgot to diff a patch. I'll do this right now.
Thanks for looking.
I think I should also mention where to get the userspace tool.
--
-tim