two sets of fs_watch/fs_inode messages?
Timothy R. Chavez
tinytim at us.ibm.com
Wed Aug 10 21:57:51 UTC 2005
On Wednesday 10 August 2005 16:50, Timothy R. Chavez wrote:
> On Wednesday 10 August 2005 15:14, Linda Knippers wrote:
> >
> > >>I'm running the sample CAPP rules with the .87 kernel and 1.0.1
> > >>audit tools. I'm seeing duplicate watch/inode messages sometimes.
> > >
> > > Did this happen in previous kernels? .85 or .80 for example.
> >
> > I just tried .77 and .81 (what I had handy on my system) and it does the
> > same on both of those.
> Hi,
>
> I haven't been able to spend any time on this issue, but I don't necessarily
> consider it a critical issue or anything that needs immediate attention.
With
> the new fswatch framework and auditfs piece the first half of this problem
is
> addressed and the second half does not [yet] exist.
>
> What needs to happen and does happen in the new framework is that the
> aux linked-list on the audit_context is walked and checked for the FS_INODE.
> If it exists, the watch is added to that FS_INODE, otherwise a new FS_INODE
> on the aux list and the watch is added to it. This effectively consolidates
> all watches to one corresponding FS_INODE entry.
>
> Now, the second half of the problem, reporting identical FS_WATCHes is non-
> existant in the new audit framework currently due to the "fsnotify"-like
> hooks.
I should definately correct myself... When I wrote "new audit framework" I
really meant the "new 'watchfs' framework". And my apologies on the weird
pseudo run-on sentence :) *cough*
-tim
> What we're seeing now is the same hook being hit multiple times in
> the same code path because this system was designed around hook
> consolidation. This might become a problem if we add an "fsnotify"-like
hook
> to critical functions like permission() which might be called multiple times
> in the same code path (hooking this function might not even be needed
> though). In the event that we do introduce the possibility of duplication,
> the record should probably be discarded. This could be kind of expensive
> having to first walk the aux list and then walk the FS_INODE's watch list
> comparing fields.
>
> -tim
>
>
>
> >
> > -- ljk
> >
> > --
> > Linux-audit mailing list
> > Linux-audit at redhat.com
> > http://www.redhat.com/mailman/listinfo/linux-audit
> >
> >
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> http://www.redhat.com/mailman/listinfo/linux-audit
>
>
More information about the Linux-audit
mailing list