path-based filesystem watch limitation

Timothy R. Chavez tinytim at us.ibm.com
Tue Aug 16 21:18:00 UTC 2005


On Tuesday 16 August 2005 16:09, Timothy R. Chavez wrote:
> On Tuesday 16 August 2005 11:52, Amy Griffis wrote:
> > Hello,
> > 
> > I've been taking a look at the auditfs code in U2, and I've noticed an
> > issue with the path-based watching.  In U2, the path-based watching
> > code only keeps tabs on the parent of a given user watch, instead of
> > watching the entire path back to the filesystem root.
> > 
> > This means that if a path component beyond the user watch's parent
> > changes, the recreation of the object at the watched path will not be
> > caught.  Any subsequent events on the object at the watched path will
> > also not be caught.
> > 
> > For example:
> > 
> > # auditctl -w /one/two/three/four
> > # mkdir -p /one/two/three
> > # :> /one/two/three/four
> > # echo "hello world" > /one/two/three/four
> > 
> > <audit records generated>
> > 
> > # mv /one/two /one/too
> > # mkdir -p /one/two/three
> > # :> /one/two/three/four
> > # echo "hello world" > /one/two/three/four
> > 
> > <no audit records generated>
> > 
> > Is this a known limitation?
> 
> It is known.  In a CAPP environment, this sort of trickery will not come up.
> To do what you want to do, the logic would get extremely complicated and
> perhaps one day it'll be doable (upstream).  Because we're storing the
> information _in_ the file system we're limited on how much state we can
> keep.
> 
> The original way we had planned on doing the logic was frowned upon
> because it required a persistent (and potentially sizeable) map of a file
> system depicting where all the watched locations are (and I believe
> there were some namespace issues as well).  This way each component
> of the watched path in the actual file system could be mapped all the way
> up to the root directory.

Er... and provide a mechanism to keep state such that a watched location
is always watched when it exists regardless of any "in-between" activity
that breaks the watched path and then reconstructs it.

-tim

> 
> -tim
> 
> > 
> > Amy
> > 
> > --
> > Linux-audit mailing list
> > Linux-audit at redhat.com
> > http://www.redhat.com/mailman/listinfo/linux-audit
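Added example, not part of the original thread and not auditfs code: a small user-space model of the limitation discussed above. It assumes a watch is pinned to the (device, inode) of the watched path's parent directory at insertion time; ParentWatch, covers, is_stale and replay are hypothetical names, and the directory is created before the watch because the model needs an existing parent.

```python
import os
import tempfile

def parent_id(path):
    """(device, inode) of the directory that currently holds `path`."""
    st = os.stat(os.path.dirname(path))
    return (st.st_dev, st.st_ino)

class ParentWatch:
    """Hypothetical model: a watch pinned to the parent directory's inode."""
    def __init__(self, path):
        self.path = path
        self.leaf = os.path.basename(path)
        self.pinned = parent_id(path)  # recorded once, at watch insertion

    def covers(self, path):
        # An event is audited only if it lands in the pinned directory.
        return (os.path.basename(path) == self.leaf
                and parent_id(path) == self.pinned)

    def is_stale(self):
        # Defender check: does the watched path still resolve to that parent?
        try:
            return parent_id(self.path) != self.pinned
        except FileNotFoundError:
            return True  # the path is broken; nothing there is watched

def write(path, watch):
    """Write to `path`; return True if the model would audit the write."""
    with open(path, "w") as f:
        f.write("hello world\n")
    return watch.covers(path)

def replay():
    """Replay the sequence from the report inside a constructed temp root."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "one", "two", "three", "four")
        os.makedirs(os.path.dirname(target))
        watch = ParentWatch(target)           # auditctl -w .../four
        before = write(target, watch)         # audited
        os.rename(os.path.join(root, "one", "two"),
                  os.path.join(root, "one", "too"))  # mv /one/two /one/too
        os.makedirs(os.path.dirname(target))  # mkdir -p /one/two/three
        after = write(target, watch)          # recreated path: missed
        moved = watch.covers(os.path.join(root, "one", "too", "three", "four"))
        return before, after, moved, watch.is_stale()

if __name__ == "__main__":
    print(replay())
```

In this model the watch follows the moved directory rather than the path string, so is_stale() is the check that tells an administrator the watch needs to be re-inserted.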