path-based filesystem watch limitation
Amy Griffis
amy.griffis at hp.com
Thu Aug 18 16:31:37 UTC 2005
On Tue, Aug 16, 2005 at 05:19:06PM -0400, Steve Grubb wrote:
> In practice, though, it doesn't cause problems. I don't know of any
> trusted app that renames a directory and creates a new data file.
If we aren't trying to watch all path components, I don't understand
why we need the dcache hooks.
If we want to watch a particular dentry, it seems like watching its
parent's inode for filesystem events would suffice. An inode is
always held by the i_sem through the execution of any event-catching
hook. Thus we are able to add a watch for the inode appearing
at the watched location in time to catch any further events.
I've read through quite a bit of the archives for this list, and
haven't found the reason for the dcache hooks. Could someone comment
on this?
Thanks,
Amy
More information about the Linux-audit
mailing list