path-based filesystem watch limitation
Timothy R. Chavez
tinytim at us.ibm.com
Thu Aug 18 17:10:28 UTC 2005
On Thursday 18 August 2005 11:31, Amy Griffis wrote:
> On Tue, Aug 16, 2005 at 05:19:06PM -0400, Steve Grubb wrote:
> > In practice, though, it doesn't cause problems. I don't know of any
> > trusted app that renames a directory and creates a new data file.
>
> If we aren't trying to watch all path components, I don't understand
> why we need the dcache hooks.
The dcache hooks are used to manage the watches after they've been
created. So let's say you've said,
watch /etc/shadow
When you then later decide to do,
passwd
During the execution of 'passwd', /etc/shadow will momentarily cease to exist.
When /etc/shadow comes back, it'll be a new inode. We must then update that
inode with the necessary watch information. Thus, the watch point,
"/etc/shadow" is preserved.
Using the same 'passwd' execution, we might also consider this scenario,
watch /etc/nshadow
During the execution of 'passwd', /etc/shadow will be renamed to "nshadow".
If we have watched /etc/nshadow, then when the rename occurs, we add
the to the inode under /etc/nshadow, and thus, it becomes auditable.t
In this light, the feature does a decent job at auditing well-defined (and
hopefully security critical) locations and names.
>
> If we want to watch a particular dentry, it seems like watching its
> parent's inode for filesystem events would suffice.
We must rely both on the dentry and the inode. We're really watching the
inode, but the way we discover this inode, is through its dentry. So even if
this were the approach we took, it'd still need to use the dcache right?
> An inode is
> always held by the i_sem through the execution of any event-catching
> hook. Thus we are able to add a watch for the inode appearing
> at the watched location in time to catch any further events.
>
> I've read through quite a bit of the archives for this list, and
> haven't found the reason for the dcache hooks. Could someone comment
> on this?
Hope this helps.
-tim
>
> Thanks,
> Amy
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> http://www.redhat.com/mailman/listinfo/linux-audit
>
>
More information about the Linux-audit
mailing list