path-based filesystem watch limitation

Stephen Smalley sds at tycho.nsa.gov
Thu Aug 18 17:35:18 UTC 2005


On Thu, 2005-08-18 at 12:31 -0400, Amy Griffis wrote:
> If we aren't trying to watch all path components, I don't understand
> why we need the dcache hooks.  
> 
> If we want to watch a particular dentry, it seems like watching its
> parent's inode for filesystem events would suffice.  An inode is
> always held by the i_sem through the execution of any event-catching
> hook.  Thus we are able to add a watch for the inode appearing
> at the watched location in time to catch any further events.
> 
> I've read through quite a bit of the archives for this list, and
> haven't found the reason for the dcache hooks.  Could someone comment
> on this?

To ensure that the audit state of the inode is set up properly before it
becomes accessible to another thread via the dcache (via __d_lookup).

-- 
Stephen Smalley
National Security Agency
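
Added example, not part of the original message and not kernel code: a user-space C model of the ordering described in the reply above, showing that a lookup by another thread can reach an inode with no audit state if the dentry is published before that state is set. All names (`toy_inode`, `toy_dentry`, `dcache_publish`, `dcache_lookup`, `racer`, `instantiate`) are hypothetical, and the second thread is modelled deterministically as a call made at each point where it could run.

```c
/* User-space model, not kernel code. All names are hypothetical. */
#include <stdio.h>
#include <string.h>

struct toy_inode  { int audit_watched; };
struct toy_dentry { const char *name; struct toy_inode *inode; };

static struct toy_dentry *dcache[4];   /* stand-in for the dcache hash */
static int unaudited;                  /* accesses that saw no audit state */

static void dcache_publish(struct toy_dentry *d) { dcache[0] = d; }

/* Stand-in for __d_lookup: finds a published entry by name. */
static struct toy_dentry *dcache_lookup(const char *name)
{
    for (size_t i = 0; i < 4; i++)
        if (dcache[i] && strcmp(dcache[i]->name, name) == 0)
            return dcache[i];
    return NULL;
}

/* The "other thread": called at each point where it could be scheduled. */
static void racer(void)
{
    struct toy_dentry *d = dcache_lookup("watched");
    if (d && !d->inode->audit_watched)
        unaudited++;
}

/* audit_first != 0: audit state is set before the dentry is published. */
int instantiate(int audit_first)
{
    static struct toy_inode ino;
    static struct toy_dentry d = { "watched", &ino };

    memset(dcache, 0, sizeof dcache);
    ino.audit_watched = 0;
    unaudited = 0;

    if (audit_first) { ino.audit_watched = 1; racer(); dcache_publish(&d); }
    else             { dcache_publish(&d); racer(); ino.audit_watched = 1; }
    racer();
    return unaudited;
}

int main(void)
{
    printf("publish first: %d unaudited access(es)\n", instantiate(0));
    printf("audit first:   %d unaudited access(es)\n", instantiate(1));
    return 0;
}
```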



