path-based filesystem watch limitation
Amy Griffis
amy.griffis at hp.com
Thu Aug 18 22:51:07 UTC 2005
Stephen Smalley wrote: [Thu Aug 18 2005, 01:35:18PM EDT]
> On Thu, 2005-08-18 at 12:31 -0400, Amy Griffis wrote:
> > If we aren't trying to watch all path components, I don't understand
> > why we need the dcache hooks.
> >
> > If we want to watch a particular dentry, it seems like watching its
> > parent's inode for filesystem events would suffice. An inode is
> > always held by the i_sem through the execution of any event-catching
> > hook. Thus we are able to add a watch for the inode appearing
> > at the watched location in time to catch any further events.
> >
> > I've read through quite a bit of the archives for this list, and
> > haven't found the reason for the dcache hooks. Could someone comment
> > on this?
>
> To ensure that the audit state of the inode is set up properly before it
> becomes accessible to another thread via the dcache (via __d_lookup).
Thanks, I see the potential race now.
More information about the Linux-audit
mailing list