[RFC][PATCH] (#4) auditfs
Stephen Smalley
sds at epoch.ncsc.mil
Tue Feb 22 18:53:05 UTC 2005
On Tue, 2005-02-22 at 10:42 -0600, Timothy R. Chavez wrote:
> - Hooks in vfs_read/write/unlink (please look closely here). The rule
> of thumb I went off of is: I can call my hook iff I have an inode and
> I'm NOT hooking lookup_hash *nudge Stephen* :)
<snip>
> Three hooks for dynamically assigning watches:
> d_splice_alias, d_move, d_instantiate
>
> Five hooks for dynamically adding watches to our context:
> permission, exec_permission_lite, vfs_read, vfs_write, vfs_unlink
Why do you hook vfs_read/vfs_write when you have a hook in permission?
If you are trying to audit actual reads and writes, then there are other
cases to consider, e.g. do_sendfile(), plus fun with AIO. Much easier
if you can just stay with auditing open(2) calls via your permission(9)
hook.

There is a known race with respect to d_instantiate and file creation,
but it needs to be resolved anyway for SELinux, so I think you can
proceed under the assumption that it will be fixed. Alternatively, you
would need to move your hook call prior to the setting of d_inode in the
dentry and pass in the inode separately to your hook.
--
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency