[RFC][PATCH] (#4) auditfs

Stephen Smalley sds at tycho.nsa.gov
Tue Feb 22 20:07:59 UTC 2005


On Tue, 2005-02-22 at 10:42 -0600, Timothy R. Chavez wrote:
> Three hooks for dynamically assigning watches:
> d_splice_alias, d_move, d_instantiate
> 
> Five hooks for dynamically adding watches to our context:
> permission, exec_permission_lite, vfs_read, vfs_write, vfs_unlink

I'm a little unclear on what the hook call in vfs_unlink is buying you
if it is only passing the dir (not the dentry).  vfs_unlink already
calls may_delete() and ultimately passes the dir to a permission() call
to check write and search access to the parent directory, so your hook
in permission() will cover the attempt to access it.  Don't you want to
pass the dentry here instead?  And won't there be similar issues for
vfs_rmdir?

-- 
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency



