dev information for open, exec?

Stephen Smalley sds at tycho.nsa.gov
Thu Feb 24 18:43:50 UTC 2005


On Tue, 2005-02-22 at 09:54 -0800, Chris Wright wrote:
> The dev value is actually rdev.  So it's not bogus if you're accessing,
> for example, /dev/hda1.  Reasonable question whether that's both
> intentional and sufficient.  Given namespace possibilities, I assumed
> that dev/ino pair was dumped to uniquely identify the object.

Yes, this looks like a bug to me in the audit code, particularly as the
existing filter code lets you filter based on rdev and ino (whereas I'd
expect you would want to filter based on a specific object identified by
(dev,ino) pair).  Should path_lookup() be passing
nd->dentry->d_inode->i_sb->s_dev to audit_inode() instead?

-- 
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
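
The dev/rdev distinction discussed in this message, seen from user space through stat(2). This is an added example, not part of the original post and not the kernel audit code: `st_dev` is the device holding the inode, while `st_rdev` is only meaningful for character and block device nodes. The helper names (`obj_id_of`, `same_object`, `rdev_is_meaningful`) are hypothetical.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <sys/types.h>

/* Identity of a filesystem object: device holding the inode + inode number. */
struct obj_id { dev_t dev; ino_t ino; };

/* Fill *id from path; returns 0 on success, -1 if stat() fails. */
int obj_id_of(const char *path, struct obj_id *id)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    id->dev = st.st_dev;   /* filesystem the inode lives on */
    id->ino = st.st_ino;
    return 0;
}

/* 1 if both paths name the same object, 0 if not, -1 on error. */
int same_object(const char *a, const char *b)
{
    struct obj_id x, y;
    if (obj_id_of(a, &x) != 0 || obj_id_of(b, &y) != 0)
        return -1;
    return x.dev == y.dev && x.ino == y.ino;
}

/* 1 if st_rdev describes this path (char/block node), 0 if not, -1 on error. */
int rdev_is_meaningful(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return S_ISCHR(st.st_mode) || S_ISBLK(st.st_mode);
}

/* Print dev, ino and rdev for each path given on the command line. */
int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        struct stat st;
        if (stat(argv[i], &st) != 0) { perror(argv[i]); continue; }
        printf("%s: dev=%u:%u ino=%lu rdev=%u:%u%s\n", argv[i],
               (unsigned)major(st.st_dev), (unsigned)minor(st.st_dev),
               (unsigned long)st.st_ino,
               (unsigned)major(st.st_rdev), (unsigned)minor(st.st_rdev),
               rdev_is_meaningful(argv[i]) == 1 ? "" : " (rdev not meaningful)");
    }
    return 0;
}
```

Running it on a regular file and on a device node such as /dev/null shows that only the device node has an rdev distinct from "not meaningful", while dev and ino are populated for both.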



