[RFC][PATCH] (#2) Prelim in-kernel file system auditing support

[Casey Schaufler]

--- "Timothy R. Chavez" <chavezt at gmail.com> wrote:

 
> I'd appreciate any and all comments / feedback. 

Not bad. Couple of comments/questions:


> +	/* The root directory cannot be watched */
> +	if (!strcmp(path, "/")) {
> +		ret = -EPERM;
> +		goto audit_remove_watch_exit;

What are the implications regarding a chroot
environment? I can imagine (although it strikes
me as somewhat insane) an admin wanting to audit
everything that goes on in a chroot environment,
say for a honeypot. The watching would have to
be enabled from outside. Not a bad thing, but is
it what you want?

> +/* The structure that stores information about
files/directories being
> + * watched in the filesystem, that the syscall
accessed.
> + */
> +
> +struct audit_file {
> +	struct audit_watch *watch;
> +	struct list_head list;
> +	unsigned long ino;
> +	umode_t mode;
> +	uid_t uid;
> +	gid_t gid;
> +	dev_t rdev;
> +	int mask;
> +};

Where does one put the ACL, MAC label, and/or
capability set of the file? I may not be able
to go get it later, as it may change or worse,
the file might be gone by then.


=====
Casey Schaufler
casey at schaufler-ca.com


		
__________________________________ 
Do you Yahoo!? 
Yahoo! Mail - Helps protect you from nasty viruses. 
http://promotions.yahoo.com/new_mail