[RFC][PATCH] (#2) Prelim in-kernel file system auditing support

Timothy R. Chavez chavezt at gmail.com
Tue Jan 25 18:38:43 UTC 2005


On Tue, 25 Jan 2005 11:20:54 -0600, Serge E. Hallyn <serue at us.ibm.com> wrote:
> Tim,
> 
> do you care about getting multiple entries in a single directory's
> watchlist for the same file?

I've CCed the list so we don't get redundant comments :-)  Yes, we do
care.  This will leak memory.  Here's why:

If we're in a race and we both get to the point of adding the watch to
the list because we've both seen that we're not in the list, two
audit_struct watches have been created.  If we remove a watch, one
will still exist.  It might be odd, if say we were watching /tmp/foo,
said "stop watching /tmp/foo", deleted "/tmp/foo", recreated
"/tmp/foo" and started getting audit messages for "/tmp/foo" -- And at
least then we'll consume the memory.  The alternative is that the
memory just gets forgotten.

So let me better protect the list.  Should I simply include in the
critical section a test to make sure that I've not already been added?

> 
> Ie two entries for /etc/shadow in /etc's watchlist?
> 


-- 
- Timothy R. Chavez
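
The fix proposed in the message above, making the "already added?" test part of the same critical section as the insert, sketched as an added userspace example (not code from the patch under discussion). `struct watch`, `struct watchlist`, `struct job`, `watch_add`, `racer` and `race_add` are hypothetical names, and a pthread mutex stands in for whatever lock protects the real watchlist.

```c
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical userspace stand-in for one directory's watchlist. */
struct watch { char name[64]; struct watch *next; };
struct watchlist { pthread_mutex_t lock; struct watch *head; int count; };

/* Lookup and insert share one lock hold, so racing callers cannot both link. */
int watch_add(struct watchlist *wl, const char *name)
{
    struct watch *w = calloc(1, sizeof(*w)); /* allocate outside the lock */
    if (!w) return -ENOMEM;
    strncpy(w->name, name, sizeof(w->name) - 1); /* calloc left the NUL */
    pthread_mutex_lock(&wl->lock);
    for (struct watch *cur = wl->head; cur; cur = cur->next)
        if (strcmp(cur->name, w->name) == 0) {
            pthread_mutex_unlock(&wl->lock);
            free(w); /* duplicate: drop our copy so nothing is leaked */
            return -EEXIST;
        }
    w->next = wl->head;
    wl->head = w;
    wl->count++;
    pthread_mutex_unlock(&wl->lock);
    return 0;
}

struct job { struct watchlist *wl; const char *name; };

static void *racer(void *arg)
{
    struct job *j = arg;
    return watch_add(j->wl, j->name) == 0 ? arg : NULL; /* non-NULL = added */
}

/* Run 8 threads adding the same name; return how many adds succeeded. */
int race_add(struct watchlist *wl, const char *name)
{
    struct job j = { wl, name };
    pthread_t tid[8];
    void *rc;
    int started = 0, ok = 0;
    while (started < 8 && pthread_create(&tid[started], NULL, racer, &j) == 0)
        started++;
    for (int i = 0; i < started; i++)
        ok += pthread_join(tid[i], &rc) == 0 && rc != NULL;
    return ok;
}
```

Moving the lookup in front of `pthread_mutex_lock()` reproduces the race described in the message: several threads can pass the check and each link its own entry for the same name.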



