[RFC][PATCH] (#2) Prelim in-kernel file system auditing support
David Woodhouse
dwmw2 at infradead.org
Tue Jan 25 21:37:03 UTC 2005
On Tue, 2005-01-25 at 15:25 -0600, Timothy R. Chavez wrote:
> Can you elaborate on why you think namespaces are an issue? I'm
> having a hard time understanding why this would be any more of a
> problem than any other intentional subversion of the audit subsystem
> by the administrator (where administrator == root). Perhaps there is
> a way for a user process to subvert the audit subsystem using
> namespace trickery?
I'm not sure it's a _problem_ but I just wanted to make sure you bear it
in mind.
> If the root user issues a "watch /etc/passwd" it will resolve to the
> inode for passwd in the given namespace. Any accesses on that inode,
> in that namespace (presumably the only access we care about), by an
> audited syscall will be noted and sent to userspace. Isn't that
> sufficient?
Possibly; as long as the owner of the namespace can't mount the file
system containing it elsewhere, or 'mount --bind /etc /tmp/x' and get
round the watch. Your method of attaching to the dentry looks like it
works correctly in that case, but again I wanted to be sure it's by
design, and it stays that way.
--
dwmw2
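
The bind-mount concern raised in this message, as an added example that is not part of the original thread or of the audit patch: given a watched path, list every other path in the same mount namespace that reaches the same file, by parsing mountinfo records. The sample mountinfo lines and all function names are constructed for illustration; octal-escaped mount points and aliases hidden by a later mount on top of them are not handled.

```python
# Constructed sample in /proc/self/mountinfo format (not from the original thread).
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
45 22 8:1 /etc /tmp/x rw,relatime shared:1 - ext4 /dev/sda1 rw
46 22 0:40 / /proc rw,nosuid - proc proc rw
"""

def parse_mountinfo(text):
    """Return (device, fs_root, mount_point) for each mountinfo record."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or "-" not in fields:
            continue  # not a mountinfo record
        # Fields: mount-id parent-id major:minor root mount-point options ...
        mounts.append((fields[2], fields[3], fields[4]))
    return mounts

def is_under(path, prefix):
    """True if path equals prefix or lies beneath it, compared by component."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")

def join(base, rest):
    """Join two path pieces without doubled or trailing slashes."""
    return (base.rstrip("/") + "/" + rest.strip("/")).rstrip("/") or "/"

def aliases(watched, mounts):
    """List other paths in this namespace that reach the same file as watched."""
    holders = [m for m in mounts if is_under(watched, m[2])]
    if not holders:
        return []
    # The mount holding the path is the one with the longest matching mount point.
    dev, root, mnt = max(holders, key=lambda m: len(m[2]))
    # Location of the file relative to the root of its own filesystem.
    fs_path = join(root, watched[len(mnt):])
    found = []
    for m_dev, m_root, m_mnt in mounts:
        # Same filesystem, and this mount exposes the subtree holding the file.
        if m_dev != dev or not is_under(fs_path, m_root):
            continue
        alias = join(m_mnt, fs_path[len(m_root):])
        if alias != watched:
            found.append(alias)
    return found

if __name__ == "__main__":
    print(aliases("/etc/passwd", parse_mountinfo(SAMPLE_MOUNTINFO)))
```

Each process's `/proc/<pid>/mountinfo` shows only that process's mount namespace, so the same check has to be repeated per namespace to cover the case discussed above.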