patch update to ~51
David Woodhouse
dwmw2 at infradead.org
Thu Jun 2 11:03:31 UTC 2005
On Wed, 2005-06-01 at 16:30 -0500, Timothy R. Chavez wrote:
> David and I have been working on ~51 and this patch reflects changes that we've both committed.
I'll build an audit.52 kernel with it -- I've split it back up into my
original abolish-wentry-2 patch and your additions, because my working
(well actually not working at all and not even compiling right now) tree
here is based on just the former and I'd like to be able to patch
against that.
> * Added proper error handling in fs/namei.c (I think ;-))
No likee. See separate mail.
> Two things left that I can think of:
> * Getting rid of blanket allocations of audit_inode_data
I have this half-done, as you saw in the half-complete patch I threw
over the wall last night
(http://david.woodhou.se/audit-abolish-wentry-4.patch)
Should hopefully have it working today and then will do an audit.53.
> * Allowing a _list_ of watches on a watched inode
> -> If the same inode is watched from multiple locations (or name spaces)
I think we definitely need this. Test case:
touch /tmp/fish1
ln /tmp/fish1 /tmp/fish2
auditctl -w /tmp/fish1
auditctl -w /tmp/fish2
cat /tmp/fish1 # (see watch trigger)
cat /tmp/fish2 # (see watch trigger)
mv /tmp/fish2 /tmp/fish3 # (see watch trigger)
cat /tmp/fish3 # (see watch _NOT_ trigger)
cat /tmp/fish1 # (see watch trigger)
cat /tmp/fish3 # (see watch trigger again)
> * Removal of local reader-writer locks on audit_inode_data?
> -> I'm not sure that this lock is needed any longer now that there's only
> two ways we can remove from a watchlist and neither will contend with
> the other.
>
> (1) explicit administrative action, no other administrative action can
> occur at the same time
> (2) audit_inode_data is being freed, inode is no longer reachable for
> administrative action
>
Yeah, that's probably OK, I think.
--
dwmw2
More information about the Linux-audit
mailing list