[RFC][PATCH] (#6) filesystem auditing

Timothy R. Chavez tinytim at us.ibm.com
Tue Mar 15 16:28:01 UTC 2005


On Tuesday 15 March 2005 06:44 am, Stephen Smalley wrote:
> On Mon, 2005-03-14 at 17:14 -0600, Timothy R. Chavez wrote:
> > The hooks appear in:
> > fs/inode.c: destroy_inode(), alloc_inode()
> > fs/dcache.c: d_move(), d_delete(), __d_lookup()
> > fs/namei.c: permission(), exec_permission_lite(), may_delete()
> >
> > I think I've corrected the d_move() leakage by placing two hooks to
> > audit_watch() in d_move() that works on the source dentry and the target
> > dentry.
>
> What happened to your d_instantiate/d_splice_alias hooks?

Well, it seems like I'm getting the coverage I need with just these three. The
association of a watch to the inode is lazy now. Also, I was trying to take
advantage of the locking around the hooks.  I found that d_lock was a great 
way of doing this with respect to protecting the audit_watch() hook from evil 
audit_remove_watch() requests.  I suppose, however, if these hooks are 
essential, I could add them in under the protection of the dcache_lock in a 
place such that the audit_remove_watch() shouldn't have access to them.

-tim



