[RFC][PATCH] (#6) filesystem auditing

Stephen Smalley sds at tycho.nsa.gov
Tue Mar 15 21:01:16 UTC 2005


On Tue, 2005-03-15 at 15:48 -0500, Stephen Smalley wrote:
> Hmmm...how is this supposed to work?  audit_log_exit() isn't called
> unless context->auditable is set.  Should audit_notify_watch() be
> setting context->auditable when adding a file to the wtrail so that it
> will be processed upon syscall exit?  Otherwise, you need some other
> filter to enable the auditable flag separate from your watch, right?

Note btw that since SELinux does immediate generation of audit messages
via audit_log* from its hooks, this automatically enables the auditable
flag (since audit_log_start calls audit_get_stamp, and audit_get_stamp
enables the auditable flag).  That is why further audit records are
written at syscall exit whenever SELinux emits an audit message from a
hook.  But in your case, as you are just adding data to a list from your
hook, you need to separately enable the auditable flag in some manner.

-- 
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
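As an added illustration of the flow described above (a toy model written for this archive page, not code from the thread, the patch, or the kernel), the following C program mimics an audit context whose records are only emitted at syscall exit when `auditable` is set. The `model_*` functions and the "one record per watched path" accounting are modelling assumptions, not the kernel's implementation.

```c
/* Toy model of the audit context flow discussed in the thread.
 * Not kernel code: names mirror the functions mentioned, behaviour is simplified. */
#include <stdbool.h>
#include <stdio.h>

#define MAX_WATCH 8

struct audit_context {
    bool auditable;                 /* set -> audit_log_exit() emits records */
    int  wtrail_len;                /* watched files hit during this syscall */
    const char *wtrail[MAX_WATCH];
    int  records_written;           /* what the exit path emitted */
};

/* Model of audit_get_stamp(): starting any record marks the syscall auditable. */
static void model_get_stamp(struct audit_context *ctx) { ctx->auditable = true; }

/* Model of audit_log_start(), the path an SELinux hook takes via audit_log*. */
static void model_log_start(struct audit_context *ctx) { model_get_stamp(ctx); }

/* Model of the patch's audit_notify_watch(). fix_flag mirrors the suggestion
 * of setting context->auditable when a file is appended to the wtrail. */
static void model_notify_watch(struct audit_context *ctx, const char *path, bool fix_flag) {
    if (ctx->wtrail_len < MAX_WATCH) ctx->wtrail[ctx->wtrail_len++] = path;
    if (fix_flag) ctx->auditable = true;
}

/* Model of audit_log_exit(): only runs when the context is auditable.
 * Assumption: one SYSCALL record plus one record per watched path hit. */
static int model_syscall_exit(struct audit_context *ctx) {
    if (!ctx->auditable) return 0;
    ctx->records_written = 1 + ctx->wtrail_len;
    return ctx->records_written;
}

/* One syscall: optional SELinux audit message first, then a watch hit on a
 * constructed sample path. Returns the number of records written at exit. */
int records_for_syscall(bool selinux_message, bool watch_sets_flag) {
    struct audit_context ctx = {0};
    if (selinux_message) model_log_start(&ctx);
    model_notify_watch(&ctx, "/etc/passwd", watch_sets_flag);
    return model_syscall_exit(&ctx);
}

int main(void) {
    printf("watch only, flag untouched : %d records\n", records_for_syscall(false, false));
    printf("watch + SELinux message    : %d records\n", records_for_syscall(true, false));
    printf("watch sets auditable       : %d records\n", records_for_syscall(false, true));
    return 0;
}
```

The first case is the failure mode Stephen points out: the watch hit is recorded in the wtrail but nothing is written at exit because no filter set the flag.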



