[RFC][PATCH] (#6 U1) the latest incarnation
Chris Wright
chrisw at osdl.org
Thu Mar 24 19:52:17 UTC 2005
* Stephen Smalley (sds at tycho.nsa.gov) wrote:
> On Thu, 2005-03-24 at 14:32 -0500, Stephen Smalley wrote:
> > Ok, I see what is happening. You call audit_attach_watch() from d_move,
> > but you will never hit an audit_notify_watch(), hence no audit data upon
> > renames until a subsequent write to the existing file (which never
> > happens for /etc/shadow, as it is always re-created and renamed for each
> > transaction). So a natural question is what else should be calling
> > audit_notify_watch besides permission, exec_permission_lite, and
> > may_delete? d_move? may_create?
>
> I suppose may_create() won't help you, as the child has a negative
> dentry at that point so you have no inode. You will have an inode upon
> the subsequent d_instantiate, but can't tell that you are dealing with a
> "just created" inode versus an already existing one, so you won't know
> that you need to notify of a create. So you are back to post-create
> style hooks for calling audit_notify_watch for file creations, right?
What was the problem with those, just hook proliferation?
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
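To make the ordering problem in the thread concrete, here is a small constructed model (added here; it is not kernel code and not code from either poster) of audit watches moving across a rename. It assumes a watch rule on /etc/shadow, a shadow file that is always re-created under a temporary name and renamed into place, and toy versions of audit_attach_watch(), audit_notify_watch(), may_create(), d_instantiate() and d_move(). With the behaviour described above (attach in d_move, no notify), the rename produces no audit record; the notify_on_move flag shows the effect of adding a notification at that point, and may_create() shows why a hook there has no inode to work with.

```c
#include <stdio.h>
#include <string.h>

/* Toy VFS/audit model, constructed for illustration only. */
struct inode  { int ino; int watched; };
struct dentry { const char *name; struct inode *inode; };

static int audit_log_count;                       /* audit records emitted */
static const char *watched_path = "/etc/shadow";  /* assumed watch rule */

/* Attach the watch when a dentry carrying the watched name has an inode. */
static void audit_attach_watch(struct dentry *d)
{
    if (d->inode && strcmp(d->name, watched_path) == 0)
        d->inode->watched = 1;
}

/* Emit an audit record if the inode carries a watch. */
static void audit_notify_watch(struct inode *in)
{
    if (in && in->watched)
        audit_log_count++;
}

/* may_create(): the child is a negative dentry at this point, so there is
 * no inode to notify on. Returns 1 only if a notification were possible. */
int may_create(struct dentry *child)
{
    return child->inode != NULL;                  /* 0 for a negative dentry */
}

/* d_instantiate(): the inode now exists, but this path cannot tell a
 * freshly created inode from an existing one, so it only attaches. */
static void d_instantiate(struct dentry *d, struct inode *in)
{
    d->inode = in;
    audit_attach_watch(d);
}

/* d_move(): rename src over target. The thread's behaviour is
 * notify_on_move == 0: the watch is attached but nothing is logged. */
static void d_move(struct dentry *src, struct dentry *target, int notify_on_move)
{
    target->inode = src->inode;
    src->inode = NULL;
    audit_attach_watch(target);
    if (notify_on_move)
        audit_notify_watch(target->inode);
}

/* Simulate one shadow-file transaction: create /etc/shadow+ and rename it
 * over /etc/shadow. Returns the number of audit records produced. */
int simulate_shadow_rename(int notify_on_move)
{
    struct inode  old_ino = { 41, 1 };            /* existing, watched */
    struct inode  new_ino = { 42, 0 };            /* freshly created */
    struct dentry tmp    = { "/etc/shadow+", NULL };
    struct dentry shadow = { "/etc/shadow", &old_ino };

    audit_log_count = 0;
    (void)may_create(&tmp);                       /* negative: nothing to do */
    d_instantiate(&tmp, &new_ino);                /* name differs: no watch */
    d_move(&tmp, &shadow, notify_on_move);        /* watch now on ino 42 */
    return audit_log_count;
}

int main(void)
{
    printf("records after rename, no notify in d_move: %d\n", simulate_shadow_rename(0));
    printf("records after rename, notify in d_move:    %d\n", simulate_shadow_rename(1));
    return 0;
}
```

The model deliberately stops after the rename: in the no-notify variant a record only appears once something later calls audit_notify_watch() on the new inode (permission() on a subsequent access), which is exactly the gap described for files that are replaced rather than written in place.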