[RFC][PATCH] (#6 U1) the latest incarnation
Stephen Smalley
sds at tycho.nsa.gov
Thu Mar 24 19:48:32 UTC 2005
On Thu, 2005-03-24 at 11:52 -0800, Chris Wright wrote:
> > I suppose may_create() won't help you, as the child has a negative
> > dentry at that point so you have no inode. You will have an inode upon
> > the subsequent d_instantiate, but can't tell that you are dealing with a
> > "just created" inode versus an already existing one, so you won't know
> > that you need to notify of a create. So you are back to post-create
> > style hooks for calling audit_notify_watch for file creations, right?
>
> What was the problem with those, just hook proliferation?
I think that they are ok for notification (audit_notify_watch calls),
but they aren't safe for attaching watches (audit_attach_watch calls),
because the inode can be accessed via the dcache by another thread
before the post-create hooks run. Hence, he still wants to keep hooks
for attaching watches in places like d_instantiate, but the notification
hooks can occur later in the processing, like the dnotify hooks.
--
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
More information about the Linux-audit
mailing list