[RFC][PATCH] (#6 U1) the latest incarnation

Stephen Smalley sds at tycho.nsa.gov
Fri Mar 25 13:04:28 UTC 2005


On Thu, 2005-03-24 at 14:48 -0600, Timothy R. Chavez wrote:
> static inline int may_delete(struct inode *dir, struct dentry *victim, int isdir)
> {
> 	....
> 	audit_notify_watch(victim->d_inode, 0);
> 	....
> }

This brings up another issue I wanted to discuss - whether the watch
mask should be more general than rwea, e.g. should it be possible to
specify that I want to see "rename", "link", "unlink", etc. with
specific mask values for each of these operations.  At that point, you
would be passing your own set of mask values to audit_notify_watch (with
a translation table for the normal permission mask).

Alternatively, you could just view "rename", "link", and "unlink" as
another form of write, so you could pass MAY_WRITE here.

With regard to additional hook placement for audit_notify_watch, I think
you likely do want to mirror the security*_post* hooks for file creation
(create, mkdir, mknod, symlink), rename, and link with
audit_notify_watch calls to perform notifications of such events.  Then
you keep audit_attach_watch calls in the dcache routines to manage the
i_audit fields and avoid races.  However, I think you need to check
whether you truly need all of the current hook placements in the dcache
routines or whether some of them are duplicative on the same code path,
e.g. do you need both __d_lookup and d_instantiate/d_splice_alias
hooked?

-- 
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
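The two mask designs weighed above, as an added example that is not part of the original message and not kernel code: a hypothetical extended watch mask with one bit per namespace operation, a translation table folding it down to the ordinary MAY_* permission mask, and a watch-match check under each alternative. The AUDIT_WATCH_* bits, the fs_op enum and the helper names are assumptions made for illustration; only the MAY_* values mirror the kernel's.

```c
#include <stdbool.h>
#include <stdio.h>

/* Ordinary VFS permission mask bits; the values mirror MAY_* in
 * include/linux/fs.h. */
#define MAY_EXEC   1
#define MAY_WRITE  2
#define MAY_READ   4
#define MAY_APPEND 8

/* Hypothetical extended watch mask (an assumption for this example, not a
 * kernel interface): the rwea bits plus one bit per namespace operation. */
#define AUDIT_WATCH_READ   0x01
#define AUDIT_WATCH_WRITE  0x02
#define AUDIT_WATCH_EXEC   0x04
#define AUDIT_WATCH_APPEND 0x08
#define AUDIT_WATCH_UNLINK 0x10
#define AUDIT_WATCH_RENAME 0x20
#define AUDIT_WATCH_LINK   0x40

/* Operations a hook might report (hypothetical, for this example). */
enum fs_op { OP_READ, OP_WRITE, OP_EXEC, OP_APPEND,
             OP_UNLINK, OP_RENAME, OP_LINK, OP_COUNT };

/* Translation table: the extended watch bit for each operation. */
static const unsigned op_to_watch_bit[OP_COUNT] = {
    [OP_READ]   = AUDIT_WATCH_READ,
    [OP_WRITE]  = AUDIT_WATCH_WRITE,
    [OP_EXEC]   = AUDIT_WATCH_EXEC,
    [OP_APPEND] = AUDIT_WATCH_APPEND,
    [OP_UNLINK] = AUDIT_WATCH_UNLINK,
    [OP_RENAME] = AUDIT_WATCH_RENAME,
    [OP_LINK]   = AUDIT_WATCH_LINK,
};

/* Translation table: the ordinary permission bit for each operation, with
 * unlink, rename and link treated as "another form of write". */
static const unsigned op_to_perm_bit[OP_COUNT] = {
    [OP_READ]   = MAY_READ,
    [OP_WRITE]  = MAY_WRITE,
    [OP_EXEC]   = MAY_EXEC,
    [OP_APPEND] = MAY_APPEND,
    [OP_UNLINK] = MAY_WRITE,
    [OP_RENAME] = MAY_WRITE,
    [OP_LINK]   = MAY_WRITE,
};

/* Fold an extended watch mask down to the ordinary MAY_* mask. Information
 * is lost here: any of the namespace bits becomes plain MAY_WRITE. */
unsigned watch_mask_to_perm(unsigned wmask)
{
    unsigned perm = 0;
    for (int op = 0; op < OP_COUNT; op++)
        if (wmask & op_to_watch_bit[op])
            perm |= op_to_perm_bit[op];
    return perm;
}

/* Alternative 1: the hook passes the operation and the watch keeps an
 * extended mask, so a watch can ask for unlink without plain writes. */
bool watch_fires_extended(unsigned wmask, enum fs_op op)
{
    return (wmask & op_to_watch_bit[op]) != 0;
}

/* Alternative 2: the hook passes the ordinary MAY_* value (MAY_WRITE for
 * unlink, rename and link) and the watch keeps an rwea mask. */
bool watch_fires_perm(unsigned perm_mask, enum fs_op op)
{
    return (perm_mask & op_to_perm_bit[op]) != 0;
}

int main(void)
{
    unsigned wmask = AUDIT_WATCH_UNLINK;
    printf("extended: unlink fires=%d, write fires=%d\n",
           watch_fires_extended(wmask, OP_UNLINK),
           watch_fires_extended(wmask, OP_WRITE));
    unsigned perm = watch_mask_to_perm(wmask);
    printf("folded to MAY_* 0x%x: unlink fires=%d, write fires=%d\n",
           perm, watch_fires_perm(perm, OP_UNLINK),
           watch_fires_perm(perm, OP_WRITE));
    return 0;
}
```

The point the example makes concrete is the trade-off in the message: passing MAY_WRITE from may_delete keeps the hook interface small, but once a watch on "unlink" has been folded to MAY_WRITE the watch also fires on every ordinary write to the inode, and the audit record cannot say which it was unless the hook carries the operation separately.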
