[RFC][PATCH] (#6 U1) the latest incarnation

Timothy R. Chavez tinytim at us.ibm.com
Fri Mar 25 16:46:29 UTC 2005 

On Friday 25 March 2005 07:28 am, Stephen Smalley wrote:
> On Fri, 2005-03-25 at 08:04 -0500, Stephen Smalley wrote:
> > With regard to additional hook placement for audit_notify_watch, I think
> > you likely do want to mirror the security*_post* hooks for file creation
> > (create, mkdir, mknod, symlink), rename, and link with
> > audit_notify_watch calls to perform notifications of such events.  Then
> > you keep audit_attach_watch calls in the dcache routines to manage the
> > i_audit fields and avoid races.  However, I think you need to check
> > whether you truly need all of the current hook placements in the dcache
> > routines or whether some of them are duplicative on the same code path,
> > e.g. do you need both __d_lookup and d_instantiate/d_splice_alias
> > hooked?
>
> I don't see what the __d_lookup hook buys you, can you explain?  The
> d_instantiate and d_splice_alias hooks ensure that you attach watches to
> inodes when they are looked up or created before they can be accessed by
> another thread via the dcache (since you call the hook before releasing
> the dcache lock).  What do you need the __d_lookup hook for?

Hello,

I've kind of struggled with this one and am was a bit reluctant to add it.  
Perhaps my logic is right, bu there's a better placement.  The reason why the 
hook was placed in __d_lookup() was to auto-update a hardlink with the 
correct watch.  The only way a hardlink will generate audit records is if 
it's inode is being watched and the only way the inode can be watched is if 
one of it's dentry's is at a watch point.  So, take this scenario for example 
-- this is how we should currently perform:

watch /tmp/foo
# We get a record for "foo"
cat /tmp/foo
ln /tmp/foo /tmp/bar
watch /tmp/bar
# We get a record for "foo"
cat /tmp/bar
rm /tmp/foo
# __d_lookup() does its magic and we get a record for "bar"
cat /tmp/bar

This might be a completely assanine case now....

If /tmp/bar has a "natural" watch (ie: there's a watch on /tmp for "bar"), 
and /tmp/bar is a hardlink to /tmp/foo, then if /tmp/foo left (it was the 
dentry for the inode that was fufilling the watch criteria), then the inode 
would lose its "foo" watch and /tmp/bar would be watchless.  But /tmp/bar is 
being watched!  So we use __d_lookup() to automatically detect whether or not 
there is a "natural" watch in its current path that it can attach too.  This 
could get a little more interesting if there are N hardlinks to /tmp/foo 
which are all being watched.  Then, any of the /tmp/XN's could claim the 
inode and attach their watch -- it depends on what /tmp/XN calls the 
audiit_attach_watch() first.

Comments? Opinions?

-tim

More information about the Linux-audit mailing list