[RFC][PATCH] (#6 U1) the latest incarnation

Chris Wright chrisw at osdl.org
Fri Mar 25 17:24:37 UTC 2005


* Stephen Smalley (sds at tycho.nsa.gov) wrote:
> On Fri, 2005-03-25 at 11:07 -0600, Timothy R. Chavez wrote:
> > I'm not entirely sure we should hook mknod or symlink.  We're not making any 
> > claims about the watchability of a device, or symlink with this code.  Do you 
> > agree?
> 
> We are only talking about post hooks to generate audit messages via
> audit_notify_watch() if the inode has previously been marked by
> audit_attach_watch().  Given your other hooks, it should already be
> possible to audit reads and writes to device nodes (since a watch should
> be possible to attach using your existing hooks in
> d_instantiate/d_splice_alias and notifications should be generated using
> your hook in permission), so why not allow auditing of creates as well?
> Given that udev makes /dev dynamic, it seems like watches might be
> important there as well, eh?

I agree, I see no reason to exclude these.  They're just inodes in the
filesystem.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net



