[RFC][PATCH] (#6 U1) the latest incarnation
Stephen Smalley
sds at tycho.nsa.gov
Fri Mar 25 17:39:26 UTC 2005
On Fri, 2005-03-25 at 12:25 -0500, Stephen Smalley wrote:
> > # We get a record for "foo"
> > cat /tmp/bar
> > rm /tmp/foo
> > # __d_lookup() does its magic and we get a record for "bar"
> > cat /tmp/bar
>
> Wait. We are still dealing with the same inode at this point. Why was
> its i_audit field changed by the delete if there are other hard links
> present? Don't we want to preserve auditing on the inode in such a
> case, irrespective of whether /tmp/bar had a watch or not, just because
> of the original watch on /tmp/foo?

Ok, I guess not, as the inode will eventually become "unwatched" anyway
if it is evicted and then re-looked up as /tmp/bar or if the system
reboots. The particular scenario seems a bit contrived, but the more
general case you mention later (file has multiple hard links, all with
watches defined a priori, the inode picks up the watch for whatever name
is used first to access it, and then that link is deleted) does seem
like a legitimate concern, as you don't want to lose auditing for
accessing the inode via the other links at that point.
--
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency