[RFC][PATCH] (#6 U1) the latest incarnation
Stephen Smalley
sds at tycho.nsa.gov
Fri Mar 25 18:16:16 UTC 2005
On Fri, 2005-03-25 at 10:46 -0600, Timothy R. Chavez wrote:
> I've kind of struggled with this one and was a bit reluctant to add it.
> Perhaps my logic is right, but there's a better placement. The reason why the
> hook was placed in __d_lookup() was to auto-update a hardlink with the
> correct watch. The only way a hardlink will generate audit records is if
> its inode is being watched and the only way the inode can be watched is if
> one of its dentries is at a watch point. So, take this scenario for example
> -- this is how we should currently perform:
Are you also relying on the __d_lookup() hook to properly update/clear
i_audit->wentry fields for inodes already in the dcache for removed
watches (i.e. after an auditctl -W /tmp/foo, the subsequent
audit_attach_watch call by __d_lookup is what will reset the i_audit
field for /tmp/foo)?
--
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency