[RFC][PATCH 0/2] (#6 U2) filesystem auditing
Timothy R. Chavez
tinytim at us.ibm.com
Tue Mar 29 18:46:10 UTC 2005
On Tuesday 29 March 2005 10:16 am, Stephen Smalley wrote:
> > Deletion:
> > The d_delete() hook is used to drain watchlists and detach from a
> > "watch". We've effectively left the "watch".
>
> It occurs to me that this may be the wrong place for this hook. Note
> that if any other thread is still using the dentry, d_delete only
> unhashes the dentry and defers actual deletion until it has no users.
> So if you always detach at this point, you could lose audit information
> for other users. Looks like you might need to do this in dentry_iput()
> instead, where you truly release the dentry's inode.
>
Ah, thanks. This is a really good point. I'll rework something today with
the feedback I've been given thus far and try to release this afternoon. I'm
going to have to revise the exposition tonight at home and submit to this
list mid-morning tommorow.
-tim
More information about the Linux-audit
mailing list