[RFC][PATCH] (#7U4) file system auditing by location and name

Steve Grubb sgrubb at redhat.com
Sat May 7 13:44:04 UTC 2005


On Friday 06 May 2005 17:16, Timothy R. Chavez wrote:
> This patch is against 12-rc3-mm3 and incorporates feedback I received on
> #7U3 and does not include fixes based on Viro feedback (I'll be working
> on this over the weekend).

I installed the .31 kernel. I then ran:

auditctl -w /etc/passwd -k fk_passwd -p rwea

I got this:

May  7 09:35:02 localhost kernel: CPU:    0
May  7 09:35:02 localhost kernel: EIP:    0060:[<c014baf7>]    Not tainted VLI
May  7 09:35:02 localhost kernel: EFLAGS: 00210046   (2.6.9-5.0.3.EL.audit.31)
May  7 09:35:02 localhost kernel: EIP is at kmem_cache_alloc+0x25/0x4c
May  7 09:35:02 localhost kernel: eax: 00000080   ebx: 000000d0   ecx: 00000000   edx: e273a000
May  7 09:35:02 localhost kernel: esi: 00200246   edi: 00000000   ebp: ed99e410   esp: e273ac04
May  7 09:35:02 localhost kernel: ds: 007b   es: 007b   ss: 0068
May  7 09:35:02 localhost kernel: Process auditctl (pid: 9301, threadinfo=e273a000 task=e8aec880)
May  7 09:35:02 localhost kernel: Stack: ffffffea 000003ef ea4f6e00 c0141a69 ffffffea 000003ef ea4f6e00 000010e5
May  7 09:35:02 localhost kernel:        c01421a5 00000007 00000000 f084b332 ef08d764 00000001 d14995cc 000001bb
May  7 09:35:02 localhost kernel:        eef3355c eef3355c eef3355c eef3355c 00800000 c01c00f2 00000000 000001bb
May  7 09:35:02 localhost kernel: Call Trace:
May  7 09:35:02 localhost kernel:  [<c0141a69>] audit_to_watch+0x15/0xc0
May  7 09:35:02 localhost kernel:  [<c01421a5>] audit_receive_watch+0x3e/0x309
May  7 09:35:02 localhost kernel:  [<f084b332>] __journal_file_buffer+0x10f/0x1e8 [jbd]
May  7 09:35:02 localhost kernel:  [<c01c00f2>] avc_has_perm_noaudit+0x8d/0xda
May  7 09:35:02 localhost kernel:  [<f084b332>] __journal_file_buffer+0x10f/0x1e8 [jbd]
May  7 09:35:02 localhost kernel:  [<c01c017a>] avc_has_perm+0x3b/0x45
May  7 09:35:02 localhost kernel:  [<c013f66f>] audit_receive_msg+0x238/0x25c
May  7 09:35:02 localhost kernel:  [<c013f6c5>] audit_receive_skb+0x32/0x70
May  7 09:35:02 localhost kernel:  [<c013f72b>] audit_receive+0x28/0x7d
May  7 09:35:02 localhost kernel:  [<c02bc636>] netlink_data_ready+0x14/0x43
May  7 09:35:02 localhost kernel:  [<c02bbd35>] netlink_sendskb+0x52/0x6b
May  7 09:35:02 localhost kernel:  [<c02bc452>] netlink_sendmsg+0x267/0x276
May  7 09:35:02 localhost kernel:  [<c029eb3b>] sock_sendmsg+0xdb/0xf7
May  7 09:35:02 localhost kernel:  [<c0147179>] buffered_rmqueue+0x1c4/0x1e7
May  7 09:35:02 localhost kernel:  [<c0147250>] __alloc_pages+0xb4/0x298
May  7 09:35:02 localhost kernel:  [<c015321d>] do_anonymous_page+0x215/0x27f
May  7 09:35:02 localhost kernel:  [<c011d04b>] autoremove_wake_function+0x0/0x2d
May  7 09:35:02 localhost kernel:  [<c029fe4b>] sys_sendto+0xc7/0xe2
May  7 09:35:02 localhost kernel:  [<c01193e9>] do_page_fault+0x1ac/0x4dc
May  7 09:35:02 localhost kernel:  [<c029e8b6>] sock_map_file+0x98/0x106
May  7 09:35:03 localhost kernel:  [<c01547e3>] __vma_link+0x59/0x66
May  7 09:35:03 localhost kernel:  [<c01548d1>] vma_link+0xe1/0x1dd
May  7 09:35:03 localhost kernel:  [<c02a0644>] sys_socketcall+0x14c/0x1dd
May  7 09:35:03 localhost kernel:  [<c030336f>] syscall_call+0x7/0xb
May  7 09:35:03 localhost kernel: Code: 5d e9 6e eb 08 00 57 f6 c2 10 89 c7 56 53 89 d3 74 16 31 c9 ba 0f 08 00 00 b8 f4 3f 31 c0 e8 cc 0e fd ff e8 36 60 1b 00 9c 5e fa <8b> 17 8b 02 85 c0 74 10 c7 42 0c 01 00 00 00 48 89 02 8b 44 82


At this point, I would recommend that we fix this patch without any updates to
remediate problems Al Viro found. I was planning to release 0.7.4 as soon as
I can successfully test that we can insert, remove, and list watches.

-Steve



