audit 0.7.4 released

Timothy R. Chavez tinytim at us.ibm.com
Mon May 9 15:29:38 UTC 2005


On Mon, 2005-05-09 at 11:17 -0400, Valdis.Kletnieks at vt.edu wrote:
> On Mon, 09 May 2005 10:10:01 CDT, "Timothy R. Chavez" said:
> 
> > I've removed the path_lookup from the audit_to_transport code block.
> > Perhaps, we can attempt to find the path via user space once the watch
> > is returned (with path), rather than doing it in the kernel.  Then user
> > space can set the w_valid field.
> 
> This sounds incredibly racy to me, especially in the cases we care about
> (like the re-writing of /etc/passwd by creating a tempfile and renaming it).

Not sure if it really matters in the case I'm talking about.  We're just
getting a list of all the watches in the file system with the paths that
were used to insert them.  As we get our reply, we're still holding the
audit_netlink_sem, so there's no chance of external removal of watches.
There is a chance that while we list watches, we move a directory that
has an 'active' watchlist (which destroys all the watches).  However, I
really don't think even this case truly matters.

The list feature can only give us a "snapshot in time" anyway.  It
shouldn't be gospel.

-tim
