close(2) not being audited?

Alexander Viro aviro at redhat.com
Fri Jan 26 23:29:10 UTC 2007


On Fri, Jan 26, 2007 at 05:01:12PM -0600, Timothy R. Chavez wrote:
> > What do you want in the log?  More specifically, _when_ do you want it?
> 
> Write out a log when the last reference to the fd is put back... whether
> that's from a close or an munmap.

BTW...  Consider the following: threads A and B share descriptor table.
Their stdin is a terminal.
Apr 1: thread A calls read(0, buf, 512);
Apr 2: thread B does close(0);
May 1: user hits enter

After Apr 2 we'll have descriptor 0 closed.  Thread A is still sitting in
read() and it couldn't care less about descriptors.  The file is still
opened, even though all descriptors are gone.

On May 1 read() in thread A finally completes.  Upon exit from read()
we give up a reference to file, so it finally gets closed.

IOW, you'll get "it's been closed by read(2)" in logs.  The same
may apply to any system call doing file IO.  So userland would better
not assume that something recognizable is doing that...
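
The scenario described above, reproduced with a pipe standing in for the terminal, as an added example that is not part of the original message. The function name read_survives_close, the constructed input and the 200 ms delay used to let thread A block are assumptions of this sketch.

```c
#include <pthread.h>
#include <unistd.h>

static int rfd;                 /* descriptor thread A reads from */
static char buf[512];
static ssize_t nread;

/* Thread A: sits in read(); the kernel holds its own reference to the file. */
static void *thread_a(void *unused)
{
    (void)unused;
    nread = read(rfd, buf, sizeof buf);
    return NULL;
}

/* Returns the bytes thread A read after its descriptor was closed, or -1. */
ssize_t read_survives_close(void)
{
    int p[2];
    pthread_t a;
    static const char msg[] = "enter\n";    /* constructed input */

    if (pipe(p) != 0)
        return -1;
    rfd = p[0];
    nread = -1;
    if (pthread_create(&a, NULL, thread_a, NULL) != 0)
        return -1;
    usleep(200 * 1000);         /* assumption: long enough for A to block */

    /* Thread B's part: the descriptor goes away, the open file does not. */
    if (close(p[0]) != 0)
        return -1;
    /* A's in-flight reference keeps the read side open, so no EPIPE here. */
    if (write(p[1], msg, sizeof msg - 1) != (ssize_t)(sizeof msg - 1))
        return -1;

    /* Once A's read() returns, its reference is dropped and the file closes. */
    pthread_join(a, NULL);
    close(p[1]);
    return nread;
}

int main(void)
{
    return read_survives_close() == 6 ? 0 : 1;
}
```

Running it under strace -f shows the close() from one thread completing well before the read() in the other, which is the ordering an audit consumer has to tolerate.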
