close(2) not being audited?

James Antill jantill at redhat.com
Sun Jan 28 21:40:56 UTC 2007


On Fri, 2007-01-26 at 17:46 -0600, Timothy R. Chavez wrote:

> Yep, I was referring to last reference to opened file.
> 
> I'd hate to suggest adding a field to the file like "opened_as" which would
> store the original fd it was assigned, but that would be enough to associate
> the open() record and the final "close" record.


fd1 = open(...);
ptr1 = mmap(fd1, ...);
close(fd1);

fd2 = open(...);
assert(fd1 == fd2);
ptr2 = mmap(fd2, ...);
close(fd2);

munmap(ptr1, ...);
munmap(ptr2, ...);

...what should appear in the logs here? How are you going to tell which
fd each munmap() belongs to?
 Maybe you mean "log inode/device for the file" and not "original fd",
and then if/when you get confused it doesn't matter?

-- 
James Antill <jantill at redhat.com>
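
The sequence from the message above, as an added C example (not code from the original post or from the audit subsystem): it shows the fd number being reused while device/inode still distinguish the two files whose mappings outlive their descriptors. The `/tmp` path template, the struct and the function names are assumptions made for the illustration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* fd number at open time, stable identity (dev + inode), mapping that outlives the fd */
struct opened { int fd; dev_t dev; ino_t ino; char *map; };

/* Create a temp file (constructed sample data), record its fd and dev/inode,
 * map one byte of it, then close the fd as in the message's sequence. */
static int open_map_close(char tag, struct opened *o)
{
    char path[] = "/tmp/fdreuse-XXXXXX";   /* hypothetical path template */
    struct stat st;

    o->fd = mkstemp(path);
    if (o->fd < 0)
        return -1;
    unlink(path);                           /* file lives on via fd and mapping */
    if (write(o->fd, &tag, 1) != 1 || fstat(o->fd, &st) != 0)
        return -1;
    o->dev = st.st_dev;
    o->ino = st.st_ino;
    o->map = mmap(NULL, 1, PROT_READ, MAP_SHARED, o->fd, 0);
    if (o->map == MAP_FAILED)
        return -1;
    return close(o->fd);                    /* fd number is now free for reuse */
}

/* Returns 1 when the fd number was reused while dev/inode still tell the two
 * files apart and both mappings remain readable; 0 otherwise; -1 on error. */
int fd_reused_but_inode_distinct(void)
{
    struct opened a, b;

    if (open_map_close('A', &a) != 0 || open_map_close('B', &b) != 0)
        return -1;
    int ok = a.fd == b.fd && (a.dev != b.dev || a.ino != b.ino)
             && a.map[0] == 'A' && b.map[0] == 'B';
    printf("fd %d/%d  inode %lu/%lu\n", a.fd, b.fd,
           (unsigned long)a.ino, (unsigned long)b.ino);
    munmap(a.map, 1);
    munmap(b.map, 1);
    return ok;
}

int main(void) { return fd_reused_but_inode_distinct() == 1 ? 0 : 1; }
```

The first file's inode cannot be recycled for the second because the live mapping still holds a reference to it, which is why device/inode stays a usable key where the fd number does not.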