close(2) not being audited?

Timothy R. Chavez tinytim at ibm.com
Sat Jan 27 00:03:22 UTC 2007


On Fri, 26 Jan 2007 18:29:10 -0500
Alexander Viro <aviro at redhat.com> wrote:

> On Fri, Jan 26, 2007 at 05:01:12PM -0600, Timothy R. Chavez wrote:
> > > What do you want in the log?  More specifically, _when_ do you want it?
> > 
> > Write out a log when the last reference to the fd is put back... whether
> > that's from a close or an munmap.
> 
> BTW...  Consider the following: threads A and B share descriptor table.
> Their stdin is a terminal.
> Apr 1: thread A calls read(0, buf, 512);
> Apr 2: thread B does close(0);
> May 1: user hits enter
> 
> After Apr 2 we'll have descriptor 0 closed.  Thread A is still sitting in
> read() and it couldn't care less about descriptors.  The file is still
> opened, even though all descriptors are gone.
> 
> On May 1 read() in thread A finally completes.  Upon exit from read()
> we give up a reference to file, so it finally gets closed.
> 
> IOW, you'll get "it's been closed by read(2)" in logs.  The same
> may apply to any system call doing file IO.  So userland would better
> not assume that something recognizable is doing that...

That seems perfectly reasonable to me.

-tim
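
The scenario Al Viro describes in the quoted text above, as an added example that is not part of the original message or of any kernel or audit code. It assumes Linux and uses a pipe in place of the terminal so the release is observable from userland: while the reader is still inside read(2) a write succeeds even though the descriptor is closed, and only after read(2) returns does a write fail with EPIPE. The names run_demo and reader and the 300 ms delay are assumptions of this sketch.

```c
/* Linux: close() in thread B while thread A is blocked in read(). */
#include <errno.h>
#include <pthread.h>
#include <signal.h>
#include <stdatomic.h>
#include <stdio.h>
#include <unistd.h>

static int rfd;               /* read end of the pipe, shared descriptor table */
static atomic_int entering;   /* set by thread A just before it calls read() */
static ssize_t got;           /* what thread A's read() returned */

static void *reader(void *arg) {
    char buf[16];
    (void)arg;
    atomic_store(&entering, 1);
    got = read(rfd, buf, sizeof buf);  /* thread A: blocks, holding a file reference */
    return NULL;
}

/* Returns 0 if every step behaved as described, else the number of the failed step. */
int run_demo(void) {
    int p[2];
    pthread_t a;
    signal(SIGPIPE, SIG_IGN);          /* report EPIPE instead of killing the process */
    if (pipe(p)) return 1;
    rfd = p[0];
    atomic_store(&entering, 0);
    if (pthread_create(&a, NULL, reader, NULL)) return 2;
    while (!atomic_load(&entering)) usleep(1000);
    usleep(300 * 1000);                /* assumed long enough for A to block in read() */
    if (close(p[0])) return 3;         /* thread B: the only read descriptor is gone */
    /* The file is still open (A pins it), so the pipe still has a reader. */
    if (write(p[1], "x", 1) != 1) return 4;
    pthread_join(a, NULL);
    if (got != 1) return 5;            /* A's read() completed normally on the closed fd */
    /* A left read() and dropped the last reference: the release happened there. */
    if (write(p[1], "y", 1) != -1 || errno != EPIPE) return 6;
    close(p[1]);
    return 0;
}

int main(void) {
    int rc = run_demo();
    printf("run_demo() = %d\n", rc);
    return rc;
}
```

The point at which the second write starts failing is the point where a "last reference put back" audit record would be generated, and the syscall in progress there is read(2), not close(2).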



