[PATCH 1/7] audit: convert audit watches to use fsnotify instead of inotify
Eric Paris
eparis at redhat.com
Fri Jun 19 21:03:50 UTC 2009
On Tue, 2009-06-16 at 13:09 -0300, Klaus Heinrich Kiwi wrote:
> On Tue, 2009-06-16 at 11:43 -0400, Eric Paris wrote:
> > Note that audit watches don't use inotify to do any of the actual
> > auditing. They just use inotify to discover the watched files were
> > created or removed. So we weren't using much of the inotify feature
> > set.
>
> Eric,
>
> thanks for the thorough explanation.
>
> It's been a while since I last looked, but the file watches are being
> audited at the syscall level, right? So inotify/fsnotify is used to
> associate a filename to an inode when the file is created, or to
> deassociate when it is removed. Is the rename/mv also covered by those
> or differently? I remember that moving a file around doesn't invalidate
> its rule (the file's inode is still the same), but auditctl -l doesn't
> follow the name around, for example.
>
> But that's also probably the right thing to do in that case, I'm not
> sure.
So fsnotify and inotify are the same in these regards. Basically a
watch is really on a "directory inode + a name". It's easiest to explain
what goes on in examples.
-F path=/tmp/dir1/file1, so the inotify/fsnotify watch is attached to
the /tmp/dir1 inode. We also maintain that what we care about is
"file1".
If you mv /tmp/dir1 to /tmp/dir2 the rule is deleted from the system
(and an audit config change record is written in the logs).
If instead you create /tmp/dir1/file1 we get a notification, update the
lists with the new inode number for /tmp/dir1/file1 and at syscall exit
will output a record if the /tmp/dir1/file1 was accessed.
If you delete /tmp/dir1/file1 or move it to /tmp/dir1/file2 we will
update the lists with the fact that there is no inode
for /tmp/dir1/file1, and so when a syscall exits it will obviously
not find that it needs to output a record.
So we handle add/remove/mv of the actual file of a watch as would be
expected. If the file this syscall accessed was called [blah] at
syscall exit we will emit a watch. If the file wasn't called [blah] we
won't. The only thing interesting is removing or moving the parent
directory, which actually removes the whole rule, never to return.
-Eric
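A small added model of the watch semantics Eric describes above (this is illustrative code written for this archive page, not the kernel's audit code or anything from the patch series): a rule is keyed on (parent directory inode, basename), fsnotify events on the parent update which inode the name currently resolves to, and at syscall exit a record is only emitted when the accessed inode matches the inode currently held by a rule. Inode numbers and the event names are constructed for the example.

```python
"""Model of audit path watches: bound to (parent dir inode, name), not to the file inode."""


class AuditWatchModel:
    """Constructed simulation of the list-update rules described in the thread."""

    def __init__(self):
        self.rules = {}        # (parent_ino, name) -> inode the name resolves to, or None
        self.config_log = []   # stands in for the audit config-change records

    def add_watch(self, parent_ino, name, file_ino=None):
        # -F path=/dir/name: watch attaches to the directory inode, remembers "name"
        self.rules[(parent_ino, name)] = file_ino

    # --- fsnotify events delivered for the watched parent directory ---
    def on_create(self, parent_ino, name, file_ino):
        key = (parent_ino, name)
        if key in self.rules:           # the name we care about now has an inode
            self.rules[key] = file_ino

    def on_delete(self, parent_ino, name):
        key = (parent_ino, name)
        if key in self.rules:           # name no longer resolves to anything
            self.rules[key] = None

    def on_rename(self, parent_ino, old_name, new_name, file_ino):
        # rename within the directory: old name loses its inode, new name gains it
        self.on_delete(parent_ino, old_name)
        self.on_create(parent_ino, new_name, file_ino)

    def on_parent_gone(self, parent_ino):
        # mv/rm of the watched directory: the rule itself is removed, never to return
        for key in [k for k in self.rules if k[0] == parent_ino]:
            del self.rules[key]
            self.config_log.append("config change: rule removed for watch %r" % (key,))

    # --- syscall exit: which rules would emit a record for this inode? ---
    def syscall_exit(self, accessed_ino):
        return [k for k, ino in self.rules.items() if ino is not None and ino == accessed_ino]


def run_scenario():
    """Walk through the create / rename / parent-move cases; returns the hit lists."""
    m = AuditWatchModel()
    dir_ino, file_ino = 100, 200            # constructed inode numbers for /tmp/dir1 and file1
    m.add_watch(dir_ino, "file1")           # rule added before the file exists
    before = m.syscall_exit(file_ino)       # no inode known yet -> no record
    m.on_create(dir_ino, "file1", file_ino)
    created = m.syscall_exit(file_ino)      # now matches
    m.on_rename(dir_ino, "file1", "file2", file_ino)
    renamed = m.syscall_exit(file_ino)      # same inode, but it is no longer "file1"
    m.on_rename(dir_ino, "file2", "file1", file_ino)
    restored = m.syscall_exit(file_ino)     # moved back: the name resolves again
    m.on_parent_gone(dir_ino)
    return before, created, renamed, restored, m.rules, m.config_log
```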