On Wed, Dec 15, 2004 at 09:47:38AM +1100, Leigh Purdie wrote:
> On Tue, 2004-12-14 at 15:42 -0600, Serge E. Hallyn wrote:
> > No, I think we all agree that anything much more complicated should be done
> > in userspace. The only real reason to care about doing some in kernel space,
> > I think, is to minimize wasted kernel->auditd traffic.
>
> Caveat: I don't recommend asking userspace to grab the full path name
> from inode information supplied by the kernel, as has been suggested in
> the past. Although this shifts the burden of processing in the right
> direction (ie: to user-space), by the time the inode info gets there,
> the file might have already gone.

Agreed, none of the current approaches are planning to do that.

> UID/GID -> User/Group Name has similar issues I guess, but much harder
> to cover (as the kernel generally doesn't have visibility of user
> names).
Well, at least here the mapping can be changed only by trusted processes,
so this doesn't seem exploitable. Since CAPP requires changes to the user
database to be audited, the information to reconstruct the correct
meaning would be present in audit records.
-Klaus
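The two resolution problems discussed in this message, shown as an added Python example that is not part of the thread or of any audit implementation. It demonstrates (1) why resolving an inode to a path in userspace after the fact races with unlink, and (2) how a UID can still be mapped to the right user name later when user-database changes are themselves audited. The event records, field names (`dev`, `ino`, `ts`, `uid`) and the `USER_DB_CHANGES` history are constructed for illustration and are not the Linux audit record format.

```python
"""Added example (not from the linux-audit thread): post-hoc resolution of
audit data, done the racy way (inode -> path in userspace) and the
reconstructable way (uid -> name from audited user-database changes).

Every record below is constructed for illustration; none of the field
names are the real Linux audit format.
"""
import os
import tempfile


def resolve_inode(root, dev, ino):
    """Walk `root` looking for the object with the given (dev, ino).

    This is the userspace-side lookup the thread warns against: it can
    only succeed while the file is still linked somewhere under `root`.
    """
    for dirpath, dirnames, filenames in os.walk(root):
        for name in filenames + dirnames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except FileNotFoundError:
                continue  # lost a race with a concurrent unlink
            if st.st_dev == dev and st.st_ino == ino:
                return full
    return None


def demo_inode_race(unlink_before_resolve):
    """Emit two constructed 'kernel' records for one file, one carrying
    only (dev, ino) and one carrying the path resolved at event time,
    then try to resolve the inode record after the file has (optionally)
    been unlinked.  Returns (inode_resolved_path_or_None, recorded_path).
    """
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "secret.txt")
        with open(target, "w") as f:
            f.write("x")
        st = os.stat(target)
        inode_event = {"dev": st.st_dev, "ino": st.st_ino}  # inode-only record
        path_event = {"path": target}  # name captured while the file exists
        if unlink_before_resolve:
            os.unlink(target)  # file is gone before userspace gets to it
        resolved = resolve_inode(root, inode_event["dev"], inode_event["ino"])
        return resolved, path_event["path"]


# Constructed audit trail of user-database changes: (timestamp, uid, new_name).
# A system that audits such changes (as CAPP requires) leaves this history
# available to whoever later interprets a raw uid in an event record.
USER_DB_CHANGES = [
    (100, 1001, "alice"),    # account created as alice
    (200, 1001, "mallory"),  # account renamed
    (300, 1001, None),       # account deleted
]


def name_at(uid, ts, changes=USER_DB_CHANGES):
    """Return the name `uid` mapped to at time `ts`, replaying the audited
    user-database changes in order.  None means no account existed then."""
    name = None
    for when, changed_uid, new_name in sorted(changes, key=lambda c: c[0]):
        if changed_uid != uid or when > ts:
            continue
        name = new_name
    return name


# Constructed event records that carry only the numeric uid.
AUDIT_EVENTS = [
    {"ts": 150, "uid": 1001, "op": "login"},
    {"ts": 250, "uid": 1001, "op": "login"},
    {"ts": 350, "uid": 1001, "op": "login"},
]


def annotate(events, changes=USER_DB_CHANGES):
    """Attach the user name valid at each event's timestamp."""
    return [dict(e, user=name_at(e["uid"], e["ts"], changes)) for e in events]


if __name__ == "__main__":
    print("inode resolved, file kept:   ", demo_inode_race(False)[0] is not None)
    print("inode resolved, file removed:", demo_inode_race(True)[0] is not None)
    for e in annotate(AUDIT_EVENTS):
        print(e)
```

Run it and the inode lookup succeeds only while the file is still linked, which is exactly Leigh's caveat; the uid lookup, by contrast, yields `alice`, then `mallory`, then no account, because the renames and deletion are in the audit trail rather than only in the live passwd file.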