* Klaus Weidner (klaus(a)atsec.com) wrote:
> On Tue, Feb 22, 2005 at 01:58:42PM -0600, Timothy R. Chavez wrote:
> > And admittedly, I am also being a little redundant in that
> > the original code can already provide us with the read() and write()
> > exit code and the file/directory being read from/written to. However,
> > if we want to specifically monitor activity in the filesystem
> > surrounding watched objects, then wouldn't these hooks in read(),
> > write(), etc be vital? Klaus? How else will we know if a read() or
> > write() truly succeeded or failed on a watched filesystem object?
>
> read() and write() aren't considered security relevant operations since
> they don't do any permission checks. From the CC point of view the
> interesting call is open(), and if that's properly handled it's enough.

Does this potentially change with LSPP? Since LSM (SELinux as an
example) does actually check read/write?
thanks,
-chris
--
Linux Security Modules
http://lsm.immunix.org http://lsm.bkbits.net