On Tue, 2005-01-25 at 15:25 -0600, Timothy R. Chavez wrote:
> Can you elaborate on why you think namespaces are an issue? I'm
> having a hard time understanding why this would be any more of a
> problem than any other intentional subversion of the audit subsystem
> by the administrator (where administrator == root). Perhaps there is
> a way for a user process to subvert the audit subsystem using
> namespace trickery?
I'm not sure it's a _problem_ but I just wanted to make sure you bear it
in mind.
> If the root user issues a "watch /etc/passwd" it will resolve to the
> inode for passwd in the given namespace. Any accesses on that inode,
> in that namespace (presumably the only access we care about), by an
> audited syscall will be noted and sent to userspace. Isn't that
> sufficient?
Possibly; as long as the owner of the namespace can't mount the file
system containing it elsewhere, or 'mount --bind /etc /tmp/x' and get
round the watch. Your method of attaching to the dentry looks like it
works correctly in that case, but again I wanted to be sure it's by
design, and it stays that way.
--
dwmw2
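The bind-mount case raised above ('mount --bind /etc /tmp/x') is the difference between a watch keyed on a path string and one attached to the dentry/inode. The following is an added example, not code from this thread or from the audit patches under discussion: it walks a (constructed) /proc/self/mountinfo table and lists every path name under which the watched inode is reachable, so an administrator can check which aliases a path-based watch would miss and which an inode-attached watch covers by construction. The function names and the sample mount table are assumptions.

```python
import os
from typing import List, Optional, Tuple

# Constructed /proc/self/mountinfo sample (not taken from the thread):
# the root filesystem plus the 'mount --bind /etc /tmp/x' alias it mentions.
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
45 22 8:1 /etc /tmp/x rw,relatime shared:1 - ext4 /dev/sda1 rw
60 22 0:20 / /proc rw,nosuid - proc proc rw
"""

def _parse(mountinfo: str) -> List[Tuple[str, str, str]]:
    # mountinfo fields: id parent maj:min root mount_point opts ... - fstype src
    mounts = []
    for line in mountinfo.splitlines():
        f = line.split()
        if len(f) >= 5:
            mounts.append((f[2], f[3], f[4]))  # (device, fs root, mount point)
    return mounts

def _under(path: str, prefix: str) -> bool:
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")

def _strip(path: str, prefix: str) -> str:
    return path if prefix == "/" else path[len(prefix):]

def alias_paths(target: str, mountinfo: str) -> List[str]:
    """All path names resolving to the same inode as `target` in this
    mount table. An inode/dentry-attached watch sees accesses via any of
    them; a watch matched on the path string only sees `target` itself."""
    target = os.path.normpath(target)
    mounts = _parse(mountinfo)
    # The mount holding `target` is the one with the longest matching mount point.
    holder: Optional[Tuple[str, str, str]] = max(
        (m for m in mounts if _under(target, m[2])), key=lambda m: len(m[2]),
        default=None)
    if holder is None:
        return [target]
    dev, root, mp = holder
    # Location of the file relative to the root of its filesystem.
    fs_rel = os.path.normpath(os.path.join(root, _strip(target, mp).lstrip("/")))
    # Every mount of the same device whose subtree contains fs_rel is an alias.
    names = set()
    for d, r, m in mounts:
        if d == dev and _under(fs_rel, r):
            names.add(os.path.normpath(os.path.join(m, _strip(fs_rel, r).lstrip("/"))))
    return sorted(names)

if __name__ == "__main__":
    print(alias_paths("/etc/passwd", SAMPLE_MOUNTINFO))
```

On a live system, feed it the contents of /proc/self/mountinfo instead of the sample; note it only sees the mount namespace of the calling process, which is exactly the per-namespace scoping the thread is discussing.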