On Tue, 2005-01-25 at 21:37 +0000, David Woodhouse wrote:
> Possibly; as long as the owner of the namespace can't mount the file
> system containing it elsewhere, or 'mount --bind /etc /tmp/x' and get
> round the watch. Your method of attaching to the dentry looks like it
> works correctly in that case, but again I wanted to be sure it's by
> design, and it stays that way.
Yup, we've definitely been keeping that in mind. And the ramifications
can get subtle, so please do let us know if you find a case we
overlooked. But as it stands, every meaningful case seems to be
handled:
    watch /etc/passwd
    chroot_ns /mnt/d6
    touch /etc/passwd

that /etc/passwd is /mnt/d6/etc/passwd, so we don't care.

    watch /etc/passwd
    mount --bind /etc /mnt/d6/etc
    chroot_ns /mnt/d6
    touch /etc/passwd

since /mnt/d6/etc is in fact /etc, we will have the right watch list,
and /mnt/d6/etc/passwd will be watched.

    watch /etc/passwd
    touch /mnt/d6/etc/passwd
    mount --bind /etc/passwd /mnt/d6/etc/passwd
    chroot_ns /mnt/d6
    touch /etc/passwd
    (audited)
    rm /etc/passwd
    (audited)
    touch /etc/passwd
    (new file is *not* watched)
By the way, Tim, please test each case that I've mentioned here :) I'm
just saying our design should cover them. Please make sure!
thanks,
-serge
--
Serge Hallyn <serue(a)us.ibm.com>
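The three cases above, replayed in a constructed Python model of why a watch attached to the dentry/inode behaves as described under chroot and bind mounts. This is an added example, not code from the thread or from the audit patches; `chroot_ns` is the hypothetical tool named in the mail, the paths and inode numbers are made up, and real mount restrictions (such as unlinking a mountpoint) are ignored.

```python
from itertools import count

class ToyVfs:
    """Constructed toy VFS: a path is prefixed with the chroot, rewritten through
    bind mounts, then mapped to an inode.  Watches attach to the inode (the
    dentry in the real audit code), never to the path string."""
    def __init__(self):
        self.root, self.binds, self.inodes = "", {}, {}
        self.watched, self.audited, self._ino = set(), [], count(1)

    def _resolve(self, path):
        path = self.root + path                  # chroot_ns: prefix the new root
        moved = True
        while moved:                             # follow bind mounts, longest prefix first
            moved = False
            for mp in sorted(self.binds, key=len, reverse=True):
                if path == mp or path.startswith(mp + "/"):
                    path, moved = self.binds[mp] + path[len(mp):], True
                    break
        return path

    def chroot_ns(self, path):                   # hypothetical tool from the mail
        self.root = self._resolve(path)
    def bind(self, src, dst):                    # mount --bind src dst
        self.binds[self._resolve(dst)] = self._resolve(src)
    def watch(self, path):                       # the watch follows the inode
        self.watched.add(self.inodes[self._resolve(path)])

    def touch(self, path):                       # returns the inode touched
        ino = self.inodes.setdefault(self._resolve(path), next(self._ino))
        if ino in self.watched:
            self.audited.append(("touch", path))
        return ino

    def rm(self, path):                          # unlink: the inode goes away
        if self.inodes.pop(self._resolve(path)) in self.watched:
            self.audited.append(("rm", path))

def run_cases():
    """Replays the three cases from the mail; returns each case's audit log."""
    a = ToyVfs(); a.touch("/etc/passwd"); a.watch("/etc/passwd")
    a.chroot_ns("/mnt/d6"); a.touch("/etc/passwd")      # different inode: silent
    b = ToyVfs(); b.touch("/etc/passwd"); b.watch("/etc/passwd")
    b.bind("/etc", "/mnt/d6/etc"); b.chroot_ns("/mnt/d6"); b.touch("/etc/passwd")
    c = ToyVfs(); c.touch("/etc/passwd"); c.watch("/etc/passwd")
    c.touch("/mnt/d6/etc/passwd"); c.bind("/etc/passwd", "/mnt/d6/etc/passwd")
    c.chroot_ns("/mnt/d6"); c.touch("/etc/passwd"); c.rm("/etc/passwd")
    c.touch("/etc/passwd")                               # fresh inode: unwatched
    return a.audited, b.audited, c.audited
```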