On Tue, 2005-02-22 at 09:54 -0800, Chris Wright wrote:
> The dev value is actually rdev. So it's not bogus if you're accessing,
> for example, /dev/hda1. Reasonable question whether that's both
> intentional and sufficient. Given namespace possibilities, I assumed
> that dev/ino pair was dumped to uniquely identify the object.

Yes, this looks like a bug to me in the audit code, particularly as the
existing filter code lets you filter based on rdev and ino (whereas I'd
expect you would want to filter based on a specific object identified by
(dev,ino) pair). Should path_lookup() be passing
nd->dentry->d_inode->i_sb->s_dev to audit_inode() instead?
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency
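
Added example, not part of the original message and not the kernel's audit code: a userspace C sketch of the distinction discussed above, using stat(2), where st_dev is the device holding the filesystem and st_rdev is the device a special file refers to. The struct watch type and the watch_path/match_* helpers are hypothetical names; it assumes Linux, where st_rdev is 0 for files that are not device nodes.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <sys/types.h>

/* A watch rule naming one object by the device its filesystem lives on
 * and its inode number there (hypothetical struct, for illustration). */
struct watch { dev_t dev; ino_t ino; };

/* Build a rule for the object at path. Returns 0, or -1 if stat() fails. */
int watch_path(const char *path, struct watch *w)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    w->dev = st.st_dev;
    w->ino = st.st_ino;
    return 0;
}

/* Compare the rule against (st_dev, st_ino): identifies the object. */
int match_dev_ino(const struct watch *w, const struct stat *st)
{
    return w->dev == st->st_dev && w->ino == st->st_ino;
}

/* Compare against (st_rdev, st_ino) instead. st_rdev is the device a
 * char/block node refers to and (assumption: Linux) is 0 for other file
 * types, so this does not identify the object the rule was built for. */
int match_rdev_ino(const struct watch *w, const struct stat *st)
{
    return w->dev == st->st_rdev && w->ino == st->st_ino;
}

/* Print both device numbers for each path given on the command line. */
int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        struct stat st;
        if (stat(argv[i], &st) != 0) {
            perror(argv[i]);
            continue;
        }
        printf("%s: dev=%u:%u ino=%llu rdev=%u:%u\n", argv[i],
               major(st.st_dev), minor(st.st_dev),
               (unsigned long long)st.st_ino,
               major(st.st_rdev), minor(st.st_rdev));
    }
    return 0;
}
```

Run against a device node such as /dev/hda1 and a regular file to compare the two fields: only the device node reports a non-zero rdev.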