On Tue, 2009-06-16 at 11:43 -0400, Eric Paris wrote:
> Note that audit watches don't use inotify to do any of the actual
> auditing. They just use inotify to discover the watched files were
> created or removed. So we weren't using much of the inotify feature
> set.
Eric,
thanks for the thorough explanation.
It's been a while since I last looked, but the file watches are being
audited at the syscall level, right? So inotify/fsnotify is used to
associate a filename to an inode when the file is created, or to
deassociate when it is removed. Is the rename/mv also covered by those
or differently? I remember that moving a file around doesn't invalidate
its rule (the file's inode is still the same), but auditctl -l doesn't
follow the name around, for example.
But that's also probably the right thing to do in that case, I'm not
sure.
-Klaus
--
Klaus Heinrich Kiwi <klausk(a)linux.vnet.ibm.com>
Linux Security Development, IBM Linux Technology Center
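To make concrete what a parent-directory inotify watch actually reports for the create, rename and remove cases discussed above, here is an added stand-alone C example; it is neither kernel audit code nor code from either poster, and the scratch directory and file names it uses are constructed for the demo. The rename shows up as an IN_MOVED_FROM/IN_MOVED_TO pair sharing one cookie, which is what lets a watcher keyed by inode tell a move apart from a delete followed by a create.

```c
#define _GNU_SOURCE
#include <sys/inotify.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

struct seen {
    unsigned int mask;   /* OR of every event mask delivered by the watch */
    int rename_paired;   /* 1 if IN_MOVED_FROM/IN_MOVED_TO carried the same cookie */
};

/* Watch a constructed scratch directory, then create, rename and unlink a
 * file inside it and collect the inotify events that describe those steps. */
struct seen watch_create_rename_unlink(void)
{
    struct seen s = { 0, 0 };
    char dir[] = "/tmp/auditwatch-XXXXXX";          /* constructed, not a real path */
    if (!mkdtemp(dir)) return s;
    int ifd = inotify_init1(IN_NONBLOCK);            /* non-blocking: read loop ends when drained */
    if (ifd < 0 || inotify_add_watch(ifd, dir,
            IN_CREATE | IN_DELETE | IN_MOVED_FROM | IN_MOVED_TO) < 0)
        return s;

    char from[PATH_MAX], to[PATH_MAX];
    snprintf(from, sizeof from, "%s/watched", dir);
    snprintf(to, sizeof to, "%s/renamed", dir);
    close(open(from, O_CREAT | O_WRONLY, 0600));    /* -> IN_CREATE     "watched" */
    rename(from, to);                                /* -> IN_MOVED_FROM + IN_MOVED_TO */
    unlink(to);                                      /* -> IN_DELETE     "renamed" */
    unsigned int from_cookie = 0, to_cookie = 0;
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    ssize_t n;
    while ((n = read(ifd, buf, sizeof buf)) > 0) {
        for (char *p = buf; p < buf + n; ) {
            struct inotify_event *ev = (struct inotify_event *)p;
            s.mask |= ev->mask;
            if (ev->mask & IN_MOVED_FROM) from_cookie = ev->cookie;
            if (ev->mask & IN_MOVED_TO)   to_cookie = ev->cookie;
            printf("%-8s mask=0x%08x cookie=%u\n", ev->len ? ev->name : "", ev->mask, ev->cookie);
            p += sizeof *ev + ev->len;
        }
    }
    s.rename_paired = (from_cookie != 0 && from_cookie == to_cookie);
    close(ifd);
    rmdir(dir);
    return s;
}
```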