On Tue, 25 Jan 2005 09:40:00 -0800 (PST), Casey Schaufler
<casey(a)schaufler-ca.com> wrote:
--- "Timothy R. Chavez" <chavezt(a)gmail.com> wrote:
> I'd appreciate any and all comments / feedback.
Not bad. Couple of comments/questions:
> + /* The root directory cannot be watched */
> + if (!strcmp(path, "/")) {
> + ret = -EPERM;
> + goto audit_remove_watch_exit;
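Review bot: comparing the raw string against "/" rejects only that one spelling; "//", "/." or "/../" resolve to the same directory and pass the check, and inside a chroot the process's root is not spelled "/" at all. Do the check after path lookup against the resolved object rather than against the string, and say in the comment why the root is refused so the -EPERM is explainable to callers.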
What are the implications regarding a chroot
environment? I can imagine (although it strikes
me as somewhat insane) an admin wanting to audit
everything that goes on in a chroot environment,
say for a honeypot. The watching would have to
be enabled from outside. Not a bad thing, but is
it what you want?
To be honest, I haven't really considered the chroot environment. I
guess the check really needs to be after the lookup and I should
check:
if (nd.dentry == nd.dentry->d_parent) { /* a dentry that is its own parent is a filesystem root */
	return -EPERM;
	....
}
The reason for this is simple. You can't watch yourself. Is this a problem?
> +/* The structure that stores information about
files/directories being
> + * watched in the filesystem, that the syscall
accessed.
> + */
> +
> +struct audit_file {
> + struct audit_watch *watch;
> + struct list_head list;
> + unsigned long ino;
> + umode_t mode;
> + uid_t uid;
> + gid_t gid;
> + dev_t rdev;
> + int mask;
> +};
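Review bot: the snapshot stores `ino` but not the device the inode lives on; `rdev` is the device number of a special file, not the containing filesystem, so `ino` alone is ambiguous across mounts and cannot be matched back to the file later. Add a `dev_t dev` next to `ino`. The `mask` and `list` members also carry no comment saying what the mask means or which list the entry is linked on; the block comment above describes only the struct as a whole.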
Where does one put the ACL, MAC label, and/or
capability set of the file? I may not be able
to go get it later, as it may change or worse,
the file might be gone by then.
I've not given this any thought. This is on the table and needs to be
discussed further. Klaus?
=====
Casey Schaufler
casey(a)schaufler-ca.com
--
- Timothy R. Chavez
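The difference between the two root checks discussed in this thread, shown in user space as an added example (not code from the patch or from either author): the string test only rejects the literal "/", while a post-lookup test compares the resolved object's identity (st_dev, st_ino) with that of "/", so alternative spellings and, inside a chroot, the chroot's own root are caught as well. The function names and the sample paths are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Check as written in the patch: only the literal spelling "/" is refused. */
int is_root_by_string(const char *path)
{
	return strcmp(path, "/") == 0;
}

/* Post-lookup check: resolve the path and compare its (device, inode)
 * identity with that of "/". Inside a chroot, "/" resolves to the chroot
 * root, so the comparison tracks the process's view of the tree.
 * Returns 1 if path names the root, 0 if not, -1 if it cannot be resolved. */
int is_root_by_lookup(const char *path)
{
	struct stat st, root;

	if (stat("/", &root) != 0)
		return -1;
	if (stat(path, &st) != 0)
		return -1;
	return st.st_dev == root.st_dev && st.st_ino == root.st_ino;
}

int main(void)
{
	/* Constructed sample paths: all but the last name the root directory. */
	const char *paths[] = { "/", "//", "/.", "/../", "/tmp" };
	size_t i;

	for (i = 0; i < sizeof(paths) / sizeof(paths[0]); i++)
		printf("%-6s string:%d lookup:%d\n", paths[i],
		       is_root_by_string(paths[i]),
		       is_root_by_lookup(paths[i]));
	return 0;
}
```

Run it in a chroot and "/" still compares equal to the chroot root, which is the case the string test cannot express; the kernel-side analogue is to make the decision on the resolved dentry after lookup, as proposed above.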