--- "Timothy R. Chavez" <chavezt(a)gmail.com> wrote:
 
 I'd appreciate any and all comments / feedback.  
Not bad. Couple of comments/questions:
 +	/* The root directory cannot be watched */
 +	if (!strcmp(path, "/")) {
 +		ret = -EPERM;
 +		goto audit_remove_watch_exit; 
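Review bot: the root check is a raw `strcmp(path, "/")`, so it refuses only the literal string "/" and an equivalent spelling such as "//", "/." or "/./" gets past it; if the intent is that the filesystem root can never be watched, resolve the path first and compare the resulting dentry against the root (or at least normalize the string) before returning -EPERM. A one-line comment saying why the root is excluded would also help, since -EPERM reads as a permission failure rather than "this target is not supported".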
What are the implications regarding a chroot
environment? I can imagine (although it strikes
me as somewhat insane) an admin wanting to audit
everything that goes on in a chroot environment,
say for a honeypot. The watching would have to
be enabled from outside. Not a bad thing, but is
it what you want?
 +/* The structure that stores information about
files/directories being
 + * watched in the filesystem, that the syscall 
accessed.
 + */
 +
 +struct audit_file {
 +	struct audit_watch *watch;
 +	struct list_head list;
 +	unsigned long ino;
 +	umode_t mode;
 +	uid_t uid;
 +	gid_t gid;
 +	dev_t rdev;
 +	int mask;
 +}; 
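Review bot: the header comment describes `struct audit_file` as a whole but none of its fields; in particular `mask` is undocumented (which event or access bits it carries) and `list` does not say which list it is linked into, and nothing states at what moment `ino`, `mode`, `uid`, `gid` and `rdev` are captured, which matters because the structure is a snapshot of a file that can change or disappear afterwards. Suggest a short per-field comment, e.g. `int mask; /* access bits requested by the audited syscall */`, and a sentence in the header comment saying the values are recorded at the time of the syscall.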
Where does one put the ACL, MAC label, and/or
capability set of the file? I may not be able
to go get it later, as it may change or worse,
the file might be gone by then.
=====
Casey Schaufler
casey(a)schaufler-ca.com
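The point in the reply above, that the ACL and MAC label of a file have to be captured at the time of the audited access because a later lookup may see a changed or deleted file, can be shown in user space. The following is an added example, not code from the patch or from the kernel audit subsystem: it builds a hypothetical `struct file_snapshot` with the same fields as the posted `struct audit_file` plus the POSIX ACL presence and the `security.selinux` label (both read via Linux `lgetxattr`, which is an assumption about the platform), then shows that the snapshot still answers after the file is unlinked while a fresh lookup fails. All function and type names are this example's own.

```c
/* Added example: snapshotting file security attributes at access time.
 * Assumes Linux (sys/xattr.h, lgetxattr) and a writable /tmp. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/xattr.h>

#define LABEL_MAX 256

/* Hypothetical user-space analogue of the posted struct audit_file,
 * extended with the attributes the review asks about. */
struct file_snapshot {
	unsigned long ino;
	mode_t mode;
	uid_t uid;
	gid_t gid;
	dev_t rdev;
	int has_acl;               /* 1 if system.posix_acl_access is present */
	char mac_label[LABEL_MAX]; /* security.selinux value, "" if none */
};

/* Read one extended attribute into buf (NUL-terminated).
 * Returns 1 if present, 0 if absent or the filesystem lacks xattr
 * support, -1 on any other error (e.g. ERANGE when buf is too small). */
static int read_xattr(const char *path, const char *name, char *buf, size_t len)
{
	ssize_t n = lgetxattr(path, name, buf, len - 1);
	if (n < 0) {
		if (errno == ENODATA || errno == ENOTSUP)
			return 0;
		return -1;
	}
	buf[n] = '\0';
	return 1;
}

/* Record the file's identity and security attributes now, at the moment
 * of the audited access. Returns 0 on success, -1 (errno set) if the
 * file cannot be stat'ed. Label/ACL lookups that fail are recorded as
 * absent rather than aborting the snapshot. */
int snapshot_file(const char *path, struct file_snapshot *s)
{
	struct stat st;
	char acl[512];

	memset(s, 0, sizeof *s);
	if (lstat(path, &st) < 0)
		return -1;
	s->ino = st.st_ino;
	s->mode = st.st_mode;
	s->uid = st.st_uid;
	s->gid = st.st_gid;
	s->rdev = st.st_rdev;

	s->has_acl = (read_xattr(path, "system.posix_acl_access", acl, sizeof acl) == 1);
	if (read_xattr(path, "security.selinux", s->mac_label, sizeof s->mac_label) != 1)
		s->mac_label[0] = '\0';
	return 0;
}

/* Convenience for checks: 1 if path is a directory, 0 if not, -1 on error. */
int snapshot_is_dir(const char *path)
{
	struct file_snapshot s;
	if (snapshot_file(path, &s) < 0)
		return -1;
	return S_ISDIR(s.mode) ? 1 : 0;
}

/* Why the snapshot must be taken up front: create a file, snapshot it,
 * unlink it, and check that the saved snapshot is still usable while a
 * fresh lookup of the same path now fails.
 * Returns 1 on success, 0 if a post-unlink lookup unexpectedly succeeded,
 * -1 on setup failure. */
int snapshot_survives_unlink(void)
{
	char tmpl[] = "/tmp/auditsnapXXXXXX";
	struct file_snapshot before, after;
	int fd = mkstemp(tmpl);

	if (fd < 0)
		return -1;
	close(fd);
	if (snapshot_file(tmpl, &before) < 0) {
		unlink(tmpl);
		return -1;
	}
	unlink(tmpl);
	if (snapshot_file(tmpl, &after) == 0)
		return 0; /* the file should be gone by now */
	return (before.ino != 0 && before.uid == getuid() && S_ISREG(before.mode)) ? 1 : 0;
}

int main(void)
{
	struct file_snapshot s;
	if (snapshot_file("/", &s) == 0)
		printf("/ ino=%lu mode=%o uid=%u acl=%d label=\"%s\"\n",
		       s.ino, (unsigned)s.mode, (unsigned)s.uid, s.has_acl, s.mac_label);
	printf("snapshot survives unlink: %d\n", snapshot_survives_unlink());
	return 0;
}
```

Run it on a labelled system (SELinux enabled) and the `label` column of the first line is populated; on an unlabelled filesystem it stays empty, which is exactly the case where the audit record would otherwise have to say "unknown" if the lookup were deferred.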