On Thursday 02 June 2005 07:18, Steve Grubb wrote:
> On Wednesday 01 June 2005 17:30, Timothy R. Chavez wrote:
> > -> there's only two ways we can remove from a watchlist and neither will
> > contend with the other.
> >
> > (2) audit_inode_data is being freed, inode is no longer reachable for
> > administrative action
>
> So does this mean that when you have a watch on a file and the inode changes
> or is unreachable, the watch disappears? Shouldn't watches exist until
> deleted by the admin?
Let me clarify for you what's going on. The watch in the watchlist has a refcount.
So, if we're deleting the inode, at the same time as removing the watch, the watch
will not be destroyed until its refcount drops to 0.
If the refcount drops to 0 when we're freeing an inode it means that the watch
was removed from the watchlist during the unlink() (meaning audit_update_watch()
did not have a chance to look at it) so we'll catch it in audit_free_inode() when we
put our reference back.
In general audit_update_watch() will catch watch removals by checking to see whether
or not the inode's reference to the watch is unhashed.
The only thing we have to watch out for is reading the master watchlist and having an
inode deleted from under us... but we should be able to protect against that with the
global spinlock.
Make sense? Perhaps I missed something... I am going "code crazy".
-tim
-Steve
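
The reference counting described in the reply above, as a user-space C model added here as an example (it is not code from the audit patch or from either poster). The struct layout and every helper name are assumptions; only audit_update_watch() and audit_free_inode() are names taken from the message.

```c
#include <stdbool.h>
#include <stddef.h>

/* User-space model; struct, field and helper names are hypothetical. */
struct watch {
    int  refcount;   /* one per holder: the watchlist and each inode */
    bool hashed;     /* true while linked on the master watchlist */
    int  destroyed;  /* destructor runs; must end at exactly 1 */
};
struct inode_data { struct watch *watch; };  /* counted ref or NULL */

/* Drop one reference; the last holder to leave destroys the watch. */
static void watch_put(struct watch *w) {
    if (--w->refcount == 0)
        w->destroyed++;
}

/* Removal path 1 (admin): unhash, then drop the list's reference. */
static void watchlist_remove(struct watch *w) {
    w->hashed = false;
    watch_put(w);
}

/* Models the audit_update_watch() check for an unhashed watch. */
static void model_update_watch(struct inode_data *i) {
    if (i->watch && !i->watch->hashed) {
        watch_put(i->watch);
        i->watch = NULL;
    }
}

/* Removal path 2, models audit_free_inode(): put the inode's ref back. */
static void model_free_inode(struct inode_data *i) {
    if (i->watch)
        watch_put(i->watch);
    i->watch = NULL;
}

/* Watch on list + one inode; returns destructor count, -1 if freed early. */
int run_model(bool admin_removes, bool update_runs_first) {
    struct watch w = { .refcount = 2, .hashed = true, .destroyed = 0 };
    struct inode_data i = { .watch = &w };
    if (admin_removes) watchlist_remove(&w);
    if (w.destroyed) return -1;  /* inode's ref must keep it alive */
    if (update_runs_first) model_update_watch(&i);
    model_free_inode(&i);
    return w.destroyed;
}
int main(void) { return run_model(true, true) == 1 ? 0 : 1; }
```

A return of 0 from run_model(false, ...) is the case asked about in the quoted question: freeing the inode alone leaves the watch on the list with one reference.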