On Tuesday 15 March 2005 06:44 am, Stephen Smalley wrote:
> On Mon, 2005-03-14 at 17:14 -0600, Timothy R. Chavez wrote:
> > The hooks appear in:
> > fs/inode.c: destroy_inode(), alloc_inode()
> > fs/dcache.c: d_move(), d_delete(), __d_lookup()
> > fs/namei.c: permission(), exec_permission_lite(), may_delete()
> >
> > I think I've corrected the d_move() leakage by placing two hooks to
> > audit_watch() in d_move() that work on the source dentry and the target
> > dentry.
> What happened to your d_instantiate/d_splice_alias hooks?

Well, it seems like I'm getting the coverage I need with just these three. The
association of a watch to the inode is lazy now. Also, I was trying to take
advantage of the locking around the hooks. I found that d_lock was a great
way of doing this with respect to protecting the audit_watch() hook from evil
audit_remove_watch() requests. I suppose, however, if these hooks are
essential, I could add them in under the protection of the dcache_lock in a
place such that the audit_remove_watch() shouldn't have access to them.
-tim