On Fri, 2005-03-25 at 12:25 -0500, Stephen Smalley wrote:
> > # We get a record for "foo"
> > cat /tmp/bar
> > rm /tmp/foo
> > # __d_lookup() does its magic and we get a record for "bar"
> > cat /tmp/bar
>
> Wait.  We are still dealing with the same inode at this point.  Why was
> its i_audit field changed by the delete if there are other hard links
> present?  Don't we want to preserve auditing on the inode in such a
> case, irrespective of whether /tmp/bar had a watch or not, just because
> of the original watch on /tmp/foo?

Ok, I guess not, as the inode will eventually become "unwatched" anyway
if it is evicted and then re-looked up as /tmp/bar or if the system
reboots.  The particular scenario seems a bit contrived, but the more
general case you mention later (file has multiple hard links, all with
watches defined a priori, the inode picks up the watch for whatever name
is used first to access it, and then that link is deleted) does seem
like a legitimate concern, as you don't want to lose auditing for
accessing the inode via the other links at that point.
-- 
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency