On Mon, 2005-04-04 at 10:34 -0500, Timothy R. Chavez wrote:
[PATCH 1/2]
The first patch consists of the file system hooks. Brief explanations of hook
placement and purpose are provided. Terminology, such as "watch" and
"watch point", is defined in the next message.
Should note that this patch and explanation are included at the end of
this message. "next message" is possibly confusing; possibly clarify
with "second patch".
Deletion:
may_delete() [vfs_unlink()/rmdir()]:
Notify the audit subsystem when an object successfully leaves a "watch point".
The hook appears in may_delete() after we have determined the victim dentry
has an inode.
This is more akin to permission, i.e. notify when checking permissions
to delete a file. The text above suggests that the object has already
been deleted, which is not yet true.
@@ -1557,6 +1564,7 @@ int vfs_mknod(struct inode *dir, struct
DQUOT_INIT(dir);
error = dir->i_op->mknod(dir, dentry, mode, dev);
if (!error) {
+ audit_notify_watch(dentry->d_inode, MAY_WRITE|MAY_EXEC);
inode_dir_notify(dir, DN_CREATE);
security_inode_post_mknod(dir, dentry, mode, dev);
}
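Review bot: the access mask on the added `audit_notify_watch(dentry->d_inode, MAY_WRITE|MAY_EXEC);` line is wider than the operation warrants. Creating a node is a write to the parent directory, so MAY_WRITE alone describes the access being audited; carrying MAY_EXEC here means this hook reports differently from the other creation hooks in the series that pass only MAY_WRITE. Suggest `audit_notify_watch(dentry->d_inode, MAY_WRITE);`. The placement itself is sound: the call sits inside `if (!error)` after `dir->i_op->mknod()`, so the notification fires only on success and `dentry->d_inode` is guaranteed to exist at that point, matching the "notify when an object successfully enters or leaves a watch point" model described for the other hooks.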
Looks like you forgot to reduce this one to just MAY_WRITE.
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency