On Monday 04 April 2005 10:57 am, Stephen Smalley wrote:
On Mon, 2005-04-04 at 10:34 -0500, Timothy R. Chavez wrote:
> [PATCH 1/2]
> The first patch consists of the file system hooks. Brief explanations of
> hook placement and purpose are provided. Terminology, such as "watch"
> and "watch point", are defined in the next message.
Should note that this patch and explanation are included at the end of
this message. "next message" is possibly confusing; possibly clarify
with "second patch".
Good point.
> Deletion:
>
> may_delete() [vfs_unlink()/rmdir()]:
> Notify the audit subsystem when an object successfully leaves a "watch
> point". The hook appears in may_delete() after we have determined the
> victim dentry has an inode.
This is more akin to permission, i.e. notify when checking permissions
to delete a file. The text above suggests that the object has already
been deleted, which is not yet true.
Good point.
> @@ -1557,6 +1564,7 @@ int vfs_mknod(struct inode *dir, struct
> DQUOT_INIT(dir);
> error = dir->i_op->mknod(dir, dentry, mode, dev);
> if (!error) {
> + audit_notify_watch(dentry->d_inode, MAY_WRITE|MAY_EXEC);
> inode_dir_notify(dir, DN_CREATE);
> security_inode_post_mknod(dir, dentry, mode, dev);
> }
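Review bot: the mask passed to audit_notify_watch() in this hunk is MAY_WRITE|MAY_EXEC, but a successful mknod is a write to the parent directory and no execute access is involved on this path, so the audit record would overstate the access that took place; reduce it to `audit_notify_watch(dentry->d_inode, MAY_WRITE);` so the watch notification reflects the operation actually performed.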
Looks like you forgot to reduce this one to just MAY_WRITE
Oops, I changed this, but forgot to diff a patch. I'll do this right now.
Thanks for looking.
I think I should also mention where to get the userspace tool.
--
-tim