On Wednesday 15 June 2005 15:06, Steve Grubb wrote:
On Wednesday 15 June 2005 15:56, Timothy R. Chavez wrote:
> 4. PATH record woes... add a new token stating "I'm the parent of the file
> or I'm the file"
If we are required to emit a record for the file and you add a label saying
it's the directory...don't we still need to dig up the file's attributes? I
think labeling it makes the mode clear to what it belongs to, but the intent
was to provide a record with the *correct* attributes for the object. I
think that in the case where we have a mismatch, the code needs to go dig up
the correct mode of the file instead of "getting it for free".
Well, it's intuitive that the information being reported is the parent's information
and not the child's in these certain cases. But you have to understand how the
system call works and I think that's where the real problem lies. To do what you
suggest would/could get quite ugly I think. We can already get all this info from
watching the child...
Rik's hook can only give back the _relevant_ information the system call was able
to use when deciding its courses of action. In some cases that's the parent and
in others it's the child.
I think we're abusing the original purpose of the hook.
-tim
-Steve
--
Linux-audit mailing list
Linux-audit(a)redhat.com
http://www.redhat.com/mailman/listinfo/linux-audit