On Fri, 2005-03-25 at 12:05 -0500, Stephen Smalley wrote:
We are only talking about post hooks to generate audit messages via
audit_notify_watch() if the inode has previously been marked by
audit_attach_watch(). Given your other hooks, it should already be
possible to audit reads and writes to device nodes (since a watch should
be possible to attach using your existing hooks in
d_instantiate/d_splice_alias and notifications should be generated using
your hook in permission), so why not allow auditing of creates as well?
Given that udev makes /dev dynamic, it seems like watches might be
important there as well, eh?
As a trivial test of the ability to audit reads and writes to device
nodes already, I did:
auditctl -w /dev/null
and then did:
echo hello > /dev/null
As expected, this generated an audit record.
Hence, while it may be fine to omit symlinks, I see no reason to not
include an audit_notify_watch call at the end of vfs_mknod that allows
you to generate an audit record for device creations based on name, as
you can already attach watches to device nodes and generate audit for
opens on them.
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency
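As an added example (not code from this mail or from the kernel audit subsystem), a small Python parser that groups audit records by event serial and reports which syscalls were recorded against a watched path, which is how one would check the coverage gap described above. The log lines, the x86_64 syscall-number subset and the helper names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed subset of x86_64 syscall numbers (not the kernel's table).
SYSCALL_NAMES = {0: "read", 1: "write", 2: "open", 133: "mknod"}

# Constructed sample log, not captured from a real system: a watch on
# /dev/null with key "devnull" records the open() behind
# `echo hello > /dev/null` and the open() behind `cat /dev/null`.
# No record appears for a mknod, matching the gap discussed above.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1111700000.123:42): arch=c000003e syscall=2 success=yes exit=3 comm="bash" exe="/bin/bash" key="devnull"
type=CWD msg=audit(1111700000.123:42): cwd="/root"
type=PATH msg=audit(1111700000.123:42): item=0 name="/dev/null" inode=5 dev=00:05 mode=020666
type=SYSCALL msg=audit(1111700000.456:43): arch=c000003e syscall=2 success=yes exit=3 comm="cat" exe="/bin/cat" key="devnull"
type=CWD msg=audit(1111700000.456:43): cwd="/root"
type=PATH msg=audit(1111700000.456:43): item=0 name="/dev/null" inode=5 dev=00:05 mode=020666
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(log):
    """Group records by event serial: serial -> {record type: [field dicts]}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # skip anything that is not an audit record
        rtype, _ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        events[int(serial)][rtype].append(fields)
    return events

def syscalls_on_path(log, path, key=None):
    """Sorted (serial, syscall name) pairs for events whose PATH records
    name `path`, optionally restricted to a given watch key."""
    hits = []
    for serial, recs in parse_events(log).items():
        if path not in {p.get("name") for p in recs.get("PATH", [])}:
            continue
        for sc in recs.get("SYSCALL", []):
            if key is not None and sc.get("key") != key:
                continue
            num = int(sc["syscall"])
            hits.append((serial, SYSCALL_NAMES.get(num, str(num))))
    return sorted(hits)

def watch_covers(log, path, syscall_name):
    """True if at least one recorded event on `path` was the named syscall."""
    return any(n == syscall_name for _, n in syscalls_on_path(log, path))
```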