On Tue, 2005-02-22 at 10:42 -0600, Timothy R. Chavez wrote:
> - Hooks in vfs_read/write/unlink (please look closely here). The rule
> of thumb I went off of is: I can call my hook iff I have an inode and
> I'm NOT hooking lookup_hash *nudge Stephen* :)
> <snip>
> Three hooks for dynamically assigning watches:
> d_splice_alias, d_move, d_instantiate
> Five hooks for dynamically adding watches to our context:
> permission, exec_permission_lite, vfs_read, vfs_write, vfs_unlink

Why do you hook vfs_read/vfs_write when you have a hook in permission?
If you are trying to audit actual reads and writes, then there are other
cases to consider, e.g. do_sendfile(), plus fun with AIO. Much easier
if you can just stay with auditing open(2) calls via your permission(9)
hook.
There is a known race with respect to d_instantiate and file creation,
but it needs to be resolved anyway for SELinux, so I think you can
proceed under the assumption that it will be fixed. Alternatively, you
would need to move your hook call prior to the setting of d_inode in the
dentry and pass in the inode separately to your hook.
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency