On Mon, 2005-05-09 at 11:17 -0400, Valdis.Kletnieks(a)vt.edu wrote:
> On Mon, 09 May 2005 10:10:01 CDT, "Timothy R. Chavez" said:
> > I've removed the path_lookup from the audit_to_transport code block.
> > Perhaps, we can attempt to find the path via user space once the watch
> > is returned (with path), rather than doing it in the kernel. Then user
> > space can set the w_valid field.
>
> This sounds incredibly racy to me, especially in the cases we care about
> (like the re-writing of /etc/passwd by creating a tempfile and renaming it).

Not sure if it really matters in the case I'm talking about. We're just
getting a list of all the watches in the file system with the paths that
were used to insert them. As we get our reply, we're still holding the
audit_netlink_sem, so there's no chance of external removal of watches.
There is a chance that while we list watches, we move a directory that
has an 'active' watchlist (which destroys all the watches). However, I
really don't think even this case truly matters.
The list feature can only give us a "snapshot in time" anyway. It
shouldn't be gospel.
-tim
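
Added example, not part of the original thread or the audit code: a user-space sketch of the two cases raised above, a file rewritten by tempfile-and-rename and a moved parent directory, showing that a path recorded at watch insertion can stop naming the same object by the time user space re-resolves it. The function names and the (device, inode) comparison as the meaning of "valid" are assumptions for illustration, and the sample file is constructed.

```python
import os
import tempfile


def record_watch(path):
    """Remember the path and the object it named when the watch was inserted."""
    st = os.stat(path)
    return {"path": path, "dev": st.st_dev, "ino": st.st_ino}


def rewrite_by_rename(path, data):
    """Replace a file the way the thread describes: tempfile, then rename."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.replace(tmp, path)  # atomic; the path now names a new inode


def path_still_valid(watch):
    """User-space check (assumed semantics): same device and inode as recorded."""
    try:
        st = os.stat(watch["path"])
    except FileNotFoundError:
        return False
    return (st.st_dev, st.st_ino) == (watch["dev"], watch["ino"])


def demo():
    """Return validity at insertion, after a rename rewrite, after a directory move."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.mkdir(etc)
        target = os.path.join(etc, "passwd")  # constructed sample file
        with open(target, "wb") as f:
            f.write(b"root:x:0:0:root:/root:/bin/sh\n")

        watch = record_watch(target)
        at_insert = path_still_valid(watch)

        rewrite_by_rename(target, b"root:x:0:0:root:/root:/bin/bash\n")
        after_rewrite = path_still_valid(watch)

        os.rename(etc, os.path.join(root, "etc.moved"))
        after_move = path_still_valid(watch)
        return at_insert, after_rewrite, after_move


if __name__ == "__main__":
    print(demo())
```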