On Tue, 8 Mar 2005 09:29:19 -0500, Steve Grubb <sgrubb(a)redhat.com> wrote:
On Monday 07 March 2005 18:00, Timothy R. Chavez wrote:
> Here's the userspace patch for audit-0.6.5 -- It doesn't work as is.
>
> So please break..er test my code :)
Shouldn't these defines come from the kernel header?
diff -Nurp audit-0.6.5/src/auditctl.c audit-0.6.5-scratch/src/auditctl.c
--- audit-0.6.5/src/auditctl.c 2005-03-03 10:11:00.000000000 -0600
+++ audit-0.6.5-scratch/src/auditctl.c 2005-03-07 15:56:19.000000000 -0600
@@ -49,6 +49,14 @@
*/
#define LINE_SIZE 1600
+#define WATCH_MAY_EXEC 1
+#define WATCH_MAY_WRITE 2
+#define WATCH_MAY_READ 4
+#define WATCH_MAY_APPEND 8
+
+#define WATCH_NAME 1
+#define WATCH_FILTERKEY 2
+#define WATCH_PERMS 3
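Review bot: The four WATCH_MAY_* values added after LINE_SIZE have no comment saying where they come from, and as hand-copied literals they can silently drift from the kernel's permission bits if those ever change. Put a comment next to them naming the source header (the reply in this thread gives include/linux/fs.h), or take them from a shared header. In the second group, WATCH_NAME, WATCH_FILTERKEY and WATCH_PERMS select which part of a watch to set up and are not bit flags, yet they share the WATCH_ prefix and the values 1 and 2 with the permission bits. An enum or a distinct prefix (for example WATCH_FIELD_) would keep a selector from being passed where a permission mask is expected.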
Also, just a little design comment, do we really need to have an enable for fs
auditing? Isn't there an implicit enabling by virtue of either having watches
or not having them?
Also, should there be a #ifdef CONFIG_AUDITFILESYSTEM? Shouldn't it be part of
the audit system? The audit ipc patch, for example, didn't declare itself
separately configurable.
-Steve
The bottom defines are simply used by the audit_watch_setup function
in userspace to figure out what part of the watch to set up. There's
no reason for them to be in the kernel. The auditfs piece does not
use the top four macros at all so I see no reason for them to be in
kernel space either. These values come from include/linux/fs.h and I
thought it'd be easiest just to mirror them in userspace by copying
them over.
--
- Timothy R. Chavez