On Tue, 2005-01-25 at 15:44 -0600, Timothy R. Chavez wrote:
> On Tue, 25 Jan 2005 16:46:54 -0600, Serge Hallyn
> <serue(a)us.ibm.com> wrote:
> > On Tue, 2005-01-25 at 15:25 -0600, Timothy R. Chavez wrote:
> > > Any accesses on that inode,
> > > in that namespace (presumably the only access we care about), by an
> > > audited syscall will be noted and sent to userspace. Isn't that
> > > sufficient?
> >
> > Not quite right: Any access to that inode from any namespace. Another
> > namespace might simply mean that you have a different path to the inode.
> >
> Alright, I see better now the concern. But because the audit
> information is associated with the inode via an administrator action,
> it still remains true that any access to that inode will be caught,
> from any namespace. Correct?

Exactly.

> I guess the assumption here is that the administrator knows that
> he/she is in the right namespace when adding/removing watches so that
> they tag the appropriate inodes.

Exactly.
--
Serge Hallyn <serue(a)us.ibm.com>
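The point settled in the thread is that an audit watch is attached to the inode, so a second path to the same object (a different mount namespace in the discussion) is still caught. The script below is an added illustration written for this page, not kernel audit code or the thread's own material: it contrasts a watch table keyed on (device, inode) with one keyed on the pathname, using a hard link as a stand-in for "another path to the same inode". The class names `InodeWatchSet` and `PathWatchSet` and the sample file are constructed for the example.

```python
import os
import tempfile

# Constructed simulation of the semantics discussed above: the audit
# subsystem keys a watch on the inode, not on the path used to reach it.
# A hard link is used here as a stand-in for a path seen from a different
# namespace; both are just alternative names for the same inode.


def inode_key(path):
    """Identity of the file object: (device, inode number)."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


class InodeWatchSet:
    """Watches keyed by inode identity (how the thread says audit behaves)."""

    def __init__(self):
        self._watches = {}

    def add_watch(self, path, tag):
        # The administrator resolves the path once, in their own namespace;
        # from then on the watch is tied to the inode, not the name.
        self._watches[inode_key(path)] = tag

    def match(self, path):
        """Return the watch tag if the object behind 'path' is watched."""
        return self._watches.get(inode_key(path))


class PathWatchSet:
    """Watches keyed by literal pathname (the weaker design, for contrast)."""

    def __init__(self):
        self._watches = {}

    def add_watch(self, path, tag):
        self._watches[os.path.abspath(path)] = tag

    def match(self, path):
        return self._watches.get(os.path.abspath(path))


def demo():
    """Create one file, reach it by two names, and check both watch tables."""
    with tempfile.TemporaryDirectory() as workdir:
        target = os.path.join(workdir, "secret.conf")  # constructed sample
        with open(target, "w") as fh:
            fh.write("constructed sample content\n")
        alias = os.path.join(workdir, "other-name")
        os.link(target, alias)  # second path to the same inode

        by_inode = InodeWatchSet()
        by_path = PathWatchSet()
        by_inode.add_watch(target, "secret-watch")
        by_path.add_watch(target, "secret-watch")

        return {
            "inode_via_original": by_inode.match(target),
            "inode_via_alias": by_inode.match(alias),
            "path_via_original": by_path.match(target),
            "path_via_alias": by_path.match(alias),
        }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {hit}")
```

Run as a script it prints that the inode-keyed table matches through both names while the path-keyed table misses the alias. That is the property the thread relies on, and also the reason the administrator must resolve the right inode when the watch is added: a watch placed on the wrong object is silently wrong from every namespace.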