Re: [RFC][PATCH] (#6 U1) the latest incarnation
On Friday 25 March 2005 12:16 pm, Stephen Smalley wrote:
On Fri, 2005-03-25 at 10:46 -0600, Timothy R. Chavez wrote:
> I've kind of struggled with this one and am was a bit reluctant to add
> it. Perhaps my logic is right, bu there's a better placement. The reason
> why the hook was placed in __d_lookup() was to auto-update a hardlink
> with the correct watch. The only way a hardlink will generate audit
> records is if it's inode is being watched and the only way the inode can
> be watched is if one of it's dentry's is at a watch point. So, take this
> scenario for example -- this is how we should currently perform:
Are you also relying on the __d_lookup() hook to properly update/clear
i_audit->wentry fields for inodes already in the dcache for removed
watches (i.e. after an auditctl -W /tmp/foo, the subsequent
audit_attach_watch call by __d_lookup is what will reset the i_audit
field for /tmp/foo)?
Yes, that is correct. So it is also used to clear out any references to an
unhashed wentry. So when we look for a wentry and we get NULL back, we first
put back our reference to the unhashed wentry (and provided all other
references are dropped, put our memory back into the cache) and
audit_wentry_get(NULL).
-tim