On Wed, 2005-03-30 at 11:23 -0600, Timothy R. Chavez wrote:
> > Why MAY_WRITE|MAY_EXEC here? It is true that you would have checked
> > search permission to the parent directory, but that is handled by your
> > permission hook, and this is for the newly created inode, not the
> > directory, right?
> Sure, this makes sense. I can pass a "0" here.

No, MAY_WRITE is correct (write access to the newly created inode).
MAY_EXEC doesn't make sense there. That was my point.
> Hm. How about this: I watch, as root, /audit/foo (an ls on /audit reveals
> that it may only be written to by root). Then, as a non-root user, I attempt
> to mv /home/chavezt/bar /audit/foo. As expected, I'll fail, but no audit
> record will be generated.
>
> The rule is that we only receive records for a watched object once that object
> is, well, watched (i.e., after it's been created, before it's been destroyed,
> after it's moved into, before it's moved out of, etc.). Thus, the burden of
> capturing failures is on the parent directory (which is intuitive, right?).
> Doing so will generate records (from lstat, open, etc. via our permission
> hook) about such failures. Is this reasonable?

I don't know - a question for Klaus I suppose.
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency
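The scenario discussed in the thread, as an added toy model (not the audit patch and not kernel code): a permission hook that emits a record only for a watched inode, and a rename that fails on the parent directory's check before the target inode ever sees a hook. The file tree, uids and the `AuditFs`/`scenario` names are constructed for the illustration.

```python
"""Toy model of the audit-watch rule: a watched inode only yields records from
hooks that run on that inode, so a mv that fails the parent directory's
permission check is only recorded when the parent directory itself is watched."""
from dataclasses import dataclass, field


@dataclass
class AuditFs:
    owner: dict = field(default_factory=dict)   # path -> owner uid (constructed tree)
    watched: set = field(default_factory=set)   # paths carrying an audit watch
    records: list = field(default_factory=list)  # (uid, mask, path, allowed)

    def permission(self, uid, path, mask):
        """Permission hook on an existing inode: only root or the owner may write.
        A record is emitted if, and only if, this inode is watched."""
        ok = uid == 0 or self.owner[path] == uid or mask == "MAY_READ"
        if path in self.watched:
            self.records.append((uid, mask, path, ok))
        return ok

    def rename(self, uid, src, dst):
        """mv src dst: needs MAY_WRITE on both parent directories. Only after those
        checks pass does the new dst inode exist and get its own MAY_WRITE record."""
        parents = dict.fromkeys([src.rsplit("/", 1)[0], dst.rsplit("/", 1)[0]])
        for d in parents:
            if not self.permission(uid, d, "MAY_WRITE"):
                return False          # failed before dst ever saw a hook
        self.owner[dst] = self.owner.pop(src)
        if dst in self.watched:       # write access to the newly created inode
            self.records.append((uid, "MAY_WRITE", dst, True))
        return True


def scenario(watch, uid=1000):
    """Root watches `watch`; then `uid` runs mv /home/chavezt/bar /audit/foo,
    where /audit (and the existing /audit/foo) are writable only by root."""
    fs = AuditFs(owner={"/": 0, "/audit": 0, "/audit/foo": 0, "/home": 0,
                        "/home/chavezt": 1000, "/home/chavezt/bar": 1000})
    fs.watched.add(watch)
    ok = fs.rename(uid, "/home/chavezt/bar", "/audit/foo")
    return ok, fs.records


if __name__ == "__main__":
    print(scenario("/audit/foo"))   # watch on the target: failure leaves no record
    print(scenario("/audit"))       # watch on the parent: failure is recorded
```

Watching the parent directory is what captures the denied attempt; a watch on the target alone sees nothing until the inode is actually written.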