> Not bad. Couple of comments/questions:
>
> > + /* The root directory cannot be watched */
> > + if (!strcmp(path, "/")) {
> > + ret = -EPERM;
> > + goto audit_remove_watch_exit;
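Review bot: the strcmp(path, "/") test in this hunk matches only the literal string "/", so it depends on how the caller spelled the path: other spellings that resolve to the same directory (for example "//" or "/.") are not caught, and the string says nothing about which directory "/" names for a chrooted caller. Consider moving the test after the lookup and applying it to the resolved object instead of the raw string, keeping the -EPERM return and the existing exit label.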
>
> What are the implications regarding a chroot
> environment? I can imagine (although it strikes
> me as somewhat insane) an admin wanting to audit
> everything that goes on in a chroot environment,
> say for a honeypot. The watching would have to
> be enabled from outside. Not a bad thing, but is
> it what you want?
To be honest, I haven't really considered the chroot environment. I
guess the check really needs to be after the lookup and I should
check:
    if (nd.dentry == nd.dentry->d_parent) {
        return -EPERM;
        ....
    }
The reason for this is simple. You can't watch yourself. Is this a problem?
But you're looking up the parent of the file. So if you call
audit_insert_watch("/.autofsck"); then nd will be the nameidata for
'/'.
You're going to check that the parent is not '/', whereas before you
were checking that the file is not '/'. Clearly you want the latter.
That's not to say the strcmp(path, "/") will be acceptable upstream,
though.
-serge
--
Serge Hallyn <serue(a)us.ibm.com>