Re: [RFC][PATCH] (#6 U1) the latest incarnation
* Stephen Smalley (sds(a)tycho.nsa.gov) wrote:
On Fri, 2005-03-25 at 11:07 -0600, Timothy R. Chavez wrote:
> I'm not entirely sure we should hook mknod or symlink. We're not making any
> claims about the watchability of a device, or symlink with this code. Do you
> agree?
We are only talking about post hooks to generate audit messages via
audit_notify_watch() if the inode has previously been marked by
audit_attach_watch(). Given your other hooks, it should already be
possible to audit reads and writes to device nodes (since a watch should
be possible to attach using your existing hooks in
d_instantiate/d_splice_alias and notifications should be generated using
your hook in permission), so why not allow auditing of creates as well?
Given that udev makes /dev dynamic, it seems like watches might be
important there as well, eh?
I agree, I see no reason to exclude these. They're just inodes in the
filesystem.
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net