On Thu, 20 Jan 2005 15:58:20 +0000, David Woodhouse <dwmw2(a)infradead.org> wrote:
> On Thu, 2005-01-20 at 09:47 -0600, Timothy R. Chavez wrote:
> > On Thu, 20 Jan 2005 13:32:27 +0000, David Woodhouse <dwmw2(a)infradead.org> wrote:
> > > Can we make the i_audit field in struct inode dependent on
> > > CONFIG_AUDITFILESYSTEM?
> >
> > Sure, I'm glad you pointed that out.
>
> You also have to do likewise in fs/inode.c, and fs/namei.c doesn't build
> with CONFIG_AUDITFILESYSTEM disabled because it uses the return value of
> audit_notify_watch().

Doh! Thanks

> You don't seem to be logging the _result_ of the permission() call, or
> am I missing something?

Good question, actually. I just did a test and tried to cp a user
file into /etc at a watched location, and it logs the syscall and
attempted file access, and in theory the exit (return_value) of the
syscall should be negative, upon failure, right? And this should tell
you the entire story ("Access to this <watched file>
<succeeded/failed>"). But it's giving me some super large number in
the log as the exit/return code... Maybe I'm missing something, but
why is the return code being logged out with a %u and not a %d?

        if (context->return_valid)
                audit_log_format(ab, " exit=%u", context->return_code);

<snip>
> --
> dwmw2

--
- Timothy R. Chavez
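
An added example, not part of the original thread or the kernel source: it shows why a failed syscall's negative return code appears as a very large number when formatted with `%u`, and how a log reader can recover the signed value from such a record. The helper names, the sample record, and the assumption of a 32-bit `int` return code are all constructed for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: formats the field as the quoted snippet does (%u). */
int format_exit_unsigned(char *buf, size_t len, int return_code)
{
    return snprintf(buf, len, " exit=%u", (unsigned int)return_code);
}

/* Hypothetical helper: the same field formatted as signed (%d). */
int format_exit_signed(char *buf, size_t len, int return_code)
{
    return snprintf(buf, len, " exit=%d", return_code);
}

/* Recover the signed code from an exit= field that may have been written
 * with %u. Returns 0 on success, -1 if the field is absent or out of range. */
int parse_exit_field(const char *record, int32_t *out)
{
    const char *p = strstr(record, "exit=");
    char *end;
    long long v;
    if (p == NULL)
        return -1;
    p += strlen("exit=");
    errno = 0;
    v = strtoll(p, &end, 10);
    if (end == p || errno != 0 || v < INT32_MIN || v > UINT32_MAX)
        return -1;
    if (v > INT32_MAX)          /* wrapped negative value: undo the wrap */
        v -= 4294967296LL;      /* 2^32 */
    *out = (int32_t)v;
    return 0;
}

int main(void)
{
    /* Constructed sample record, not taken from a real audit log. */
    const char *record = "syscall=5 exit=4294967283 items=1";
    char buf[32];
    int32_t rc;
    format_exit_unsigned(buf, sizeof buf, -13);   /* -13 is -EACCES on Linux */
    printf("%%u gives:%s\n", buf);
    if (parse_exit_field(record, &rc) == 0)
        printf("decoded exit=%d\n", (int)rc);
    return 0;
}
```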