On Tuesday 29 March 2005 08:50 am, Steve Grubb wrote:
> On Monday 28 March 2005 20:55, Timothy R. Chavez wrote:
> > -> Added support for watch listing in auditctl
>
> I'm happy we have something. However, we never finished the discussion from
> yesterday. I don't think you should have to pass a path to list the
> watches. Let's just walk the watch list and dump the strings. Maybe what
> you are thinking of is a watch status command? Pass a path and it tells you
> what device and namespace it's bound to. But I'm just guessing since we need
> to finish the questions I posed yesterday:

Sorry, I went to a Jon "Maddog" Hall presentation on Economics & Open Source
-- good stuff. I tried to explain to you why I felt it wouldn't be a good
idea to just dump the strings. What you'd get right now is something like:

'name=foo, filterkey=fk_foo, permissions=15'

To me, this isn't that informative, because you have no idea where 'foo' is.
I mean, I can add this, if this is what you want -- it can use the same
master list that the "remove all" feature will eventually use. However, no
plans for this in the near near future (week) -- must get to linux-fsdevel.

> 1) Can you explicitly state the namespace or device when you load a watch?

No, this is implied by the path you specify.

> 2) Does the device and namespace get implicitly bound to the path by virtue
> of who loaded the watch and the mount table that is in effect at the time the
> rule was loaded?

Yes.

> 3) Does the watch work for all namespaces and devices?

All namespaces: Yes. Same inode no matter which view of the file system
you're using.

All devices: No. Different devices, different inodes. Thus, we may not mount
over a watched path and expect a remapping of watches on top of it. Why?
These aren't the same objects that the administrator targeted for audit (and
plus, it'd be really hard to do with the current design ;-)).

> These topics need to be documented for the man page.
>
> > + Changed types in libaudit to be identical to the types of audit_watch
> > in audit.h
>
> I'll readjust the types to userspace types. __u32 is kernel. uint32_t is
> userspace.

Alright.

> Thanks,
> -Steve

-tim