
best way to audit in vfs



Hello,

I've been kind of thinking about this.  Presumably, we want to audit
both failed and successful attempts in whatever vfs function we happen
to be in.  For instance, if we fall out of vfs_mkdir because
may_create returned an error, we'd like to receive an audit message
that said something like, "filename=myfile syscall= mkdir()
error=<errno>.....", but, would I want to do this by hooking each
conditional statement?  Is there a better approach?  The only other
one I can think of would be to have one exit point in the functions
and audit right before we exit...

i.e.:

int vfs_create(struct inode *dir, struct dentry *dentry, int mode,
                struct nameidata *nd)
{
        int error = may_create(dir, dentry, nd);

        if (error)
                goto vfs_create_exit;

        if (!dir->i_op || !dir->i_op->create) {
                error = -EACCES;
                goto vfs_create_exit;
        }
        mode &= S_IALLUGO;
        mode |= S_IFREG;
        error = security_inode_create(dir, dentry, mode);
        if (error)
                goto vfs_create_exit;
        DQUOT_INIT(dir);
        error = dir->i_op->create(dir, dentry, mode, nd);
        if (!error) {
                inode_dir_notify(dir, DN_CREATE);
                security_inode_post_create(dir, dentry, mode);
        }

        /* Single exit point: failed and successful attempts are both audited. */
vfs_create_exit:
        audit_inode_create(dir, dentry, error, mode);
        return error;
}

-- 
- Timothy R. Chavez
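
The single-exit approach from the message above, as an added user-space example that is not part of the original post and not kernel code: it drives each failure path and the success path and shows that exactly one audit record, carrying the final error, is produced per call. `struct mock_dir`, `mock_vfs_create` and `audit_create` are hypothetical stand-ins, and the record format follows the "filename=... syscall=... error=..." wording in the message.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
/* Constructed stand-ins for kernel state; every name here is hypothetical. */
struct mock_dir {
    int may_create_err;  /* result of the permission check (0 or -errno) */
    int has_create_op;   /* does the filesystem implement ->create? */
    int lsm_err;         /* result of the security-module hook */
    int fs_err;          /* result of the filesystem's own create */
};
static char audit_buf[8][96];  /* captured audit records */
static int audit_count;        /* records emitted so far */

/* Called only from the exit label, so each call yields exactly one record. */
static void audit_create(const char *name, int error)
{
    if (audit_count < 8)
        snprintf(audit_buf[audit_count], sizeof(audit_buf[0]),
                 "filename=%s syscall=create error=%d", name, error);
    audit_count++;
}

int mock_vfs_create(const struct mock_dir *dir, const char *name)
{
    int error = dir->may_create_err;
    if (error)
        goto out;
    if (!dir->has_create_op) {
        error = -EACCES;
        goto out;
    }
    error = dir->lsm_err;
    if (error)
        goto out;
    error = dir->fs_err;
out:
    audit_create(name, error);  /* reached on success and on every failure */
    return error;
}

int main(void)
{
    struct mock_dir cases[] = { {0, 1, 0, 0}, {-EPERM, 1, 0, 0}, {0, 0, 0, 0},
                                {0, 1, -EACCES, 0}, {0, 1, 0, -ENOSPC} };
    for (int i = 0; i < 5; i++) {
        mock_vfs_create(&cases[i], "myfile");
        puts(audit_buf[i]);
    }
    return 0;
}
```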

