[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: best way to audit in vfs



On Wed, 2004-12-15 at 12:03, Timothy R. Chavez wrote:
> That seems like a pretty good idea since all the information about the
> syscall will be covered else where, all we really need is a place
> where we have the inode and access to its audit data.  The two places
> (maybe three? vfs_mknod?) vfs_create and vfs_mkdir (vfs_link wouldn't
> be necessary if we assume a hardlink's inode audit information is
> never overwritten ever)

Do you mean hooks for preserving audit attributes?  Yes, you would still
need hooks for that purpose, but for simply enabling auditing based on
object identity, a single hook in permission may be sufficient, where
that hook would check whether the object was auditable and if so, add
the object identity and requested permission mask to a list hung off of
curent->audit_context for later processing by audit_syscall_exit (in
determining whether or not to audit) and audit_log_exit (in providing
supplementary audit information in the audit record).

-- 
Stephen Smalley <sds epoch ncsc mil>
National Security Agency


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]