[RFC][PATCH 1/2] file system auditing (#6U3)
Stephen Smalley
sds at tycho.nsa.gov
Mon Apr 4 15:57:27 UTC 2005
On Mon, 2005-04-04 at 10:34 -0500, Timothy R. Chavez wrote:
> [PATCH 1/2]
> The first patch consists of the file system hooks. Brief explanations of hook
> placement and purpose are provided. Terminology, such as "watch" and
> "watch point", are defined in the next message.
Should note that this patch and explanation are included at the end of
this message. "next message" is possibly confusing; possibly clarify
with "second patch".
> Deletion:
>
> may_delete() [vfs_unlink()/rmdir()]:
> Notify the audit subsystem when an object successfully leaves a "watch point".
> The hook appears in may_delete() after we have determined the victim dentry
> has an inode.
This is more akin to permission, i.e. notify when checking permissions
to delete a file. The text above suggests that the object has already
been deleted, which is not yet true.
> @@ -1557,6 +1564,7 @@ int vfs_mknod(struct inode *dir, struct
> DQUOT_INIT(dir);
> error = dir->i_op->mknod(dir, dentry, mode, dev);
> if (!error) {
> + audit_notify_watch(dentry->d_inode, MAY_WRITE|MAY_EXEC);
> inode_dir_notify(dir, DN_CREATE);
> security_inode_post_mknod(dir, dentry, mode, dev);
> }
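Review bot: the added audit_notify_watch() call passes MAY_WRITE|MAY_EXEC, but mknod() only writes a new entry into the parent directory, so the mask should be reduced to MAY_WRITE. Note also that the call sits inside the `if (!error)` branch after dir->i_op->mknod() has returned, so it records a completed creation rather than a permission check; the hook's explanation should state that it is a post-operation notification, matching the security_inode_post_mknod() call it is placed beside.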
Looks like you forgot to reduce this one to just MAY_WRITE.
--
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency