[RFC][PATCH] (#4) auditfs
Timothy R. Chavez
chavezt at gmail.com
Thu Feb 24 16:32:58 UTC 2005
On Thu, 24 Feb 2005 10:06:00 -0500, Stephen Smalley <sds at tycho.nsa.gov> wrote:
> On Wed, 2005-02-23 at 17:26 -0600, Timothy R. Chavez wrote:
> > Ok, great. I've removed the hooks. I can also get away with taking
> > the hooks out of unlink right because I should be hitting permission()
> > in access(), before I do the unlink()?
>
> Not sure what you mean by access() - do you mean permission()?
>
> In any event, you still need a hook in vfs_unlink() if you want to catch
> the actual victim inode, as that isn't passed to any permission() call.
Right. My mistake. I was naively going off strace. Thanks.
>
> --
> Stephen Smalley <sds at tycho.nsa.gov>
> National Security Agency
>
>
--
- Timothy R. Chavez
More information about the Linux-audit
mailing list