[RFC] linux-2.6.10-auditfs-tc1.patch
Timothy R. Chavez
chavezt at gmail.com
Thu Jan 20 17:05:14 UTC 2005
On Thu, 20 Jan 2005 15:58:20 +0000, David Woodhouse <dwmw2 at infradead.org> wrote:
> On Thu, 2005-01-20 at 09:47 -0600, Timothy R. Chavez wrote:
> > On Thu, 20 Jan 2005 13:32:27 +0000, David Woodhouse <dwmw2 at infradead.org> wrote:
> > > Can we make the i_audit field in struct inode dependent on
> > > CONFIG_AUDITFILESYSTEM?
> >
> > Sure, I'm glad you pointed that out.
>
> You also have to do likewise in fs/inode.c, and fs/namei.c doesn't build
> with CONFIG_AUDITFILESYSTEM disabled because it uses the return value of
> audit_notify_watch().
Doh! Thanks
>
> You don't seem to be logging the _result_ of the permission() call, or
> am I missing something?
Good question, actually. I just did a test and tried to cp a user
file into /etc at a watched location, and it logs the syscall and
attempted file access, and in theory the exit (return_value) of the
syscall should be negative, upon failure, right? And this should tell
you the entire story ("Access to this <watched file>
<succeeded/failed>"). But it's giving me some super large number in
the log as the exit/return code... Maybe I'm missing something, but
why is the return code being logged out with a %u and not a %d?
    if (context->return_valid)
        audit_log_format(ab, " exit=%u", context->return_code);
<snip>
> --
> dwmw2
>
>
--
- Timothy R. Chavez
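
Added example, not part of the original message or of the patch: a small log-side decoder showing why a failed syscall appears as a "super large number" when a negative return code is printed with `%u`, and how to recover the signed errno from such a record. It assumes the value was a 32-bit int when printed; the sample records are constructed, and only the ` exit=` field format comes from the snippet above.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Find " exit=<digits>" in an audit record and recover the signed value.
 * Assumption: the kernel value was a 32-bit int formatted with %u.
 * Returns 0 on success, -1 if the field is missing or malformed. */
int audit_exit_signed(const char *record, int32_t *out)
{
    const char *p = strstr(record, " exit=");
    char *end;
    unsigned long long v;

    if (p == NULL)
        return -1;
    p += strlen(" exit=");
    if (*p < '0' || *p > '9')          /* reject signs, spaces, empty field */
        return -1;
    errno = 0;
    v = strtoull(p, &end, 10);
    if (errno != 0 || v > UINT32_MAX)
        return -1;
    if (*end != '\0' && *end != ' ' && *end != '\n')
        return -1;
    /* Undo the unsigned formatting without relying on cast behaviour. */
    *out = (v <= INT32_MAX) ? (int32_t)v : (int32_t)((int64_t)v - 4294967296LL);
    return 0;
}

/* 1 = syscall failed, 0 = succeeded, -1 = no usable exit field.
 * Linux syscalls report errors as -errno in the range -4095..-1. */
int audit_syscall_failed(const char *record)
{
    int32_t rc;
    if (audit_exit_signed(record, &rc) != 0)
        return -1;
    return rc < 0 && rc >= -4095;
}

int main(void)
{
    /* Constructed records: a denied access, a success, a missing field. */
    const char *s[] = { "rec exit=4294967283 x", "rec exit=3 x", "rec x" };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-24s failed=%d\n", s[i], audit_syscall_failed(s[i]));
    return 0;
}
```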