[RFC] linux-2.6.10-auditfs-tc1.patch

Timothy R. Chavez chavezt at gmail.com
Thu Jan 20 17:05:14 UTC 2005


On Thu, 20 Jan 2005 15:58:20 +0000, David Woodhouse <dwmw2 at infradead.org> wrote:
> On Thu, 2005-01-20 at 09:47 -0600, Timothy R. Chavez wrote:
> > On Thu, 20 Jan 2005 13:32:27 +0000, David Woodhouse <dwmw2 at infradead.org> wrote:
> > > Can we make the i_audit field in struct inode dependent on
> > > CONFIG_AUDITFILESYSTEM?
> >
> > Sure, I'm glad you pointed that out.
> 
> You also have to do likewise in fs/inode.c, and fs/namei.c doesn't build
> with CONFIG_AUDITFILESYSTEM disabled because it uses the return value of
> audit_notify_watch().

Doh!  Thanks

> 
> You don't seem to be logging the _result_ of the permission() call, or
> am I missing something?

Good question, actually.  I just did a test and tried to cp a user
file into /etc at a watched location, and it logs the syscall and
attempted file access, and in theory the exit (return_value) of the
syscall should be negative, upon failure, right?  And this should tell
you the entire story ("Access to this <watched file>
<succeeded/failed>").  But it's giving me some super large number in
the log as the exit/return code... Maybe I'm missing something, but
why is the return code being logged out with a %u and not a %d?

if (context->return_valid)
        audit_log_format(ab, " exit=%u", context->return_code);

<snip>

> --
> dwmw2
> 
> 
-- 
- Timothy R. Chavez
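
Added example, not part of the original message or of the audit patch: a negative return code formatted with %u shows up as 2^32 minus its magnitude, so a log reader can recover the signed value from an exit= field. The helper names, the 32-bit return code, the -4095..-1 errno range and the sample records are assumptions made for this illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: read the exit= field of one audit record and undo the
 * %u formatting (assumes a 32-bit return code). 0 on success, -1 if unusable. */
static int audit_exit_signed(const char *rec, int32_t *out)
{
    const char *p = strstr(rec, " exit=");
    unsigned long v;

    if (!p)
        return -1;
    p += 6;                               /* skip " exit=" */
    if (*p < '0' || *p > '9')             /* strtoul would accept a sign */
        return -1;
    errno = 0;
    v = strtoul(p, NULL, 10);
    if (errno || v > UINT32_MAX)
        return -1;
    /* Two's-complement reinterpretation without an implementation-defined cast. */
    *out = v <= INT32_MAX ? (int32_t)v : -(int32_t)(UINT32_MAX - v) - 1;
    return 0;
}

/* 1 = syscall failed, 0 = succeeded, -1 = no usable exit field. Assumption:
 * only -4095..-1 are errno values; other values (a high address) are success. */
static int audit_syscall_failed(const char *rec)
{
    int32_t code;
    if (audit_exit_signed(rec, &code) != 0)
        return -1;
    return code < 0 && code >= -4095;
}

int main(void)
{
    /* Constructed sample records, not real kernel output. */
    const char *recs[] = { "syscall=5 exit=4294967283 items=1",
                           "syscall=5 exit=3 items=1",
                           "syscall=90 exit=3086426112 items=0" };
    for (size_t i = 0; i < sizeof recs / sizeof recs[0]; i++) {
        int32_t code = 0;
        audit_exit_signed(recs[i], &code);
        printf("%-36s -> %d (%s)\n", recs[i], (int)code,
               audit_syscall_failed(recs[i]) == 1 ? strerror(-code) : "success");
    }
    return 0;
}
```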



