Re: [RFC][PATCH] (#2) Prelim in-kernel file system auditing support

--- "Timothy R. Chavez" <chavezt gmail com> wrote:

> I'd appreciate any and all comments / feedback. 

Not bad. Couple of comments/questions:

> +	/* The root directory cannot be watched */
> +	if (!strcmp(path, "/")) {
> +		ret = -EPERM;
> +		goto audit_remove_watch_exit;
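Review bot: the root check compares the raw path string, so `!strcmp(path, "/")` only rejects the literal "/"; any other spelling of the same directory (for example a trailing "/." or a doubled slash) passes this test and resolves to the root anyway. Resolving the path first and comparing the resulting dentry against the root dentry, or checking after lookup, would make the restriction hold regardless of how the path is written. Also, the label `audit_remove_watch_exit` sits under a comment about what can be watched; if this is the add-watch path, the label name looks copied from the remove routine.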

What are the implications regarding a chroot
environment? I can imagine (although it strikes
me as somewhat insane) an admin wanting to audit
everything that goes on in a chroot environment,
say for a honeypot. The watching would have to
be enabled from outside. Not a bad thing, but is
it what you want?

> +/* The structure that stores information about
files/directories being
> + * watched in the filesystem, that the syscall
> + */
> +
> +struct audit_file {
> +	struct audit_watch *watch;
> +	struct list_head list;
> +	unsigned long ino;
> +	umode_t mode;
> +	uid_t uid;
> +	gid_t gid;
> +	dev_t rdev;
> +	int mask;
> +};
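Review bot: `struct audit_file` records `ino` but not the device of the filesystem the inode lives on (`rdev` is only meaningful for device special files), and inode numbers are unique only within one filesystem, so two watched files on different mounts can collide on `ino` alone; adding the superblock's device id next to `ino` would make the identity unambiguous. Separately, the comment block above the struct stops mid-sentence ("that the syscall") and says nothing about what bits `mask` holds; please finish the sentence and document each field, `mask` in particular.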

Where does one put the ACL, MAC label, and/or
capability set of the file? I may not be able
to go get it later, as it may change or worse,
the file might be gone by then.

Casey Schaufler
casey schaufler-ca com

