[RFC][PATCH] (#2) Prelim in-kernel file system auditing support

Timothy R. Chavez chavezt at gmail.com
Tue Jan 25 18:29:58 UTC 2005


On Tue, 25 Jan 2005 09:40:00 -0800 (PST), Casey Schaufler
<casey at schaufler-ca.com> wrote:
> 
> --- "Timothy R. Chavez" <chavezt at gmail.com> wrote:
> 
> > I'd appreciate any and all comments / feedback.
> 
> Not bad. Couple of comments/questions:
> 
> > +     /* The root directory cannot be watched */
> > +     if (!strcmp(path, "/")) {
> > +             ret = -EPERM;
> > +             goto audit_remove_watch_exit;
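Review bot: The `strcmp(path, "/")` guard compares only the literal spelling of the path before lookup, so equivalent spellings of the root ("//", "/.", "/..", or a path that resolves there through a symlink) slip past it. Do the check after path lookup on the resolved dentry, for example by testing whether the dentry is its own parent (`nd.dentry == nd.dentry->d_parent`), rather than on the string.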
> 
> What are the implications regarding a chroot
> environment? I can imagine (although it strikes
> me as somewhat insane) an admin wanting to audit
> everything that goes on in a chroot environment,
> say for a honeypot. The watching would have to
> be enabled from outside. Not a bad thing, but is
> it what you want?

To be honest, I haven't really considered the chroot environment.  I
guess the check really needs to be after the lookup and I should
check:

if (nd.dentry == nd.dentry->d_parent) {
        return -EPERM;
        ....
}

The reason for this is simple.  You can't watch yourself.  Is this a problem?

> 
> > +/* The structure that stores information about
> files/directories being
> > + * watched in the filesystem, that the syscall
> accessed.
> > + */
> > +
> > +struct audit_file {
> > +     struct audit_watch *watch;
> > +     struct list_head list;
> > +     unsigned long ino;
> > +     umode_t mode;
> > +     uid_t uid;
> > +     gid_t gid;
> > +     dev_t rdev;
> > +     int mask;
> > +};
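Review bot: The `mask` and `rdev` fields of `struct audit_file` are undocumented; the header comment should state what `mask` encodes and note that `rdev` is only meaningful for device nodes, since the remaining fields (`ino`, `mode`, `uid`, `gid`) are a snapshot of inode attributes taken at syscall time and a reader needs to know which fields belong to that snapshot.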
> 
> Where does one put the ACL, MAC label, and/or
> capability set of the file? I may not be able
> to go get it later, as it may change or worse,
> the file might be gone by then.

I've not given this any thought.  This is on the table and needs to be
discussed further.  Klaus?

> =====
> Casey Schaufler
> casey at schaufler-ca.com
> 


-- 
- Timothy R. Chavez
