[RFC][PATCH] (#2) Prelim in-kernel file system auditing support

Serge Hallyn serue at us.ibm.com
Tue Jan 25 20:24:04 UTC 2005


> > Not bad. Couple of comments/questions:
> > 
> > > +     /* The root directory cannot be watched */
> > > +     if (!strcmp(path, "/")) {
> > > +             ret = -EPERM;
> > > +             goto audit_remove_watch_exit;
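Review bot: the strcmp(path, "/") test in this hunk decides on the caller's string rather than on the object it names, so it rejects only the exact spelling "/" and lets other spellings of the same directory, such as "//" or "/.", through. Consider making the decision on the resolved object instead of the string. The comment above the test should also say why the root directory cannot be watched, so a reader can tell whether -EPERM is the right error to return here.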
> > 
> > What are the implications regarding a chroot
> > environment? I can imagine (although it strikes
> > me as somewhat insane) an admin wanting to audit
> > everything that goes on in a chroot environment,
> > say for a honeypot. The watching would have to
> > be enabled from outside. Not a bad thing, but is
> > it what you want?
> 
> To be honest, I haven't really considered the chroot environment.  I
> guess the check really needs to be after the lookup and I should
> check:
> 
> if(nd.dentry == nd.dentry->d_parent) {
>         return -EPERM;
>         ....
> }
> 
> The reason for this is simple.  You can't watch yourself.  Is this a problem?

But you're looking up the parent of the file.  So if you call
audit_insert_watch("/.autofsck"); then nd will be the nameidata for '/'.
You're going to check that the parent is not '/', whereas before you
were checking that the file is not '/'.  Clearly you want the latter.

That's not to say the strcmp(path, "/") will be acceptable upstream,
though.

-serge
-- 
Serge Hallyn <serue at us.ibm.com>
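A user-space analogue of the target-versus-parent distinction made in this message, added here as an example and not code from the patch or the thread: it compares st_dev/st_ino from stat(2) in place of dentries, and the function names are hypothetical. It shows the string test missing other spellings of the root, and the parent-based test flagging "/.autofsck" although that target is not the root; stat("/") resolves against the calling process's root, so inside a chroot it names the jail root.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* String test as in the quoted hunk: matches only the exact spelling "/". */
static int is_root_by_string(const char *path)
{
    return strcmp(path, "/") == 0;
}

/* 1 if a and b resolve to the same object, 0 if not, -1 if either stat fails. */
static int same_object(const char *a, const char *b)
{
    struct stat sa, sb;
    if (stat(a, &sa) != 0 || stat(b, &sb) != 0)
        return -1;
    return sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino;
}

/* Check on the target itself: is the object to be watched the root? */
static int target_is_root(const char *path)
{
    return same_object(path, "/");
}

/* Misplaced check: the same test applied to the parent directory of an
 * absolute path, which is what a parent lookup hands back. */
static int parent_is_root(const char *path)
{
    char buf[4096];
    snprintf(buf, sizeof buf, "%s", path);
    size_t n = strlen(buf);
    while (n > 1 && buf[n - 1] == '/')      /* drop trailing slashes */
        buf[--n] = '\0';
    char *slash = strrchr(buf, '/');
    if (slash)
        slash[slash == buf ? 1 : 0] = '\0'; /* keep "/" when the parent is root */
    return same_object(buf, "/");
}

int main(void)
{
    /* Constructed sample paths; "/.autofsck" is the name used in the thread. */
    const char *paths[] = { "/", "//", "/.", "/.autofsck" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-12s string=%d target=%d parent=%d\n", paths[i], is_root_by_string(paths[i]),
               target_is_root(paths[i]), parent_is_root(paths[i]));
    return 0;
}
```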



