[RFC][PATCH] (#2) Prelim in-kernel file system auditing support
Serge Hallyn
serue at us.ibm.com
Tue Jan 25 20:24:04 UTC 2005
> > Not bad. Couple of comments/questions:
> >
> > > + /* The root directory cannot be watched */
> > > + if (!strcmp(path, "/")) {
> > > + ret = -EPERM;
> > > + goto audit_remove_watch_exit;
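Review bot: the strcmp(path, "/") test at the top of this hunk compares only the string the caller passed, so other spellings that resolve to the same directory, such as "//" or "/.", are not rejected. Consider doing the root test on the looked-up object after path resolution, and state in the comment whether "root" means the global root or the caller's current root.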
> >
> > What are the implications regarding a chroot
> > environment? I can imagine (although it strikes
> > me as somewhat insane) an admin wanting to audit
> > everything that goes on in a chroot environment,
> > say for a honeypot. The watching would have to
> > be enabled from outside. Not a bad thing, but is
> > it what you want?
>
> To be honest, I haven't really considered the chroot environment. I
> guess the check really needs to be after the lookup and I should
> check:
>
> if(nd.dentry == nd.dentry->d_parent) {
> return -EPERM;
> ....
> }
>
> The reason for this is simple. You can't watch yourself. Is this a problem?
But you're looking up the parent of the file. So if you call
audit_insert_watch("/.autofsck"); then nd will be the nameidata for '/'.
You're going to check that the parent is not '/', whereas before you
were checking that the file is not '/'. Clearly you want the latter.
That's not to say the strcmp(path, "/") will be acceptable upstream,
though.
-serge
--
Serge Hallyn <serue at us.ibm.com>