[RFC][PATCH] (#2) Prelim in-kernel file system auditing support

Serge Hallyn serue at us.ibm.com
Tue Jan 25 20:50:28 UTC 2005


Right, so I guess the correct check will involve perhaps checking
nd.last!=NULL before d_lookup, or dentry != nd.dentry after the
d_lookup?

(I don't know offhand what nd.last looks like if you looked up '/'.)

-serge

On Tue, 2005-01-25 at 11:20 -0800, Chris Wright wrote:
> * Serge Hallyn (serue at us.ibm.com) wrote:
> > But you're looking up the parent of the file.  So if you call
> > audit_insert_watch("/.autofsck"); then nd will be the nameidata for '/'.
> > You're going to check that the parent is not '/', whereas before you
> > were checking that the file is not '/'.  Clearly you want the latter.
> > 
> > That's not to say the strcmp(path, "/') will be acceptable upstream,
> > though.
> 
> No, it's not.  It also doesn't mean much.  Think "///", or "../../../".
> These are user strings.  If it's an issue, better compare against
> something sane like resolved internal data structure.
> 
> thanks,
> -chris
-- 
Serge Hallyn <serue at us.ibm.com>




More information about the Linux-audit mailing list