[RFC][PATCH] (#2) Prelim in-kernel file system auditing support
Serge Hallyn
serue at us.ibm.com
Tue Jan 25 20:50:28 UTC 2005
Right, so I guess the correct check will involve perhaps checking
nd.last!=NULL before d_lookup, or dentry != nd.dentry after the
d_lookup?
(I don't know offhand what nd.last looks like if you looked up '/'.)
-serge
On Tue, 2005-01-25 at 11:20 -0800, Chris Wright wrote:
> * Serge Hallyn (serue at us.ibm.com) wrote:
> > But you're looking up the parent of the file. So if you call
> > audit_insert_watch("/.autofsck"); then nd will be the nameidata for '/'.
> > You're going to check that the parent is not '/', whereas before you
> > were checking that the file is not '/'. Clearly you want the latter.
> >
> > That's not to say the strcmp(path, "/') will be acceptable upstream,
> > though.
>
> No, it's not. It also doesn't mean much. Think "///", or "../../../".
> These are user strings. If it's an issue, better compare against
> something sane like resolved internal data structure.
>
> thanks,
> -chris
--
Serge Hallyn <serue at us.ibm.com>
More information about the Linux-audit
mailing list