[RFC][PATCH] (#2) Prelim in-kernel file system auditing support

Timothy R. Chavez chavezt at gmail.com
Tue Jan 25 21:25:07 UTC 2005


David,

Can you ellaborate on why you think namespaces are an issue?  I'm
having a hard time understanding why this would be any more of a
problem then any other intentional subversion of the audit subsystem
by the administrator (where administrator == root).  Perhaps there is
a way for a user process to subvert the audit subsystem using
namespace trickory?

If the root user issues a "watch /etc/passwd" it will resolve to the
inode for passwd in the given namespace.  Any accesses on that inode,
in that namespace (presumably the only access we care about), by an
audited syscall will be noted and sent to userspace.  Isn't that
sufficient?

On Tue, 25 Jan 2005 20:34:04 +0000, David Woodhouse <dwmw2 at infradead.org> wrote:
> On Tue, 2005-01-25 at 12:29 -0600, Timothy R. Chavez wrote:
> > To be honest, I haven't really considered the chroot environment.  I
> > guess the check really needs to be after the lookup and I should
> > check:
> 
> It's not just chroot. Remember that every task in the system can in
> theory have an entirely different namespace, with different file systems
> mounted at different places.
> 
> --
> dwmw2
> 
> 


-- 
- Timothy R. Chavez




More information about the Linux-audit mailing list