[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [RFC][PATCH] (#2) Prelim in-kernel file system auditing support

On Tue, 2005-01-25 at 15:25 -0600, Timothy R. Chavez wrote:
> Can you ellaborate on why you think namespaces are an issue?  I'm
> having a hard time understanding why this would be any more of a
> problem then any other intentional subversion of the audit subsystem
> by the administrator (where administrator == root).  Perhaps there is
> a way for a user process to subvert the audit subsystem using
> namespace trickory?

I'm not sure it's a _problem_ but I just wanted to make sure you bear it
in mind.

> If the root user issues a "watch /etc/passwd" it will resolve to the
> inode for passwd in the given namespace.  Any accesses on that inode,
> in that namespace (presumably the only access we care about), by an
> audited syscall will be noted and sent to userspace.  Isn't that
> sufficient?

Possibly; as long as the owner of the namespace can't mount the file
system containing it elsewhere, or 'mount --bind /etc /tmp/x' and get
round the watch. Your method of attaching to the dentry looks like it
works correctly in that case, but again I wanted to be sure it's by
design, and it stays that way.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]