[RFC][PATCH] (#2) Prelim in-kernel file system auditing support

Timothy R. Chavez chavezt at gmail.com
Tue Jan 25 21:44:18 UTC 2005


On Tue, 25 Jan 2005 16:46:54 -0600, Serge Hallyn <serue at us.ibm.com> wrote:
> On Tue, 2005-01-25 at 15:25 -0600, Timothy R. Chavez wrote:
> >  Any accesses on that inode,
> > in that namespace (presumably the only access we care about), by an
> > audited syscall will be noted and sent to userspace.  Isn't that
> > sufficient?
> 
> Not quite right:  Any access to that inode from any namespace.  Another
> namespace might simply mean that you have a different path to the inode.
> 

Alright, I see better now the concern.  But because the audit
information is associated with the inode via an administrator action,
it still remains true that any access to that inode will be caught,
from any namespace.  Correct?

I guess the assumption here is that the administrator knows that
he/she is in the right namespace when adding/removing watches so that
they tag the appropriate inodes.

> --
> Serge Hallyn <serue at us.ibm.com>
> 
> 


-- 
- Timothy R. Chavez



