[RFC][PATCH] (#2) Prelim in-kernel file system auditing support
Serge Hallyn
serue at us.ibm.com
Tue Jan 25 23:14:57 UTC 2005
On Tue, 2005-01-25 at 15:44 -0600, Timothy R. Chavez wrote:
> On Tue, 25 Jan 2005 16:46:54 -0600, Serge Hallyn <serue at us.ibm.com> wrote:
> > On Tue, 2005-01-25 at 15:25 -0600, Timothy R. Chavez wrote:
> > > Any accesses on that inode,
> > > in that namespace (presumably the only access we care about), by an
> > > audited syscall will be noted and sent to userspace. Isn't that
> > > sufficient?
> >
> > Not quite right: Any access to that inode from any namespace. Another
> > namespace might simply mean that you have a different path to the inode.
> >
>
> Alright, I see better now the concern. But because the audit
> information is associated with the inode via an administrator action,
> it still remains true that any access to that inode will be caught,
> from any namespace. Correct?
Exactly.
> I guess the assumption here is that the administrator knows that
> he/she is in the right namespace when adding/removing watches so that
> they tag the appropriate inodes.
Exactly.
--
Serge Hallyn <serue at us.ibm.com>
More information about the Linux-audit mailing list