[RFC][PATCH] (#2) Prelim in-kernel file system auditing support

Serge Hallyn serue at us.ibm.com
Tue Jan 25 23:29:13 UTC 2005


On Tue, 2005-01-25 at 21:37 +0000, David Woodhouse wrote:
> Possibly; as long as the owner of the namespace can't mount the file
> system containing it elsewhere, or 'mount --bind /etc /tmp/x' and get
> round the watch. Your method of attaching to the dentry looks like it
> works correctly in that case, but again I wanted to be sure it's by
> design, and it stays that way.

Yup, we've definitely been keeping that in mind.  And the ramifications
can get subtle, so please do let us know if you find a case we
overlooked.  But as it stands, every meaningful case seems to be
handled:

	watch /etc/passwd
	chroot_ns /mnt/d6
	touch /etc/passwd

that /etc/passwd is /mnt/d6/etc/passwd, so we don't care.

	watch /etc/passwd
	mount --bind /etc /mnt/d6/etc
	chroot_ns /mnt/d6
	touch /etc/passwd

since /mnt/d6/etc is in fact /etc, we will have the right watch list,
and /mnt/d6/etc/passwd will be watched.

	watch /etc/passwd
	touch /mnt/d6/etc/passwd
	mount --bind /etc/passwd /mnt/d6/etc/passwd
	chroot_ns /mnt/d6
	touch /etc/passwd
(audited)
	rm /etc/passwd
(audited)
	touch /etc/passwd
(new file is *not* watched)

By the way, Tim, please test each case that I've mentioned here :)  I'm
just saying our design should cover them.  Please make sure!

thanks,
-serge

-- 
Serge Hallyn <serue at us.ibm.com>
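The three scenarios above hinge on one property: a watch attached to the dentry/inode follows the object, not the path, so an alias created by `mount --bind` hits the same watch, while a file recreated under the old name is a new object and is not watched. The following is an added, user-space model of that behaviour and is not the patch's kernel code. It keys a watch list on `(st_dev, st_ino)` and, because bind mounts need `CAP_SYS_ADMIN`, uses a symlinked directory (for `mount --bind /etc /mnt/d6/etc`) and a hard link (for `mount --bind /etc/passwd /mnt/d6/etc/passwd`) as stand-ins inside a temporary directory; the directory names, the `InodeWatchList` class and the sample passwd line are all constructed for the example.

```python
import os
import tempfile

# Constructed model: a watch list keyed on object identity (st_dev, st_ino)
# rather than on path. Hard links / symlinked directories stand in for bind
# mounts: both make one inode reachable under two names, which is the
# property the three scenarios in the mail depend on.


class InodeWatchList:
    def __init__(self):
        self.by_inode = {}   # (dev, ino) -> label of the watched object
        self.events = []     # audit records produced by check()

    def watch(self, path, label):
        st = os.stat(path)
        self.by_inode[(st.st_dev, st.st_ino)] = label

    def check(self, path, op):
        """Return the watch label if the object at `path` is watched, else None.

        Called before the operation, as a kernel hook would be, so an rm of a
        watched object is still recorded."""
        st = os.stat(path)   # follows symlinks, like path walking in the VFS
        label = self.by_inode.get((st.st_dev, st.st_ino))
        if label is not None:
            self.events.append((op, path, label))
        return label


def run_scenarios():
    """Replay the three cases from the mail; returns the per-step results."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        passwd = os.path.join(etc, "passwd")
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")   # constructed content

        wl = InodeWatchList()
        wl.watch(passwd, "/etc/passwd")

        # Case 1: chroot_ns into an unrelated tree; its own etc/passwd is a
        # different inode, so touching it is not audited.
        ns1_etc = os.path.join(root, "mnt", "d5", "etc")
        os.makedirs(ns1_etc)
        other = os.path.join(ns1_etc, "passwd")
        open(other, "w").close()
        case1 = wl.check(other, "touch")

        # Case 2: the whole directory is aliased (mount --bind /etc ...),
        # modelled with a directory symlink; the path resolves to the same
        # inode and the watch fires.
        ns2 = os.path.join(root, "mnt", "d6")
        os.makedirs(ns2)
        os.symlink(etc, os.path.join(ns2, "etc"))
        case2 = wl.check(os.path.join(ns2, "etc", "passwd"), "touch")

        # Case 3: only the file is aliased (mount --bind /etc/passwd ...),
        # modelled with a hard link.
        ns3_etc = os.path.join(root, "mnt", "d7", "etc")
        os.makedirs(ns3_etc)
        alias = os.path.join(ns3_etc, "passwd")
        os.link(passwd, alias)
        case3_touch = wl.check(alias, "touch")   # audited: same inode
        os.utime(alias)
        case3_rm = wl.check(alias, "rm")         # audited: same inode
        os.unlink(alias)
        open(alias, "w").close()                 # new file under the old name
        case3_new = wl.check(alias, "touch")     # not watched: new inode

        return case1, case2, case3_touch, case3_rm, case3_new, len(wl.events)


if __name__ == "__main__":
    print(run_scenarios())
```

The last step is the one a defender should keep in view: once the watched inode is gone, a file recreated at the same path is invisible to an inode-attached watch until someone re-arms it, so the audit record of the `rm` is the signal to act on.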
