[RFC][PATCH] (#2) Prelim in-kernel file system auditing support
Serge Hallyn
serue at us.ibm.com
Tue Jan 25 23:29:13 UTC 2005
On Tue, 2005-01-25 at 21:37 +0000, David Woodhouse wrote:
> Possibly; as long as the owner of the namespace can't mount the file
> system containing it elsewhere, or 'mount --bind /etc /tmp/x' and get
> round the watch. Your method of attaching to the dentry looks like it
> works correctly in that case, but again I wanted to be sure it's by
> design, and it stays that way.
Yup, we've definitely been keeping that in mind. And the ramifications
can get subtle, so please do let us know if you find a case we
overlooked. But as it stands, every meaningful case seems to be
handled:
watch /etc/passwd
chroot_ns /mnt/d6
touch /etc/passwd

that /etc/passwd is /mnt/d6/etc/passwd, so we don't care.

watch /etc/passwd
mount --bind /etc /mnt/d6/etc
chroot_ns /mnt/d6
touch /etc/passwd

since /mnt/d6/etc is in fact /etc, we will have the right watch list,
and /mnt/d6/etc/passwd will be watched.

watch /etc/passwd
touch /mnt/d6/etc/passwd
mount --bind /etc/passwd /mnt/d6/etc/passwd
chroot_ns /mnt/d6
touch /etc/passwd
(audited)
rm /etc/passwd
(audited)
touch /etc/passwd
(new file is *not* watched)
By the way, Tim, please test each case that I've mentioned here :) I'm
just saying our design should cover them. Please make sure!
thanks,
-serge
--
Serge Hallyn <serue at us.ibm.com>
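A toy model of the semantics argued in the mail above, added here as an illustration; it is not the patch's code and not how the kernel resolves paths. Watches are keyed by inode (the object the dentry names), chroot and bind mounts are folded into a canonical path before lookup, and all paths, inode numbers and helper names are constructed for the example.

```python
import posixpath
class WatchModel:
    """Toy model (not the patch's code): watches key on the inode, not the
    path, so bind aliases reach the same watch and a recreated file does not."""
    def __init__(self):
        self.inodes = {}      # canonical path -> inode number
        self.binds = {}       # bind-mount target -> source (canonical paths)
        self.watches = set()  # inode numbers under an audit watch
        self.next_ino = 100   # constructed inode numbers start here

    def _resolve(self, path, root):
        # A chrooted caller's "/" is really `root`; then fold bind mounts
        # (longest target prefix first) until no alias remains.
        full = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
        for target in sorted(self.binds, key=len, reverse=True):
            if full == target or full.startswith(target + "/"):
                return self._resolve(self.binds[target] + full[len(target):], "/")
        return full

    def bind(self, source, target):          # mount --bind source target
        self.binds[self._resolve(target, "/")] = self._resolve(source, "/")
    def watch(self, path):                   # attach the watch to the inode
        self.touch(path)
        self.watches.add(self.inodes[self._resolve(path, "/")])

    def touch(self, path, root="/"):         # returns True if audited
        canon = self._resolve(path, root)
        if canon not in self.inodes:         # new file -> brand-new inode
            self.inodes[canon] = self.next_ino
            self.next_ino += 1
        return self.inodes[canon] in self.watches

    def rm(self, path, root="/"):            # returns True if audited
        canon = self._resolve(path, root)
        audited = self.inodes.get(canon) in self.watches
        self.inodes.pop(canon, None)         # inode gone; the watch is now stale
        return audited

def run_cases():  # replay the three scenarios from the mail; returns audited flags
    m1 = WatchModel(); m1.watch("/etc/passwd")
    case1 = m1.touch("/etc/passwd", root="/mnt/d6")          # unrelated file
    m2 = WatchModel(); m2.watch("/etc/passwd"); m2.bind("/etc", "/mnt/d6/etc")
    case2 = m2.touch("/etc/passwd", root="/mnt/d6")          # alias of /etc
    m3 = WatchModel(); m3.watch("/etc/passwd"); m3.touch("/mnt/d6/etc/passwd")
    m3.bind("/etc/passwd", "/mnt/d6/etc/passwd")
    case3 = (m3.touch("/etc/passwd", root="/mnt/d6"),
             m3.rm("/etc/passwd", root="/mnt/d6"),
             m3.touch("/etc/passwd", root="/mnt/d6"))         # new inode, no watch
    return case1, case2, case3
```

`run_cases()` returns `(False, True, (True, True, False))`, matching the three outcomes listed in the mail.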