
Re: [RFC][PATCH] (#2) Prelim in-kernel file system auditing support



On Wed, 26 Jan 2005 23:42:10 CST, "Timothy R. Chavez" said:

> Unless, I was doing something wrong.  When I tested a watch point on
> both "/etc" and "passwd".  When I issued a "cat /etc/passwd" only a
> record for "passwd" was generated.  Then, when I did a "cat /etc", I
> received a record for "etc" -- I was only recording open() syscalls,
> however.

Ah.. Yes.. it won't call open() on /etc on the way to /etc/passwd.
There's OTHER places that you get hooks in that case.

Look around in fs/namei.c - link_path_walk ends up calling permission()
on each component of the path in turn - and permission() ends up doing all
the grunt work (file modes, ACLs, LSM, etc...)


Attachment: pgp00007.pgp
Description: PGP signature
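The per-component check described in the reply above can be observed from user space. This is an added example, not part of the original message or of the patch under discussion. The helper names `try_open` and `walk_demo` and the `/tmp/walkdemoXXXXXX` tree are constructed for illustration: the file is opened twice, and the only change in between is removing search permission from the intermediate directory, on which `open()` is never called.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open path read-only; return 0 on success, else the errno from open(). */
static int try_open(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Build <tmp>/dir/file (constructed sample tree), open the file, then drop
 * search (x) permission on "dir" and open it again. open() is never called
 * on "dir", yet the second attempt is refused during the path walk.
 * Root bypasses this check, so run unprivileged to see EACCES. */
int walk_demo(int *before, int *after)
{
    char root[] = "/tmp/walkdemoXXXXXX";
    char dir[64], file[80];
    int fd;

    if (!mkdtemp(root))
        return -1;
    snprintf(dir, sizeof dir, "%s/dir", root);
    snprintf(file, sizeof file, "%s/file", dir);
    if (mkdir(dir, 0700) < 0 || (fd = open(file, O_CREAT | O_WRONLY, 0644)) < 0)
        return -1;
    close(fd);
    *before = try_open(file);   /* every component is searchable */
    chmod(dir, 0600);           /* remove x from the intermediate directory */
    *after = try_open(file);    /* denied while walking through "dir" */
    chmod(dir, 0700);           /* restore so the cleanup below works */
    unlink(file); rmdir(dir); rmdir(root);
    return 0;
}

int main(void)
{
    int b, a;
    if (walk_demo(&b, &a) != 0) { perror("setup"); return 1; }
    printf("before: %s\nafter:  %s\n", strerror(b), strerror(a));
    return 0;
}
```

For auditing, the consequence is that a watch that records only open() sees the final path component, while the directories traversed on the way are visible only at the per-component permission check.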

