[RFC][PATCH] (#2) Prelim in-kernel file system auditing support

Valdis.Kletnieks at vt.edu
Thu Jan 27 05:57:03 UTC 2005


On Wed, 26 Jan 2005 23:42:10 CST, "Timothy R. Chavez" said:

> Unless, I was doing something wrong.  When I tested a watch point on
> both "/etc" and "passwd".  When I issued a "cat /etc/passwd" only a
> record for "passwd" was generated.  Then, when I did a "cat /etc", I
> received a record for "etc" -- I was only recording open() syscalls,
> however.

Ah.. Yes.. it won't call open() on /etc on the way to /etc/passwd.
There are OTHER places that you get hooks in that case.

Look around in fs/namei.c - link_path_walk ends up calling permission()
on each component of the path in turn - and permission() ends up doing all
the grunt work (file modes, ACLs, LSM, etc...)
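
The difference between the two hook points, as an added example that is not part of the original message and is not kernel code: a userspace model of a path walk that records which watched names fire when only open() is hooked versus when the per-component permission() check is hooked. The function `model_walk`, the name-based watch matching and the watch list are assumptions made for illustration.

```c
/* Userspace model (added example, not kernel code): which watched names
 * produce a record when hooking only open() vs. hooking permission(). */
#include <stdio.h>
#include <string.h>

#define MAX_COMP 16
#define NAME_LEN 64
enum hook_mode { HOOK_OPEN_ONLY, HOOK_PERMISSION };
struct hits { int n; char name[MAX_COMP][NAME_LEN]; };

/* Hypothetical watch lookup: matches a path component by name only. */
static int watched(const char *name, const char *const *watches, int nw)
{
    for (int i = 0; i < nw; i++)
        if (strcmp(name, watches[i]) == 0)
            return 1;
    return 0;
}

/* Returns the number of records, or -1 if the path is too long. */
int model_walk(const char *path, enum hook_mode mode,
               const char *const *watches, int nw, struct hits *out)
{
    char buf[256], *comp[MAX_COMP];
    int nc = 0;
    out->n = 0;
    if (strlen(path) >= sizeof(buf))
        return -1;
    strcpy(buf, path);
    for (char *t = strtok(buf, "/"); t && nc < MAX_COMP; t = strtok(NULL, "/"))
        comp[nc++] = t;
    for (int i = 0; i < nc; i++) {
        /* open() sees only the last component; permission() sees each one. */
        int hooked = (mode == HOOK_PERMISSION) || (i == nc - 1);
        if (hooked && watched(comp[i], watches, nw))
            snprintf(out->name[out->n++], NAME_LEN, "%s", comp[i]);
    }
    return out->n;
}

int main(void)
{
    static const char *const watches[] = { "etc", "passwd" }; /* constructed */
    struct hits h;
    model_walk("/etc/passwd", HOOK_OPEN_ONLY, watches, 2, &h);
    printf("open-only:  %d record(s), first=%s\n", h.n, h.name[0]);
    model_walk("/etc/passwd", HOOK_PERMISSION, watches, 2, &h);
    printf("permission: %d record(s): %s, %s\n", h.n, h.name[0], h.name[1]);
    return 0;
}
```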

