[RFC][PATCH] (#2) Prelim in-kernel file system auditing support
Valdis.Kletnieks at vt.edu
Thu Jan 27 05:57:03 UTC 2005
On Wed, 26 Jan 2005 23:42:10 CST, "Timothy R. Chavez" said:
> Unless, I was doing something wrong. When I tested a watch point on
> both "/etc" and "passwd". When I issued a "cat /etc/passwd" only a
> record for "passwd" was generated. Then, when I did a "cat /etc", I
> received a record for "etc" -- I was only recording open() syscalls,
> however.
Ah.. Yes.. it won't call open() on /etc on the way to /etc/passwd.
There's OTHER places that you get hooks in that case.
Look around in fs/namei.c - link_path_walk ends up calling permission()
on each component of the path in turn - and permission() ends up doing all
the grunt work (file modes, ACLs, LSM, etc...)
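
The difference between the two hook points described in this reply, as an added illustration that is not part of the original message and is not kernel code. It is a simplified userspace model: `audit_walk`, its `hook_permission` flag and the watch list are hypothetical names constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_HITS 8
#define NAME_LEN 32

/* Constructed watch list: the two names watched in the thread. */
static const char *watches[] = { "etc", "passwd" };

static int is_watched(const char *name)
{
    for (size_t i = 0; i < sizeof(watches) / sizeof(watches[0]); i++)
        if (strcmp(watches[i], name) == 0)
            return 1;
    return 0;
}

/* Simplified userspace model (hypothetical helper, not kernel code).
 * The walk checks every component, as permission() does; open() only sees
 * the last one. hook_permission=0 audits in open() only, 1 audits in the
 * per-component check. Returns the record count; names go to hits[]. */
int audit_walk(const char *path, int hook_permission, char hits[][NAME_LEN])
{
    int n = 0;
    const char *p = path + strspn(path, "/");
    while (*p) {
        size_t len = strcspn(p, "/");
        const char *next = p + len + strspn(p + len, "/");
        int is_last = (*next == '\0');
        if ((hook_permission || is_last) && len < NAME_LEN && n < MAX_HITS) {
            char name[NAME_LEN];
            memcpy(name, p, len);
            name[len] = '\0';
            if (is_watched(name))
                strcpy(hits[n++], name);
        }
        p = next;
    }
    return n;
}

int main(void)
{
    char hits[MAX_HITS][NAME_LEN];
    printf("open() hook only:  %d record(s)\n", audit_walk("/etc/passwd", 0, hits));
    printf("permission() hook: %d record(s)\n", audit_walk("/etc/passwd", 1, hits));
    return 0;
}
```

With the hook in open() only, "/etc/passwd" yields a single record for "passwd", matching the result reported in the quoted text; with the hook in the per-component check, the watch on "etc" fires as well.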