[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [RFC][PATCH] (#2) Prelim in-kernel file system auditing support


First, a note on previous discussion..

So I was just fixing a bug and I took a look at why I wasn't
generating a record for both "etc" and "passwd" if they were both
being watched and I issued a "cat /etc/paswd"

When I took a look, I saw that permission() isn't called on "etc", but
instead exec_permission_lite() is.  Once I hooked this function, I got
the expected audit records for both "etc" and "passwd"

I will release patch #3 most likely tommorow which addresses comments,
bugs, etc on patch #2.  I've yet to talk to Chris about the possible
bug he sees in d_move(), but hope to resolve that soon and have any
needed changes in patch #4.

Patch #4 will mostly introduce new features (and include any bug
fixes, comments, nits on patch #3).  Primarily the ability to
enable/disable the filesystem auditing dynamically (from userspace),
attaching a permissions bitmask to watch points, and a revision on the
audit_data preallocation mechanism.  I also hope to be able to release
a usespace patch to auditctl so that the code can be functionally
tested by people other then myself.

Thanks all!

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]