[RFC][PATCH] auditfs userspace
Steve Grubb
sgrubb at redhat.com
Tue Mar 8 14:29:19 UTC 2005
On Monday 07 March 2005 18:00, Timothy R. Chavez wrote:
> Here's the userspace patch for audit-0.6.5 -- It doesn't work as is.
>
> So please break..er test my code :)
Shouldn't these defines come from the kernel header?
diff -Nurp audit-0.6.5/src/auditctl.c audit-0.6.5-scratch/src/auditctl.c
--- audit-0.6.5/src/auditctl.c 2005-03-03 10:11:00.000000000 -0600
+++ audit-0.6.5-scratch/src/auditctl.c 2005-03-07 15:56:19.000000000 -0600
@@ -49,6 +49,14 @@
*/
#define LINE_SIZE 1600
+#define WATCH_MAY_EXEC 1
+#define WATCH_MAY_WRITE 2
+#define WATCH_MAY_READ 4
+#define WATCH_MAY_APPEND 8
+
+#define WATCH_NAME 1
+#define WATCH_FILTERKEY 2
+#define WATCH_PERMS 3
Also, just a little design comment, do we really need to have an enable for fs
auditing? Isn't there an implicit enabling by virtue of either having watches
or not having them?
Also, should there be a #ifdef CONFIG_AUDITFILESYSTEM? Shouldn't it be part of
the audit system? The audit ipc patch, for example, didn't declare itself
separately configurable.
-Steve
More information about the Linux-audit
mailing list