[RFC][PATCH] auditfs userspace
Timothy R. Chavez
chavezt at gmail.com
Tue Mar 8 15:14:37 UTC 2005
On Tue, 8 Mar 2005 09:29:19 -0500, Steve Grubb <sgrubb at redhat.com> wrote:
> On Monday 07 March 2005 18:00, Timothy R. Chavez wrote:
> > Here's the userspace patch for audit-0.6.5 -- It doesn't work as is.
> >
> > So please break..er test my code :)
>
> Shouldn't these defines come from the kernel header?
>
> diff -Nurp audit-0.6.5/src/auditctl.c audit-0.6.5-scratch/src/auditctl.c
> --- audit-0.6.5/src/auditctl.c 2005-03-03 10:11:00.000000000 -0600
> +++ audit-0.6.5-scratch/src/auditctl.c 2005-03-07 15:56:19.000000000 -0600
> @@ -49,6 +49,14 @@
> */
> #define LINE_SIZE 1600
>
> +#define WATCH_MAY_EXEC 1
> +#define WATCH_MAY_WRITE 2
> +#define WATCH_MAY_READ 4
> +#define WATCH_MAY_APPEND 8
> +
> +#define WATCH_NAME 1
> +#define WATCH_FILTERKEY 2
> +#define WATCH_PERMS 3
>
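Review bot: The two groups of defines added after LINE_SIZE have no comment, and they are different kinds of value: WATCH_MAY_EXEC through WATCH_MAY_APPEND (1, 2, 4, 8) are powers of two and read as combinable permission bits, while WATCH_NAME, WATCH_FILTERKEY and WATCH_PERMS (1, 2, 3) are sequential selectors. Because the numeric ranges overlap (1 and 2 appear in both groups), a selector passed where a permission mask is expected, or the reverse, would compile and run without any warning. Suggest a one-line comment above each group saying what it is for, and turning the selector group into an enum so the two cannot be confused. If the permission values are copies of definitions kept elsewhere, the comment should name that source so the copies can be checked against it when either side changes.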
> Also, just a little design comment, do we really need to have an enable for fs
> auditing? Isn't there an implicit enabling by virtue of either having watches
> or not having them?
>
> Also, should there be a #ifdef CONFIG_AUDITFILESYSTEM? Shouldn't it be part of
> the audit system? The audit ipc patch, for example, didn't declare itself
> separately configurable.
>
> -Steve

The bottom defines are simply used by the audit_watch_setup function
in userspace to figure out what part of the watch to set up. There's
no reason for them to be in the kernel. The auditfs piece does not
use the top four macros at all, so I see no reason for them to be in
kernel space either. These values come from include/linux/fs.h and I
thought it'd be easiest just to mirror them in userspace by copying
them over.
--
- Timothy R. Chavez