[RFC][PATCH] (#6 U1) the latest incarnation

Stephen Smalley sds at tycho.nsa.gov
Fri Mar 25 13:28:08 UTC 2005


On Fri, 2005-03-25 at 08:04 -0500, Stephen Smalley wrote:
> With regard to additional hook placement for audit_notify_watch, I think
> you likely do want to mirror the security*_post* hooks for file creation
> (create, mkdir, mknod, symlink), rename, and link with
> audit_notify_watch calls to perform notifications of such events.  Then
> you keep audit_attach_watch calls in the dcache routines to manage the
> i_audit fields and avoid races.  However, I think you need to check
> whether you truly need all of the current hook placements in the dcache
> routines or whether some of them are duplicative on the same code path,
> e.g. do you need both __d_lookup and d_instantiate/d_splice_alias
> hooked?

I don't see what the __d_lookup hook buys you, can you explain?  The
d_instantiate and d_splice_alias hooks ensure that you attach watches to
inodes when they are looked up or created before they can be accessed by
another thread via the dcache (since you call the hook before releasing
the dcache lock).  What do you need the __d_lookup hook for?

-- 
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency



