[RFC][PATCH] (#6 U1) the latest incarnation
Stephen Smalley
sds at tycho.nsa.gov
Fri Mar 25 17:05:54 UTC 2005
On Fri, 2005-03-25 at 11:07 -0600, Timothy R. Chavez wrote:
> I'm not entirely sure we should hook mknod or symlink. We're not making any
> claims about the watchability of a device, or symlink with this code. Do you
> agree?
We are only talking about post hooks to generate audit messages via
audit_notify_watch() if the inode has previously been marked by
audit_attach_watch(). Given your other hooks, it should already be
possible to audit reads and writes to device nodes (since a watch should
be possible to attach using your existing hooks in
d_instantiate/d_splice_alias and notifications should be generated using
your hook in permission), so why not allow auditing of creates as well?
Given that udev makes /dev dynamic, it seems like watches might be
important there as well, eh?
--
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
More information about the Linux-audit
mailing list