
Re: [RFC][PATCH] (#6 U1) the latest incarnation



On Fri, 2005-03-25 at 12:05 -0500, Stephen Smalley wrote:
> We are only talking about post hooks to generate audit messages via
> audit_notify_watch() if the inode has previously been marked by
> audit_attach_watch().  Given your other hooks, it should already be
> possible to audit reads and writes to device nodes (since a watch should
> be possible to attach using your existing hooks in
> d_instantiate/d_splice_alias and notifications should be generated using
> your hook in permission), so why not allow auditing of creates as well?
> Given that udev makes /dev dynamic, it seems like watches might be
> important there as well, eh?

As a trivial test of the ability to audit reads and writes to device
nodes already, I did:
	auditctl -w /dev/null
and then did:
	echo hello > /dev/null
As expected, this generated an audit record.

Hence, while it may be fine to omit symlinks, I see no reason to not
include an audit_notify_watch call at the end of vfs_mknod that allows
you to generate an audit record for device creations based on name, as
you can already attach watches to device nodes and generate audit for
opens on them.

-- 
Stephen Smalley <sds tycho nsa gov>
National Security Agency
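
The test described in the message above (a watch on /dev/null, then a redirected write) produces audit records that a defender still has to read back and correlate. The following is an added example, not code from this thread or from the audit project: it parses SYSCALL and PATH records, joins them by serial number, and reports device-node opens (with read/write direction) and device-node creates, which is the distinction the thread is discussing. The sample records are constructed and follow the modern auditd record layout on x86_64 (syscall numbers 2 = open, 133 = mknod); that layout, the x86_64 numbering and the key name "dev_watch" are assumptions here, not output quoted from the 2005 patch.

```python
import re

# Constructed sample audit records (not from the thread). The layout and the
# x86_64 syscall numbers are assumptions about the modern audit format.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1111111111.001:101): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd a1=241 a2=1b6 a3=0 items=1 ppid=900 pid=901 auid=1000 uid=1000 gid=1000 comm="bash" exe="/bin/bash" key="dev_watch"
type=PATH msg=audit(1111111111.001:101): item=0 name="/dev/null" inode=1029 dev=00:05 mode=020666 ouid=0 ogid=0 rdev=01:03 nametype=NORMAL
type=SYSCALL msg=audit(1111111111.002:102): arch=c000003e syscall=133 success=yes exit=0 a0=7ffe a1=21b6 a2=103 a3=0 items=2 ppid=900 pid=902 auid=1000 uid=0 gid=0 comm="mknod" exe="/bin/mknod" key="dev_watch"
type=PATH msg=audit(1111111111.002:102): item=0 name="/dev/" inode=1025 dev=00:05 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1111111111.002:102): item=1 name="/dev/mynull" inode=1042 dev=00:05 mode=020666 ouid=0 ogid=0 rdev=01:03 nametype=CREATE
type=SYSCALL msg=audit(1111111111.003:103): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd a1=0 a2=0 a3=0 items=1 ppid=900 pid=903 auid=1000 uid=1000 gid=1000 comm="cat" exe="/bin/cat" key="dev_watch"
type=PATH msg=audit(1111111111.003:103): item=0 name="/etc/hostname" inode=2000 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<time>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# x86_64 syscall numbers relevant here (assumption: arch=c000003e records).
SYSCALL_NAMES = {2: "open", 133: "mknod"}

S_IFMT, S_IFCHR, S_IFBLK = 0o170000, 0o020000, 0o060000
O_ACCMODE = 0o3
ACCESS_NAMES = {0: "read", 1: "write", 2: "rdwr"}


def parse_records(text):
    """Parse audit lines into (type, serial, fields) tuples; skip malformed lines."""
    out = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
        out.append((m.group("type"), int(m.group("serial")), fields))
    return out


def group_events(records):
    """Join the SYSCALL record and its PATH records by serial number into one event."""
    events = {}
    for rtype, serial, fields in records:
        ev = events.setdefault(serial, {"serial": serial, "syscall": None, "paths": []})
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "PATH":
            ev["paths"].append(fields)
    return [events[s] for s in sorted(events)]


def is_device_node(mode_str):
    """True when the octal PATH mode field denotes a character or block device."""
    return int(mode_str, 8) & S_IFMT in (S_IFCHR, S_IFBLK)


def device_node_events(text):
    """Return device-node creates and opens found in the watch's audit records."""
    hits = []
    for ev in group_events(parse_records(text)):
        sc = ev["syscall"]
        if sc is None:
            continue
        name = SYSCALL_NAMES.get(int(sc.get("syscall", -1)), "other")
        # For open(2), a1 is the flags word in hex; its low two bits give the direction.
        access = ACCESS_NAMES[int(sc["a1"], 16) & O_ACCMODE] if name == "open" else None
        for p in ev["paths"]:
            if not is_device_node(p["mode"]):
                continue  # parent directories and regular files are not of interest here
            hits.append({
                "serial": ev["serial"],
                "action": "create" if p.get("nametype") == "CREATE" else "access",
                "path": p["name"],
                "syscall": name,
                "access": access,
                "comm": sc.get("comm"),
                "uid": int(sc.get("uid", -1)),
            })
    return hits


if __name__ == "__main__":
    for hit in device_node_events(SAMPLE_AUDIT_LOG):
        print(hit)
```

Run against the constructed sample, the parser reports the redirected write to /dev/null from event 101 as a device-node access with direction "write" and the mknod in event 102 as a device-node create; event 103 touches a regular file and is dropped even though it carries the same watch key.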

