what's in the works

Timothy R. Chavez tinytim at us.ibm.com
Mon Mar 28 17:13:15 UTC 2005 

On Monday 28 March 2005 11:05 am, Timothy R. Chavez wrote:
> Hello,
>
> 1.  LIST WATCHES
>
> I'm just finishing up the "list watches" feature and I have a question. 
> With the current design, there is no way to tell the kernel, "give me a
> list of all watches".  Currently, a watch is a structure with these fields:
>
> name : the name of dentry->d_name that's to be watched
> filterkey : an arbitrary string no greater then 32 bytes (including
> terminating \0)
> perms : permissions filter
>
> Thus you really wouldn't know the location of these watches.  So, perhaps I
> could add a 'path' field which just kept the path I specified when the
> watch was inserted.  But, this too might be misleading (if we are to every
> change namespaces) or the administrator uses a relative path.  We
> technically do support relative paths when inserting/removing a watch (even
> though auditctl warns otherwise).  Furthermore, would this look bad when
> trying to sell this to fsdevel or LKML?
>
> So, the compromise I came up with is to add an option to auditctl, '-L'
> which would allow the admin to check the watches on a given path.  I think
> this fits decently with the idea behind this feature: to help the
> administrator remember what watches they set.  So now, it looks like this:
>
> ./auditctl -w /audit/foo
> ./auditctl -w /audit/bar
> ./auditctl -L /audit
>
> AUDIT_WATCH : LIST : /audit/foo
> AUDIT_WATCH : LIST : /audit/bar
>
> I'm working on getting the entire struct exported to userspace so we can
> also say something about the perms filter and filterkey.
>
> 2.  HOOKS
>
> So I've been experimenting around and have hooks capturing what I think is
> required by CAPP.  Klaus, when this patch is released we REALLY need your
> input and appraisal.  One of the problems we face here is that "access" can
> generate multiple records and for some reason it feels like the
> administrator would have to have some sort of knowledge of what's going on
> in the kernel that extends past intuition.  For this reason, I feel like
> perhaps I should have another field that provides some sort of context to
> the record.  So for instance, if the record was generated from a
> permissions function,  we'd set the "context" field to show that.  Is this
> a good idea?
>
> When I post the patch, I'll post it with a list of hooks and what each
> does.
>

3.  DELETE ALL WATCHES

This is something I was asked about last week because it'd be useful for the 
test team.  This should be relatively trivial to implement as a global linked 
list to all the watches.  I don't care about their locations in the 
filesystem, just that I can unlink them from their watchlists and put back 
all references so that they can be properly freed.  This will come later, 
after the next patch is out, because I really do need to get this... 
<exhibits self-control>... "darn thing", out.
 
-tim

More information about the Linux-audit mailing list