[RFC][PATCH 0/2] (#6 U2) filesystem auditing
Stephen Smalley
sds at tycho.nsa.gov
Wed Mar 30 17:21:41 UTC 2005
On Wed, 2005-03-30 at 11:23 -0600, Timothy R. Chavez wrote:
> > Why MAY_WRITE|MAY_EXEC
> > here? It is true that you would have checked search permission to the
> > parent directory, but that is handled by your permission hook, and this
> > is for the newly created inode, not the directory, right?
>
> Sure, this makes sense. I can pass a "0" here.
No, MAY_WRITE is correct (write access to the newly created inode).
MAY_EXEC doesn't make sense there. That was my point.
> Hm. How about this: I watch as root, /audit/foo (an ls on /audit reveals
> that it may only be written to by root). Then, as a non-root user, I attempt
> to mv /home/chavezt/bar /audit/foo. As expected, I'll fail, but no audit
> record will be generated.
>
> The rule is that we only receive records for a watched object once that object
> is, well, watched (i.e., after it's been created, before it's been destroyed,
> after it's moved into, before it's moved out of, etc.). Thus, the burden of
> capturing failures is on the parent directory (which is intuitive, right?).
> Doing so will generate records (from lstat, open, etc. via our permissions
> hook) about such failures. Is this reasonable?
I don't know - a question for Klaus I suppose.
--
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency