[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [RFC][PATCH 0/2] (#6 U2) filesystem auditing

On Wed, 2005-03-30 at 11:23 -0600, Timothy R. Chavez wrote:
> > here?  It is true that you would have checked search permission to the
> > parent directory, but that is handled by your permission hook, and this
> > is for the newly created inode, not the directory, right?
> Sure, this makes sense.  I can pass a "0" here.

No, MAY_WRITE is correct (write access to the newly created inode).
MAY_EXEC doesn't make sense there.  That was my point.

> Hm.  How about this:  I watch as root, /audit/foo (an ls on /audit reveals 
> that it may only be written to by root).  Then, as a non-root user, I attempt 
> to mv /home/chavezt/bar /audit/foo.  As expected, I'll fail, but no audit 
> record will be generated.  
> The rule is that we only receive records for a watched object once that object 
> is, well, watched (ie: after it's been created, before its been destroyed, 
> after it's moved in to, before it's moved out of, etc).  Thus, the burden of 
> capturing failures is on the parent directory (which is intuitive right?).  
> Doing so will generate records (from lstat, open, etc via our permissions' 
> hook) about such failures.  Is this reasonable?

I don't know - a question for Klaus I suppose.

Stephen Smalley <sds tycho nsa gov>
National Security Agency

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]