[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[PATCH 0/2] filesystem auditing: augment audit_inode


The following two patches augment the collection of inode info during
syscall processing.  They represent part of the functionality that was
provided by the auditfs patch included in RHEL4.

Specifically, they:

- Collect information for target inodes created or removed during
  syscalls.  Previous code only collects information for the target
  inode's parent.

- Add the audit_inode() hook to syscalls that operate on a file
  descriptor (e.g. fchown), enabling audit to do inode filtering for
  these calls.  

- Modify filtering code to check audit context for either an inode #
  or a parent inode # matching a given rule.

- Modify logging to provide inode # for both parent and child.

- Protect debug info from NULL audit_names.name.

Please let me know if you have any comments.  I'll note a concern of
my own in a following email.

I've done a fair amount of testing with these patches, and think it
would be good if we could start providing a test kernel for filesystem
auditing patches.  I think this should be separate from an audit-lspp
test kernel.

I based these patches off David's git tree, although the patch against
fsnotify should really be sent to the Inotify developers.  Any
thoughts on where these patches should live?  Could we have multiple
branches in David's audit git tree?


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]