[PATCH] filesystem location based auditing
Alexander Viro
aviro at redhat.com
Fri Feb 24 21:31:06 UTC 2006
* path_lookup() blocks. Don't do it under spinlocks; possible
approach is to do it early and pass pointer to nameidata down into
critical area.
* path_release() blocks. Dealing with path_lookup() will deal
with that - you simply do it after leaving the critical area.
* failing path_lookup() => no path_release() is needed in cleanup.
* spawning a thread blocks; FWIW, I'd try passing a list to
audit_remove_watch() and instead of kthread_... put on that list for
post-processing.
* inode number alone is not enough to compare fs objects;
several filesystems easily can have inodes with the same inode numbers.
That, BTW, gives a useful test - create a filesystem, copy it to device
of the same size with dd(1), then mount both. And try to mix watching
the corresponding places on both filesystems.
More information about the Linux-audit
mailing list