Re: [RFC][PATCH] filesystem auditing by location+name

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, Jun 11, 2005 at 11:55:11AM -0500, Timothy R. Chavez wrote:
> 1) Coverage
> 
> Inotify is only interested in a portion of the fs ops that we are interested 
> in.  Most notably, we need the ability to generate records every time the 
> [exec_]permission[_lite]() function is called.

That still means you could use the same infrastructure and now forward
these events to inotify-ish clients, right?

> 2) Processing
> 
> The processing of events has to occur in the kernel, not in user space.  
> Inotify collects events and tosses them back over the fence for processing.  
> We cannot introduce any window of opportunity for audit subversion.

still means it could be a client to the same core event processing code
and filesystem hooks, right?

> 
> You see, auditfs is interested in the inode at location+name, whatever it may 
> be when the auditable event occurs.  Thus, we've had to hook dcache to help 
> us with this processing.  This is something Inotify does not care about nor 
> should it.

Nor should the auditing code.  There's no way to find a good name for an
inode _at all_, and only the last pathname component for a dentry.  If you
try anything else your code is broken and will not get anywhere the mainline
kernel.

> 3) Queue
> 
> Depending on the work, there may be a requirement that no audit record can be 
> lost.  The message queue structure of inotify has the potential to overflow 
> and drop events.  This is a no-go for us, but perfectly reasonable for 
> inotify.
> 
> To make this work for us we'd have to hook the queueing functions to forward 
> events on to the audit subsystem.  This would basically mean fitting a system 
> that has been designed for interaction with userspace to also have 
> interaction with other parts of the kernel... again, hackish.

Or build inotify ontop of your system.  It's not like inotify is perfect
as-is (it's not, the userland interface is extremly horrible)

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux