Re: [PATCH] audit: file system auditing based on location and name

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Jul 07, 2005 at 03:48:37PM -0400, Steve Grubb wrote:
> On Thursday 07 July 2005 15:04, Greg KH wrote:
> > You are adding auditfs, a new userspace access, right?
> 
> Not sure what you mean. This is using the same netlink interface that all the 
> rest of the audit system is using for command and control. Nothing has 
> changed here. What is different is the message I send into the kernel. The 
> audit system dispatches it into Tim's code which in turn sets up the watch. 

What is auditfs for then?

> > His email provided no documentation that I could see.  Am I just missing
> > something?
> 
> The auditfs code is programmed by filling out the watch_transport structure 
> and sending a AUDIT_WATCH_INS message type. The perms, pathlen, & keylen are 
> all that's filled out. The path & key are stored back to back in the payload 
> section. To delete, you do the same thing and send AUDIT_WATCH_REM message. 
> Yes, this should be added to the documentation.

So how does userspace interact with auditfs?

> Tim's code lets you say I want change notification to this file only. The 
> notification follows the audit format with all relavant pieces of information 
> gathered at the time of the event and serialized with all other events.

That's great, and I understand the need for it.  I just see all the
duplication between this effort and inotify, and know of Tim's
reluctance to want to work with inotify, and am objecting to that.

> > Am I correct in thinking that you all need to split this patch into two
> > pieces, the new inode stuff, and auditfs, as neither one has anything to
> > do with the other?
> 
> It could be split to make it easier to read, but one's useless without the 
> other.

Ok, some documentation about auditfs would go a long way toward
understanding this...

thanks,

greg k-h
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]
  Powered by Linux