From mboxrd@z Thu Jan 1 00:00:00 1970 From: Serge Hallyn Subject: Re: [RFC][PATCH] (#3) file system auditing Date: Thu, 28 Apr 2005 16:50:02 -0500 Message-ID: <1114725002.25299.8.camel@serge> References: <1114549486.8169.57.camel@localhost> <20050426232819.GA11810@infradead.org> <1114720285.6554.88.camel@localhost> Mime-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit Cc: Christoph Hellwig , linux-fsdevel@vger.kernel.org Return-path: Received: from e33.co.us.ibm.com ([32.97.110.131]:46303 "EHLO e33.co.us.ibm.com") by vger.kernel.org with ESMTP id S262257AbVD1VqF (ORCPT ); Thu, 28 Apr 2005 17:46:05 -0400 Received: from westrelay02.boulder.ibm.com (westrelay02.boulder.ibm.com [9.17.195.11]) by e33.co.us.ibm.com (8.12.10/8.12.9) with ESMTP id j3SLk34I338586 for ; Thu, 28 Apr 2005 17:46:04 -0400 Received: from d03av01.boulder.ibm.com (d03av01.boulder.ibm.com [9.17.195.167]) by westrelay02.boulder.ibm.com (8.12.10/NCO/VER6.6) with ESMTP id j3SLk3YQ350178 for ; Thu, 28 Apr 2005 15:46:03 -0600 Received: from d03av01.boulder.ibm.com (loopback [127.0.0.1]) by d03av01.boulder.ibm.com (8.12.11/8.13.3) with ESMTP id j3SLk2Dj027623 for ; Thu, 28 Apr 2005 15:46:03 -0600 To: "Timothy R. Chavez" In-Reply-To: <1114720285.6554.88.camel@localhost> Sender: linux-fsdevel-owner@vger.kernel.org List-Id: linux-fsdevel.vger.kernel.org On Thu, 2005-04-28 at 15:31 -0500, Timothy R. Chavez wrote: > On Wed, 2005-04-27 at 00:28 +0100, Christoph Hellwig wrote: > > On Tue, Apr 26, 2005 at 04:04:46PM -0500, Timothy R. Chavez wrote: > > > Hello, > > > > > > The audit subsystem is currently incapable of auditing a file system > > > object based on its location and name. > > > > Hello Christoph, > > I apologize for the delay in my response. Thank you for your response. > I'll try to be succinct. > > > Which doesn't make sense in our world of per-process namespaces. AFAICT, it does so long as we are trying to audit non-admin users. I may be in a different namespace from the admin, but so long only the admin can mount over /etc, the auditing should still happen. An admin can mess us up by mounting /root/dummy/etc on top of /etc, but we expect the admin to know what he is doing. Note that this patch is not auditing based on full pathname. It audits based on the parent directory and filename. So even if /etc is bind mounted onto /mnt/root/etc, accessing /mnt/root/etc/passwd will still trigger an audit entry. Am I missing something? How do namespaces mess this up? thanks, -serge -- Serge Hallyn