From: "zhangxiliang"
Subject: RE: A question about the directory watch in audit_tree.c in kernel
Date: Wed, 21 May 2008 09:47:59 +0800
Message-ID: <002501c8bae4$b3491480$2e8da70a@fnste3fa5f55c4>
References: <001701c8ba16$77c11ad0$2e8da70a@fnste3fa5f55c4> <1211285172.20187.20.camel@pc070168.northgrum.com>
In-Reply-To: <1211285172.20187.20.camel@pc070168.northgrum.com>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: kevin.boyce@ngc.com
Cc: dwmw2@infradead.org, linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Sorry, I think my idea may not have been expressed correctly. An example follows:

1. mkdir test
2. touch test.c
3. auditctl -w /home/test -k 11
4. auditctl -w /home/test.c -k 11

The audit log is as follows:

node=mydomain type=CONFIG_CHANGE msg=audit(1211331237.488:307618): auid=0 subj=root:system_r:auditctl_t:s0-s0:c0.c1023 op=add rule key="11" list=4 res=1
node=mydomain type=CONFIG_CHANGE msg=audit(1211331242.045:307619): auid=0 subj=root:system_r:auditctl_t:s0-s0:c0.c1023 op=add rule key="11" list=4 res=1
==============> record the add rule operation

node=mydomain type=SYSCALL msg=audit(1211331247.517:307620): arch=40000003 syscall=38 success=yes exit=0 a0=bf974b80 a1=bf974b85 a2=805a8fc a3=bf974b85 items=4 ppid=19616 pid=19895 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=2689 comm="mv" exe="/bin/mv" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key="11"
node=mydomain type=CWD msg=audit(1211331247.517:307620): cwd="/home"
node=mydomain type=PATH msg=audit(1211331247.517:307620): item=0 name="/home" inode=1532577 dev=03:06 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:home_root_t:s0
node=mydomain type=PATH msg=audit(1211331247.517:307620): item=1 name="/home" inode=1532577 dev=03:06 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:home_root_t:s0
node=mydomain type=PATH msg=audit(1211331247.517:307620): item=2 name="test" inode=1535099 dev=03:06 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_dir_t:s0
node=mydomain type=PATH msg=audit(1211331247.517:307620): item=3 name="test1" inode=1535099 dev=03:06 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:user_home_dir_t:s0
===============> record the directory change (the information is supplied by the kernel function "audit_syscall_exit")

node=mydomain type=CONFIG_CHANGE msg=audit(1211331254.160:307621): op=updated rules specifying path="/home/test.c" with dev=4294967295 ino=4294967295 list=778332531 res=1
node=mydomain type=SYSCALL msg=audit(1211331254.160:307622): arch=40000003 syscall=38 success=yes exit=0 a0=bff86b7c a1=bff86b83 a2=805a8fc a3=0 items=4 ppid=19616 pid=19897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=2689 comm="mv" exe="/bin/mv" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key="11"
===============> record the file's changed status (the information is supplied by the kernel inotify hook function "fsnotify_move")

node=mydomain type=CWD msg=audit(1211331254.160:307622): cwd="/home"
node=mydomain type=PATH msg=audit(1211331254.160:307622): item=0 name="/home" inode=1532577 dev=03:06 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:home_root_t:s0
node=mydomain type=PATH msg=audit(1211331254.160:307622): item=1 name="/home" inode=1532577 dev=03:06 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:home_root_t:s0
node=mydomain type=PATH msg=audit(1211331254.160:307622): item=2 name="test.c" inode=1535101 dev=03:06 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:home_root_t:s0
node=mydomain type=PATH msg=audit(1211331254.160:307622): item=3 name="test1.c" inode=1535101 dev=03:06 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:home_root_t:s0
=================> record the file change (the information is supplied by the kernel function "audit_syscall_exit")

My question is: why is no information output by the kernel hook function when watching the directory? (There is only some information from "audit_syscall_exit".)

Correct me if I am wrong, but I think that when watching a directory, kernel-audit could also supply more information from the kernel hook function, as the audit file watch and inotify_user do.

Compare the kernel code for a file watch and a directory watch:

in auditfilter.c:

    /* Update watch data in audit rules based on inotify events. */
    void audit_handle_ievent(struct inotify_watch *i_watch, u32 wd, u32 mask,
                             u32 cookie, const char *dname, struct inode *inode)
    {
        struct audit_parent *parent;

        parent = container_of(i_watch, struct audit_parent, wdata);

        if (mask & (IN_CREATE|IN_MOVED_TO) && inode)
            audit_update_watch(parent, dname, inode->i_sb->s_dev,
                               inode->i_ino, 0);
        else if (mask & (IN_DELETE|IN_MOVED_FROM))
            audit_update_watch(parent, dname, (dev_t)-1, (unsigned long)-1, 1);
        /* inotify automatically removes the watch and sends IN_IGNORED */
        else if (mask & (IN_DELETE_SELF|IN_UNMOUNT))
            audit_remove_parent_watches(parent);
        /* inotify does not remove the watch, so remove it manually */
        else if (mask & IN_MOVE_SELF) {
            audit_remove_parent_watches(parent);
            inotify_remove_watch_locked(audit_ih, i_watch);
        } else if (mask & IN_IGNORED)
            put_inotify_watch(i_watch);
    }

in audit_tree.c:

    static void handle_event(struct inotify_watch *watch, u32 wd, u32 mask,
                             u32 cookie, const char *dname, struct inode *inode)
    {
        struct audit_chunk *chunk = container_of(watch, struct audit_chunk, watch);

        if (mask & IN_IGNORED) {
            evict_chunk(chunk);
            put_inotify_watch(watch);
        }
    }

I can see that "handle_event" in audit_tree.c has no code at all for the masks "IN_CREATE, IN_MOVED_TO, IN_DELETE, IN_MOVED_FROM, IN_DELETE_SELF, IN_UNMOUNT, IN_MOVE_SELF". So no information is output by the kernel hook function when watching a directory.

--
Regards
Zhang Xiliang

________________________________
From: Kevin Boyce [mailto:kevin.boyce@ngc.com]
Sent: Tuesday, May 20, 2008 8:06 PM
To: zhangxiliang
Cc: 'Steve Grubb'; dwmw2@infradead.org; linux-audit@redhat.com
Subject: Re: A question about the directory watch in audit_tree.c in kernel

Correct me if I am wrong, but in doing the auditctl -w /home, the only thing that is being audited is the inode entry for the directory itself. You need to construct an explicit list of each file you want to watch. You can do this rather easily with a combination of find and awk.

Regards.
Kevin

On Tue, 2008-05-20 at 09:11 +0800, zhangxiliang wrote:

Hi,

When I use "auditctl -w /home" to watch a directory, nothing about changes to the directory is output. I found the audit tree "handle_event" in audit_tree.c in the kernel. It is implemented as follows:

    static void handle_event(struct inotify_watch *watch, u32 wd, u32 mask,
                             u32 cookie, const char *dname, struct inode *inode)
    {
        struct audit_chunk *chunk = container_of(watch, struct audit_chunk, watch);

        if (mask & IN_IGNORED) {
            evict_chunk(chunk);
            put_inotify_watch(watch);
        }
    }

In "handle_event", the mask can be "IN_MOVED_FROM", "IN_MOVED_TO", "IN_DELETE_SELF", "IN_IGNORED" and so on. Why does it only deal with the mask "IN_IGNORED" and ignore the other masks?

--
Regards
Zhang Xiliang

--------------------------------------------------
Zhang Xiliang
Development Dept.I
Nanjing Fujitsu Nanda Software Tech. Co., Ltd.(FNST)
8/F., Civil Defense Building, No.189 Guangzhou Road, Nanjing, 210029, China
TEL: +86+25-86630566-838
COINS: 79955-838
FAX: +86+25-83317685
MAIL: zhangxiliang@cn.fujitsu.com
--------------------------------------------------

This communication is for use by the intended recipient(s) only and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you are not an intended recipient of this communication, you are hereby notified that any dissemination, distribution or copying hereof is strictly prohibited. If you have received this communication in error, please notify me by reply e-mail, permanently delete this communication from your system, and destroy any hard copies you may have printed.

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
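An added example, not code from the thread or from the kernel, that turns the observation in the log above into a check an operator can run over audit output: it groups records by event serial, takes the source and destination of each mv from the PATH items (same inode, different name), and reports whether a CONFIG_CHANGE "updated rules" record was logged for the source path. The sample log is a trimmed subset of the records quoted in the thread, constructed here; the function names are my own.

```python
"""Correlate Linux audit records by event serial and check whether renaming a
watched path produced a CONFIG_CHANGE "updated rules" record.

Added example for the linux-audit thread; not code from the thread or the
kernel. SAMPLE_LOG is a constructed, trimmed subset of the records quoted in
the thread (fields not needed for the check are dropped)."""
import os
import re
from collections import defaultdict

SAMPLE_LOG = """\
type=CONFIG_CHANGE msg=audit(1211331237.488:307618): auid=0 op=add rule key="11" list=4 res=1
type=SYSCALL msg=audit(1211331247.517:307620): arch=40000003 syscall=38 success=yes exit=0 items=4 pid=19895 comm="mv" exe="/bin/mv" key="11"
type=CWD msg=audit(1211331247.517:307620): cwd="/home"
type=PATH msg=audit(1211331247.517:307620): item=0 name="/home" inode=1532577 dev=03:06 mode=040755
type=PATH msg=audit(1211331247.517:307620): item=1 name="/home" inode=1532577 dev=03:06 mode=040755
type=PATH msg=audit(1211331247.517:307620): item=2 name="test" inode=1535099 dev=03:06 mode=040755
type=PATH msg=audit(1211331247.517:307620): item=3 name="test1" inode=1535099 dev=03:06 mode=040755
type=CONFIG_CHANGE msg=audit(1211331254.160:307621): op=updated rules specifying path="/home/test.c" with dev=4294967295 ino=4294967295 list=778332531 res=1
type=SYSCALL msg=audit(1211331254.160:307622): arch=40000003 syscall=38 success=yes exit=0 items=4 pid=19897 comm="mv" exe="/bin/mv" key="11"
type=CWD msg=audit(1211331254.160:307622): cwd="/home"
type=PATH msg=audit(1211331254.160:307622): item=0 name="/home" inode=1532577 dev=03:06 mode=040755
type=PATH msg=audit(1211331254.160:307622): item=1 name="/home" inode=1532577 dev=03:06 mode=040755
type=PATH msg=audit(1211331254.160:307622): item=2 name="test.c" inode=1535101 dev=03:06 mode=0100644
type=PATH msg=audit(1211331254.160:307622): item=3 name="test1.c" inode=1535101 dev=03:06 mode=0100644
"""

RECORD_RE = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value may be quoted


def parse_record(line):
    """Split one record into (type, timestamp, serial, {field: value}) or None."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return rtype, ts, serial, fields


def parse_events(log):
    """Group records that share a serial into one event, keeping log order."""
    events = {}
    for line in log.splitlines():
        parsed = parse_record(line)
        if parsed is None:
            continue
        rtype, ts, serial, fields = parsed
        ev = events.setdefault(serial, {"ts": ts, "records": []})
        ev["records"].append({"type": rtype, "fields": fields})
    return events


def find_renames(events):
    """Return (serial, old_path, new_path) for each SYSCALL event of comm "mv".

    A rename leaves two PATH items with the same inode but different names;
    the lower item number is the source and the higher one the destination."""
    renames = []
    for serial, ev in events.items():
        recs = ev["records"]
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if syscall is None or syscall["fields"].get("comm") != "mv":
            continue
        cwd = next((r["fields"]["cwd"] for r in recs if r["type"] == "CWD"), "/")
        by_inode = defaultdict(list)
        for r in recs:
            if r["type"] == "PATH":
                by_inode[r["fields"]["inode"]].append(r["fields"])
        for items in by_inode.values():
            items = sorted(items, key=lambda f: int(f["item"]))
            if len(items) == 2 and items[0]["name"] != items[1]["name"]:
                old = os.path.join(cwd, items[0]["name"])
                new = os.path.join(cwd, items[1]["name"])
                renames.append((serial, old, new))
    return renames


def rule_updates(events):
    """Map each path named in a CONFIG_CHANGE 'updated rules' record to its serial."""
    updates = {}
    for serial, ev in events.items():
        for r in ev["records"]:
            f = r["fields"]
            if r["type"] == "CONFIG_CHANGE" and f.get("op") == "updated" and "path" in f:
                updates[f["path"]] = serial
    return updates


def correlate(log):
    """For every rename, report whether a rule update was logged for the source.

    On the thread's log this is True for the watched file /home/test.c and
    False for the watched directory /home/test."""
    events = parse_events(log)
    updates = rule_updates(events)
    return [(old, new, old in updates) for _, old, new in find_renames(events)]


if __name__ == "__main__":
    for old, new, updated in correlate(SAMPLE_LOG):
        status = "rule update logged" if updated else "NO rule update logged"
        print(f"{old} -> {new}: {status}")
```

A watched path whose rename leaves no "updated rules" record is one whose watch may no longer be bound to anything on disk, which is the gap the thread is describing; running this kind of correlation after a rule set is loaded is a cheap way to confirm that the rules still cover what they were meant to.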