From: James Antill
To: "Timothy R. Chavez"
Cc: linux-audit@redhat.com
Subject: Re: close(2) not being audited?
Date: Sun, 28 Jan 2007 16:40:56 -0500
Message-ID: <1170020456.26475.6.camel@code.and.org>

On Fri, 2007-01-26 at 17:46 -0600, Timothy R. Chavez wrote:
> Yep, I was referring to last reference to opened file.
>
> I'd hate to suggest adding a field to the file like "opened_as" which would
> store the original fd it was assigned, but that would be enough to associate
> the open() record and the final "close" record.

    fd1 = open(...);
    ptr1 = mmap(fd1, ...);
    close(fd1);
    fd2 = open(...);
    assert(fd1 == fd2);
    ptr2 = mmap(fd2, ...);
    close(fd2);
    munmap(ptr1, ...);
    munmap(ptr2, ...);

...what should appear in the logs here? How are you going to tell which
fd each munmap() belongs to? Maybe you mean "log inode/device for the
file" and not "original fd", and then if/when you get confused it
doesn't matter?

-- 
James Antill
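
The fd-reuse sequence from the message above, as an added C example (not code from the original post or from the Linux audit project). It shows the second open receiving the same descriptor number while device/inode still tell the two mapped files apart; `struct audit_rec`, `open_map_close` and `same_file` are hypothetical names, and a POSIX system with a writable /tmp is assumed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical record for this example; not the kernel audit format. */
struct audit_rec {
    int fd;               /* descriptor number handed out at open time */
    dev_t dev; ino_t ino; /* identity that survives fd reuse */
    char *map;            /* mapping that outlives the descriptor */
};

/* Create a one-byte temp file, record it, map it, close the fd. 0 = ok. */
static int open_map_close(struct audit_rec *r, char tag)
{
    char path[] = "/tmp/fdreuse-XXXXXX";   /* assumes a writable /tmp */
    struct stat st;
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);         /* the file lives on through fd and mapping */
    if (write(fd, &tag, 1) != 1 || fstat(fd, &st) != 0) {
        close(fd);
        return -1;
    }
    r->fd = fd;
    r->dev = st.st_dev;
    r->ino = st.st_ino;
    r->map = mmap(NULL, 1, PROT_READ, MAP_SHARED, fd, 0);
    close(fd);            /* this number is free again; the next open gets it */
    return r->map == MAP_FAILED ? -1 : 0;
}

/* Two records name the same file only if device and inode both match. */
static int same_file(const struct audit_rec *a, const struct audit_rec *b)
{
    return a->dev == b->dev && a->ino == b->ino;
}

int main(void)
{
    struct audit_rec a, b;
    if (open_map_close(&a, 'A') || open_map_close(&b, 'B'))
        return 1;
    printf("fd1=%d fd2=%d same_file=%d\n", a.fd, b.fd, same_file(&a, &b));
    return munmap(a.map, 1) || munmap(b.map, 1);
}
```

A record keyed only on the `fd` field would give both `munmap()` calls the same label, even though the two mappings still read back different file contents.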