From: Klaus Heinrich Kiwi
Subject: Re: [PATCH 1/7] audit: convert audit watches to use fsnotify instead of inotify
Date: Tue, 16 Jun 2009 13:09:49 -0300
Message-ID: <1245168590.4771.20.camel@klausk.localdomain>
References: <20090612203159.12332.42771.stgit@paris.rdu.redhat.com> <1245165908.4771.2.camel@klausk.localdomain> <1245167038.2848.25.camel@localhost.localdomain>
In-Reply-To: <1245167038.2848.25.camel@localhost.localdomain>
To: Eric Paris
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tue, 2009-06-16 at 11:43 -0400, Eric Paris wrote:
> Note that audit watches don't use inotify to do any of the actual
> auditing. They just use inotify to discover the watched files were
> created or removed. So we weren't using much of the inotify feature
> set.

Eric, thanks for the thorough explanation.

It's been a while since I last looked, but the file watches are being audited at the syscall level, right? So inotify/fsnotify is used to associate a filename to an inode when the file is created, or to deassociate when it is removed.

Is the rename/mv also covered by those or differently? I remember that moving a file around doesn't invalidate its rule (the file's inode is still the same), but auditctl -l doesn't follow the name around, for example. But that's also probably the right thing to do in that case, I'm not sure.

-Klaus

-- 
Klaus Heinrich Kiwi
Linux Security Development, IBM Linux Technology Center
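The mechanism under discussion, filename-to-inode association driven by notifications on the watched path's parent directory, can be seen from userspace with plain inotify. The program below is an added example written for this page; it is not code from the patch series, the kernel's audit_watch code, or either participant. It puts a watch on a fresh temporary directory (the directory name, the child names "watched" and "renamed", and the helper names are all constructed for illustration), then creates, renames and unlinks a child and records which event bits arrived for each name. It requires Linux and a writable TMPDIR or /tmp, and no privileges.

```c
/* Added example: what a watch on the parent directory sees when a named
 * child is created, renamed and unlinked. Not from the patch or the thread;
 * temp directory, file names and helper names are constructed here. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <unistd.h>

/* Accumulated event masks, keyed by the child name the event carried. */
struct child_events {
    uint32_t old_name;  /* events whose name was "watched" */
    uint32_t new_name;  /* events whose name was "renamed" */
};

/* Drain a non-blocking inotify fd and OR each event's mask into the slot
 * for its name. Events without a name (directory-self events) are ignored. */
static void drain(int fd, struct child_events *ev)
{
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    for (;;) {
        ssize_t len = read(fd, buf, sizeof buf);
        if (len <= 0)
            break;  /* EAGAIN: queue is empty */
        for (char *p = buf; p < buf + len;) {
            struct inotify_event *e = (struct inotify_event *)p;
            if (e->len && strcmp(e->name, "watched") == 0)
                ev->old_name |= e->mask;
            else if (e->len && strcmp(e->name, "renamed") == 0)
                ev->new_name |= e->mask;
            p += sizeof *e + e->len;
        }
    }
}

/* Create /dir/watched, rename it to /dir/renamed, unlink it, and collect
 * the events the parent-directory watch produced. Returns 0 on success. */
int observe_lifecycle(struct child_events *ev)
{
    const char *tmp = getenv("TMPDIR");
    char dir[256], oldp[320], newp[320];
    int fd = -1, ffd, ret = -1;

    memset(ev, 0, sizeof *ev);
    snprintf(dir, sizeof dir, "%s/auditwatch-XXXXXX", tmp ? tmp : "/tmp");
    if (!mkdtemp(dir))
        return -1;
    snprintf(oldp, sizeof oldp, "%s/watched", dir);
    snprintf(newp, sizeof newp, "%s/renamed", dir);

    fd = inotify_init1(IN_NONBLOCK | IN_CLOEXEC);
    if (fd < 0)
        goto out;
    /* The watch goes on the parent directory: the child does not exist yet. */
    if (inotify_add_watch(fd, dir, IN_CREATE | IN_DELETE | IN_MOVED_FROM | IN_MOVED_TO) < 0)
        goto out;

    ffd = open(oldp, O_WRONLY | O_CREAT | O_EXCL, 0600);   /* IN_CREATE     "watched" */
    if (ffd < 0)
        goto out;
    close(ffd);
    if (rename(oldp, newp) < 0)                             /* IN_MOVED_FROM "watched",
                                                               IN_MOVED_TO   "renamed" */
        goto out;
    if (unlink(newp) < 0)                                   /* IN_DELETE     "renamed" */
        goto out;

    drain(fd, ev);
    ret = 0;
out:
    if (fd >= 0)
        close(fd);
    unlink(oldp);
    unlink(newp);
    rmdir(dir);
    return ret;
}

int main(void)
{
    struct child_events ev;
    if (observe_lifecycle(&ev) != 0) {
        perror("observe_lifecycle");
        return 1;
    }
    printf("watched: create=%d moved_from=%d\n",
           !!(ev.old_name & IN_CREATE), !!(ev.old_name & IN_MOVED_FROM));
    printf("renamed: moved_to=%d delete=%d\n",
           !!(ev.new_name & IN_MOVED_TO), !!(ev.new_name & IN_DELETE));
    return 0;
}
```

A rename within the directory is reported as two events, IN_MOVED_FROM carrying the old name and IN_MOVED_TO carrying the new one (both with the same cookie), so a watch keyed on the parent directory sees the name disappear and a different name appear even though the inode itself is unchanged. A rename across directories delivers the two halves to two different parent watches.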