public inbox for linux-audit@redhat.com
From: Eric Paris <eparis@redhat.com>
To: Klaus Heinrich Kiwi <klausk@linux.vnet.ibm.com>
Cc: linux-audit@redhat.com
Subject: Re: [PATCH 1/7] audit: convert audit watches to use fsnotify instead of inotify
Date: Fri, 19 Jun 2009 17:03:50 -0400
Message-ID: <1245445430.19333.80.camel@dhcp235-23.rdu.redhat.com>
In-Reply-To: <1245168590.4771.20.camel@klausk.localdomain>

On Tue, 2009-06-16 at 13:09 -0300, Klaus Heinrich Kiwi wrote:
> On Tue, 2009-06-16 at 11:43 -0400, Eric Paris wrote:
> > Note that audit watches don't use inotify to do any of the actual
> > auditing.  They just use inotify to discover the watched files were
> > created or removed.  So we weren't using much of the inotify feature
> > set.
> 
> Eric, 
> 
>  thanks for the thorough explanation.
> 
> It's been a while since I last looked, but the file watches are being
> audited at the syscall level, right? So inotify/fsnotify is used to
> associate a filename to an inode when the file is created, or to
> deassociate when it is removed. Is the rename/mv also covered by those
> or differently? I remember that moving a file around doesn't invalidate
> its rule (the file's inode is still the same), but auditctl -l doesn't
> follow the name around, for example.
> 
> But that's also probably the right thing to do in that case, I'm not
> sure.

So fsnotify and inotify are the same in these regards.  Basically a
watch is really on a "directory inode + a name".  It's easiest to explain
what goes on in examples.

-F path=/tmp/dir1/file1 so the inotify/fsnotify watch is attached to
the /tmp/dir1 inode.  We also maintain that what we care about is
"file1"

If you mv /tmp/dir1 to /tmp/dir2 the rule is deleted from the system
(and an audit config change record is written in the logs)

If instead you create /tmp/dir1/file1 we get a notification, update the
lists with the new inode number for /tmp/dir1/file1 and at syscall exit
will output a record if the /tmp/dir1/file1 was accessed.

If you delete /tmp/dir1/file1 or move it to /tmp/dir1/file2 we will
update the lists with the fact that there is no inode
for /tmp/dir1/file1 and so when a syscall exits it will obviously not
find that it needs to output a record.

So we handle add/remove/mv of the actual file of a watch as would be
expected.  If the file this syscall accessed was called [blah] at
syscall exit we will emit a watch.  If the file wasn't called [blah] we
won't.  The only thing interesting is removing or moving the parent
directory, which actually removes the whole rule never to return.

-Eric
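An added example, not code from this mail or from the kernel's audit subsystem: a small Python model of the watch semantics Eric walks through above. A rule is keyed on (parent directory inode, basename), fsnotify events bind or unbind the inode for that name, and syscall exit matches only on the currently bound inode. The inode numbers used are constructed.

```python
from typing import Dict, List, Optional, Tuple


class AuditWatchModel:
    """Toy model of audit watches: rules live on a parent dir inode plus a name."""

    def __init__(self) -> None:
        # (parent_ino, name) -> inode currently bound to that name, or None
        self.watches: Dict[Tuple[int, str], Optional[int]] = {}
        self.config_log: List[str] = []  # stands in for audit config change records

    def add_rule(self, parent_ino: int, name: str, ino: Optional[int]) -> None:
        """auditctl -w <dir>/<name>: mark the parent inode, remember the name."""
        self.watches[(parent_ino, name)] = ino

    def on_create(self, parent_ino: int, name: str, ino: int) -> None:
        """fsnotify reported <name> created (or moved in) under parent_ino."""
        if (parent_ino, name) in self.watches:
            self.watches[(parent_ino, name)] = ino

    def on_remove(self, parent_ino: int, name: str) -> None:
        """fsnotify reported <name> deleted (or moved away) under parent_ino."""
        if (parent_ino, name) in self.watches:
            self.watches[(parent_ino, name)] = None

    def on_rename(self, parent_ino: int, old: str, new: str, ino: int) -> None:
        """mv within the same directory: the old name unbinds, the new name binds."""
        self.on_remove(parent_ino, old)
        self.on_create(parent_ino, new, ino)

    def on_parent_gone(self, parent_ino: int) -> None:
        """Parent directory deleted or moved away: its rules are dropped for good."""
        for key in [k for k in self.watches if k[0] == parent_ino]:
            del self.watches[key]
            self.config_log.append(f"CONFIG_CHANGE: watch removed {key[1]}")

    def syscall_exit(self, accessed_ino: int) -> List[str]:
        """Names whose bound inode this syscall touched, i.e. records to emit."""
        return [name for (_, name), ino in self.watches.items()
                if ino is not None and ino == accessed_ino]
```

Renaming file1 to file2 and back shows why `auditctl -l` never follows the name: the rule stays on "file1", and only the inode behind that name changes.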
