From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: -F dir=/nfs/path ?
Date: Fri, 06 Jul 2012 14:18:41 -0400
Message-ID: <1808076.PZP4QESpkR@x2>
References: <CALnj_=4EY1wuC0_NnGAW4SdcJr7nNwKbsti528JvrzQwY0UFwQ@mail.gmail.com>
	<CALnj_=7NU-wXti3k=Fb0zRFOi_3BOOtWA3jbrzeGTaPkDRwn2w@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <CALnj_=7NU-wXti3k=Fb0zRFOi_3BOOtWA3jbrzeGTaPkDRwn2w@mail.gmail.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wednesday, June 27, 2012 09:14:04 AM Peter Moody wrote:
> Did some digging and this is my understanding. Please correct me if
> I'm grossly mistaken.
> 
> -F dir=foo is a tree rule, not a watch rule.

Correct.


> At syscall exit time, audit_filter_syscall is called which checks the
> parameters of
> the syscall against each of the installed rules.
> 
> When it gets to the dir rule, it checks to see if the 'tree'
> associated with the given
> task matches the 'associated' with the rule, basically walking up the
> path from '/' to
> the end to see if it matches the given rule tree.
> 
> There should be no extra nfs traffic, and there should be no blowing
> up of inotify/fsnotify watch lists for something like this.
> 
> kernel callpath:
> call __audit_syscall_exit arch/x86/kernel/entry_32|64.S
>  __audit_free kernel/auditsc.c:1752
>  audit_get_context kernel/auditsc.c:957
>   audit_filter_syscall kernel/auditsc.c:877
>    audit_filter_rules kernel/auditsc.c:603
>     match_tree_refs kernel/auditsc.c:444
>      audit_tree_match kernel/audit_tree.c:198
> 
> Does that sound right?

I'm not sure NFS is supported. I don't remember the reason as its been a long 
time. But if you have NFS for a home dir, then it should be easy to test.

-Steve

 
> On Tue, Jun 26, 2012 at 11:01 AM, Peter Moody <pmoody@google.com> wrote:
> > How does auditd perform on a rule like the following, assuming that
> > /home/ is an nfs mount?
> > 
> > -a exit,always -F arch=b64 -S open -F dir=/home/ -F a2&2 -F success=1
> > -C euid!=obj_uid -k
> > 
> > Does this become a watch rule (and to watch rules even work with nfs)?
> > Assuming that the mount map for /home/ is giant (several K entries),
> > does this run the risk of filling fsnotify (inotify?) watch lists?
> > 
> > Cheers,
> > peter
> > 
> > --
> > Peter Moody      Google    1.650.253.7306
> > Security Engineer  pgp:0xC3410038