From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Timothy R. Chavez"
Subject: Re: close(2) not being audited?
Date: Fri, 26 Jan 2007 18:03:22 -0600
Message-ID: <20070126180322.74db01da@crumpet>
References: <200701261237.40345.sgrubb@redhat.com> <20070126221933.GF14621@devserv.devel.redhat.com> <20070126170112.6ac08156@crumpet> <20070126232910.GH14621@devserv.devel.redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
In-Reply-To: <20070126232910.GH14621@devserv.devel.redhat.com>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Alexander Viro
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Fri, 26 Jan 2007 18:29:10 -0500
Alexander Viro wrote:

> On Fri, Jan 26, 2007 at 05:01:12PM -0600, Timothy R. Chavez wrote:
> > > What do you want in the log? More specifically, _when_ do you want it?
> >
> > Write out a log when the last reference to the fd is put back... whether
> > that's from a close or an munmap.
>
> BTW... Consider the following: threads A and B share descriptor table.
> Their stdin is a terminal.
>     Apr 1: thread A calls read(0, buf, 512);
>     Apr 2: thread B does close(0);
>     May 1: user hits enter
>
> After Apr 2 we'll have descriptor 0 closed. Thread A is still sitting in
> read() and it couldn't care less about descriptors. The file is still
> opened, even though all descriptors are gone.
>
> On May 1 read() in thread A finally completes. Upon exit from read()
> we give up a reference to file, so it finally gets closed.
>
> IOW, you'll get "it's been closed by read(2)" in logs. The same
> may apply to any system call doing file IO. So userland would better
> not assume that something recognizable is doing that...

That seems perfectly reasonable to me.

-tim
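Added example, not part of the original thread or of any kernel or audit code: a small Linux C program that reproduces the quoted scenario, with a pipe standing in for the terminal. The names `close_while_reading`, `reader_main` and `struct reader` are constructed for this illustration, and the short sleep is only a crude way to let thread A block before the close.

```c
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <unistd.h>

struct reader { int fd; atomic_int started; ssize_t got; };

/* "Thread A": blocks in read() on a descriptor from the shared table. */
static void *reader_main(void *arg)
{
    struct reader *r = arg;
    char buf[512];
    atomic_store(&r->started, 1);
    r->got = read(r->fd, buf, sizeof buf);
    return NULL;
}

/* Returns the byte count thread A's read() delivered; *fd_gone is 1 if the
 * descriptor was already invalid while that read() was still in flight. */
int close_while_reading(int *fd_gone)
{
    int p[2];
    pthread_t a;
    if (pipe(p) < 0)
        return -1;
    struct reader r = { .fd = p[0] };
    if (pthread_create(&a, NULL, reader_main, &r) != 0)
        return -1;
    while (!atomic_load(&r.started))
        usleep(1000);
    usleep(200 * 1000);   /* crude: give thread A time to block in read() */

    close(p[0]);          /* "thread B": close(2) removes the descriptor */
    *fd_gone = (fcntl(p[0], F_GETFD) == -1 && errno == EBADF);

    ssize_t w = write(p[1], "audit", 5);  /* the "user hits enter" moment */
    pthread_join(a, NULL);  /* read() returns; read-end file ref is dropped */
    close(p[1]);
    return (w == 5) ? (int)r.got : -1;
}

int main(void)
{
    int gone = 0;
    int n = close_while_reading(&gone);
    printf("descriptor invalid during read: %d, read() returned: %d\n", gone, n);
    return n == 5 ? 0 : 1;
}
```

The read still returns the 5 bytes written after the descriptor was closed, so a record keyed to the final release of the file would be emitted in the context of read(2), not close(2).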