From mboxrd@z Thu Jan 1 00:00:00 1970
From: Alexander Viro
Subject: Re: close(2) not being audited?
Date: Fri, 26 Jan 2007 18:29:10 -0500
Message-ID: <20070126232910.GH14621@devserv.devel.redhat.com>
References: <200701261237.40345.sgrubb@redhat.com> <20070126221933.GF14621@devserv.devel.redhat.com> <20070126170112.6ac08156@crumpet>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20070126170112.6ac08156@crumpet>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: "Timothy R. Chavez"
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Fri, Jan 26, 2007 at 05:01:12PM -0600, Timothy R. Chavez wrote:
> > What do you want in the log? More specifically, _when_ do you want it?
>
> Write out a log when the last reference to the fd is put back... whether
> that's from a close or an munmap.

BTW... Consider the following: threads A and B share descriptor table.
Their stdin is a terminal.

Apr 1: thread A calls read(0, buf, 512);
Apr 2: thread B does close(0);
May 1: user hits enter

After Apr 2 we'll have descriptor 0 closed. Thread A is still sitting in
read() and it couldn't care less about descriptors. The file is still
opened, even though all descriptors are gone. On May 1 read() in thread A
finally completes. Upon exit from read() we give up a reference to file,
so it finally gets closed.

IOW, you'll get "it's been closed by read(2)" in logs. The same may apply
to any system call doing file IO. So userland had better not assume that
something recognizable is doing that...
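As an added example (not part of this thread), a C program that reproduces the sequence above with a pipe standing in for the terminal: thread A blocks in read(), the main thread closes that descriptor (thread B's close(0)), then writes to the pipe (the user hitting enter). The write succeeds and read() returns data because the open file is still referenced by the in-progress read; only after read() returns does a second write get EPIPE, showing that the file was released on exit from read(2), not at close(2). Function names and the 100 ms settling delay are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <pthread.h>
#include <signal.h>
#include <string.h>
#include <unistd.h>

struct race_result {
    ssize_t nread;        /* bytes the blocked read() finally returned */
    int first_write;      /* write() result while read() still held the file */
    int second_write;     /* write() result after read() dropped the file */
    int second_errno;     /* errno from that second write (expect EPIPE) */
};

static int g_rfd;         /* descriptor thread A blocks on (stands in for fd 0) */
static ssize_t g_nread;
static char g_buf[16];

static void *reader_thread(void *arg) {
    (void)arg;
    g_nread = read(g_rfd, g_buf, sizeof g_buf); /* "Apr 1": blocks until data arrives */
    return NULL;
}

/* Runs the race and reports what each step observed; returns 0 on setup success. */
int run_close_race(struct race_result *r) {
    int fds[2];
    pthread_t tid;
    memset(r, 0, sizeof *r);
    if (pipe(fds) != 0) return -1;
    g_rfd = fds[0];
    signal(SIGPIPE, SIG_IGN);   /* a write with no reader then yields EPIPE, not a signal */
    if (pthread_create(&tid, NULL, reader_thread, NULL) != 0) return -1;
    usleep(100000);             /* assumption: enough time for thread A to enter read() */
    close(fds[0]);              /* "Apr 2": descriptor gone, file still referenced by read() */
    errno = 0;
    r->first_write = (int)write(fds[1], "x", 1);   /* "May 1": succeeds, wakes the reader */
    pthread_join(tid, NULL);    /* read() returns and gives up the last file reference */
    r->nread = g_nread;
    errno = 0;
    r->second_write = (int)write(fds[1], "y", 1);  /* no reader left now: -1 / EPIPE */
    r->second_errno = errno;
    close(fds[1]);
    return 0;
}
```

From an audit standpoint the record for close(2) arrives well before the file is actually released, which happens at the end of the read(2) call in the other thread.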