From mboxrd@z Thu Jan 1 00:00:00 1970
From: David Woodhouse
Subject: Re: [PATCH] audit: file system auditing based on location and name
Date: Thu, 07 Jul 2005 19:16:35 +0100
Message-ID: <1120760195.8058.223.camel@baythorne.infradead.org>
References: <1120668881.8328.1.camel@localhost>
 <200507061523.11468.tinytim@us.ibm.com>
 <20050706235008.GA9985@kroah.com>
 <200507071126.52375.tinytim@us.ibm.com>
 <20050707181055.GA21072@kroah.com>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Cc: "Timothy R. Chavez", Andrew Morton, linux-audit@redhat.com,
 linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
 Mounir Bsaibes, Steve Grubb, Serge Hallyn, Alexander Viro,
 Klaus Weidner, Chris Wright, Stephen Smalley, Robert Love,
 Christoph Hellwig, Daniel H Jones, Amy Griffis, Maneesh Soni
Return-path:
Received: from baythorne.infradead.org ([81.187.226.107]:60881 "EHLO baythorne.infradead.org")
 by vger.kernel.org with ESMTP id S261542AbVGGSQr (ORCPT );
 Thu, 7 Jul 2005 14:16:47 -0400
To: Greg KH
In-Reply-To: <20050707181055.GA21072@kroah.com>
Sender: linux-fsdevel-owner@vger.kernel.org
List-Id: linux-fsdevel.vger.kernel.org

On Thu, 2005-07-07 at 11:10 -0700, Greg KH wrote:
> Yes, and then I change namespaces to put /etc/shadow at
> /foo/baz/etc/shadow and then access it that way? Will the current
> audit system fail to catch that access?

The watch is attached to the inode which you happened to call '/etc' in
your namespace, and takes effect in _any_ namespace regardless of the
path to it. In the audit trail, you see the path which was used in the
audited process's namespace, and also the filter key which was
associated with that watch when you added it.

-- 
dwmw2
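
The behaviour described in the reply above, as an added user-space illustration that is not part of the original message and not code from the patch: a watch keyed on the directory's inode identity plus the entry name still matches when the file is reached by a different path, and the record carries the path as used together with the filter key. `WatchTable`, `add_watch`, `check_access` and the key `shadow-watch` are hypothetical names, and keying on the parent directory inode plus name is an assumption drawn from the subject line and the reply.

```python
import os
import tempfile


class WatchTable:
    """Hypothetical model: watches keyed by directory inode identity plus entry name."""

    def __init__(self):
        self._watches = {}

    @staticmethod
    def _ident(path):
        # os.stat() resolves the parent to (st_dev, st_ino); the path string is discarded.
        parent, name = os.path.split(os.path.abspath(path))
        st = os.stat(parent)
        return (st.st_dev, st.st_ino, name)

    def add_watch(self, path, filterkey):
        self._watches[self._ident(path)] = filterkey

    def check_access(self, path):
        """Return an audit record (path as used, filter key), or None if unwatched."""
        key = self._watches.get(self._ident(path))
        return None if key is None else {"path": path, "filterkey": key}


def demo():
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.mkdir(etc)
        open(os.path.join(etc, "shadow"), "w").close()
        # Constructed second route to the same directory inode. A symlink stands in
        # for the bind mount a private namespace would use, which needs privileges.
        os.makedirs(os.path.join(root, "foo", "baz"))
        alt_etc = os.path.join(root, "foo", "baz", "etc")
        os.symlink(etc, alt_etc)

        table = WatchTable()
        table.add_watch(os.path.join(etc, "shadow"), "shadow-watch")
        direct = table.check_access(os.path.join(etc, "shadow"))
        moved = table.check_access(os.path.join(alt_etc, "shadow"))
        other = table.check_access(os.path.join(etc, "passwd"))
        return direct, moved, other


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Both lookups of `shadow` return the same filter key while reporting different paths, which is what lets an analyst correlate records from processes that see the file at different locations.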