From: Steve Grubb <sgrubb@redhat.com>
To: Greg KH <greg@kroah.com>
Cc: "Timothy R. Chavez" <tinytim@us.ibm.com>,
Andrew Morton <akpm@osdl.org>,
linux-audit@redhat.com, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org,
David Woodhouse <dwmw2@infradead.org>,
Mounir Bsaibes <mbsaibes@us.ibm.com>,
Serge Hallyn <serue@us.ibm.com>,
Alexander Viro <viro@parcelfarce.linux.theplanet.co.uk>,
Klaus Weidner <klaus@atsec.com>, Chris Wright <chrisw@osdl.org>,
Stephen Smalley <sds@tycho.nsa.gov>, Robert Love <rml@novell.com>,
Christoph Hellwig <hch@infradead.org>,
Daniel H Jones <danjones@us.ibm.com>,
Amy Griffis <amy.griffis@hp.com>,
Maneesh Soni <maneesh@in.ibm.com>
Subject: Re: [PATCH] audit: file system auditing based on location and name
Date: Thu, 7 Jul 2005 15:48:37 -0400 [thread overview]
Message-ID: <200507071548.37996.sgrubb@redhat.com> (raw)
In-Reply-To: <20050707190455.GA19570@kroah.com>
On Thursday 07 July 2005 15:04, Greg KH wrote:
> You are adding auditfs, a new userspace access, right?
Not sure what you mean. This is using the same netlink interface that all the
rest of the audit system is using for command and control. Nothing has
changed here. What is different is the message I send into the kernel. The
audit system dispatches it into Tim's code which in turn sets up the watch.
The notification that the event has occurred uses the same interface that all
other audit events use. Its just a different message type. It is filtered by
some attributes and if it is still of interest, the event is placed in the
queue so it is serialized with all other events.
> His email provided no documentation that I could see. Am I just missing
> something?
The auditfs code is programmed by filling out the watch_transport structure
and sending a AUDIT_WATCH_INS message type. The perms, pathlen, & keylen are
all that's filled out. The path & key are stored back to back in the payload
section. To delete, you do the same thing and send AUDIT_WATCH_REM message.
Yes, this should be added to the documentation.
> > > So the userspace package in FC4 will not use auditfs?
> >
> > Right. You get a few warnings due to missing functionality. If the kernel
> > were patched with Tim's code, it all works as expected. We have worked
> > out the user space access and that shouldn't be changing.
>
> Then what use is auditfs for if you don't need it?
But we do. You cannot audit files who's inode may change using the current
syscall techniques. I put the code into FC4 hoping that one day we will have
a kernel that supports it.
The current audit system code lets you audit by syscall, which means you can
audit open or write, but then you get it for all processes that open or
write. Or you could limit it with a pid, but that's impossible since you
would have to predict the future pid when putting the audit rule in.
Tim's code lets you say I want change notification to this file only. The
notification follows the audit format with all relavant pieces of information
gathered at the time of the event and serialized with all other events.
> Am I correct in thinking that you all need to split this patch into two
> pieces, the new inode stuff, and auditfs, as neither one has anything to
> do with the other?
It could be split to make it easier to read, but one's useless without the
other.
-Steve
next prev parent reply other threads:[~2005-07-07 19:48 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-07-06 16:54 [PATCH] audit: file system auditing based on location and name Timothy R. Chavez
2005-07-06 17:17 ` Greg KH
2005-07-06 20:23 ` Timothy R. Chavez
2005-07-06 23:50 ` Greg KH
2005-07-07 1:33 ` Steve Grubb
2005-07-07 18:15 ` Greg KH
2005-07-07 18:49 ` Steve Grubb
2005-07-07 19:04 ` Greg KH
2005-07-07 19:48 ` Steve Grubb [this message]
2005-07-07 21:31 ` Arjan van de Ven
2005-07-07 22:08 ` Timothy R. Chavez
2005-07-07 22:51 ` serue
2005-07-08 5:33 ` Arjan van de Ven
2005-07-08 5:48 ` James Morris
2005-07-08 17:48 ` Greg KH
2005-07-07 16:26 ` Timothy R. Chavez
2005-07-07 18:10 ` Greg KH
2005-07-07 18:16 ` David Woodhouse
2005-07-07 18:18 ` Greg KH
2005-07-07 19:49 ` Timothy R. Chavez
2005-07-08 17:46 ` Greg KH
2005-07-08 19:48 ` Timothy R. Chavez
2005-07-10 18:59 ` Greg KH
[not found] ` <OF993CB74B.E135A576-ON8725703B.00568CD6-0525703B.005814C3@us.ibm.com>
2005-07-11 17:13 ` Greg KH
2005-07-09 1:10 ` Chris Wright
2005-07-09 2:10 ` Timothy R. Chavez
2005-07-07 6:40 ` Arjan van de Ven
2005-07-07 6:50 ` David Woodhouse
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200507071548.37996.sgrubb@redhat.com \
--to=sgrubb@redhat.com \
--cc=akpm@osdl.org \
--cc=amy.griffis@hp.com \
--cc=chrisw@osdl.org \
--cc=danjones@us.ibm.com \
--cc=dwmw2@infradead.org \
--cc=greg@kroah.com \
--cc=hch@infradead.org \
--cc=klaus@atsec.com \
--cc=linux-audit@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=maneesh@in.ibm.com \
--cc=mbsaibes@us.ibm.com \
--cc=rml@novell.com \
--cc=sds@tycho.nsa.gov \
--cc=serue@us.ibm.com \
--cc=tinytim@us.ibm.com \
--cc=viro@parcelfarce.linux.theplanet.co.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).