Re: [PATCH] audit: file system auditing based on location and name

From: David Woodhouse
Date: Thu Jul 07 2005 - 13:19:09 EST

Next message: Greg KH: "Re: [PATCH] audit: file system auditing based on location and name"
Previous message: Greg KH: "Re: [PATCH] audit: file system auditing based on location and name"
In reply to: Greg KH: "Re: [PATCH] audit: file system auditing based on location and name"
Next in thread: Greg KH: "Re: [PATCH] audit: file system auditing based on location and name"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 2005-07-07 at 11:10 -0700, Greg KH wrote:
> Yes, and then I change namespaces to put /etc/shadow at
> /foo/baz/etc/shadow and then access it that way? Will the current
> audit system fail to catch that access?

The watch is attached to the inode which you happened to call '/etc' in
your namespace, and takes effect in _any_ namespace regardless of the
path to it.

In the audit trail, you see the path which was used in the audited
process's namespace, and also the filter key which was associated with
that watch when you added it.

--
dwmw2

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Greg KH: "Re: [PATCH] audit: file system auditing based on location and name"
Previous message: Greg KH: "Re: [PATCH] audit: file system auditing based on location and name"
In reply to: Greg KH: "Re: [PATCH] audit: file system auditing based on location and name"
Next in thread: Greg KH: "Re: [PATCH] audit: file system auditing based on location and name"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]