Re: [RFC PATCH v6 5/9] vfs: lookup_open(): move audit_inode_child() and i_op->create check to before try_break_deleg()

From: Jori Koolstra

Date: Sun Jun 14 2026 - 14:36:24 EST


Hi Paul,

> Op 01-06-2026 18:27 CEST schreef Paul Moore <paul@xxxxxxxxxxxxxx>:
>
>
> On Sun, May 31, 2026 at 10:56 PM NeilBrown <neilb@xxxxxxxxxxx> wrote:
> >
> > I don't think this is sufficient.
> > I think (and we should confirm with people who know about auditing) that
> > the audit call should come before the permission check so that there is
> > an audit record on failed attempts. In that case the
> > audit_inode_child() call needs to be much earlier.
>
> As you likely already know, audit_inode_child() exists simply to
> record information about the file/inode access, the audit record is
> generated later (and can be dependent on other things/config). For
> that reason, yes, it's generally a good idea to call
> audit_inode_child() as soon as we have the file/inode information.
> Auditors want to know what the user/system attempted to do, even if
> the operation failed; in some cases the logs of the failed operations
> are more useful than the successful ones.
>

But currently for mkdir(2), mknod(2), open(2) with O_CREAT, we are calling
audit_inode_child() twice. Once before actual creation (mostly in
may_create_dentry()), and once afterwards in fsnotify_*(). Is that the
desired behavior?

>
> --
> paul-moore.com

Best,
Jori.
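The ordering argument in the thread (record the child inode before the permission check so that a denied create still leaves an audit record, and the second recording from fsnotify_*() on the success path that Jori asks about) as a small toy model. This is an added example, not code from the patch series, the kernel, or any participant in the thread: the function and struct names mirror the kernel's, but their bodies, the `log_failures` knob and the `run_create()` driver are assumptions made only to show the two orderings side by side.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy model, not kernel code: an audit context that collects child-inode
 * information while a syscall runs and emits at most one record at exit. */
#define MAX_NAMES 8

struct audit_ctx {
    const char *names[MAX_NAMES];   /* what audit_inode_child() collected */
    int nnames;                     /* how many times it was called */
    int records_emitted;
};

struct inode {
    bool writable_by_caller;        /* stands in for the permission check */
    bool has_create_op;             /* models i_op->create != NULL */
};

/* Model of audit_inode_child(): record now, emit nothing. */
static void audit_inode_child(struct audit_ctx *ctx, const struct inode *dir,
                              const char *child)
{
    (void)dir;
    if (ctx->nnames < MAX_NAMES)
        ctx->names[ctx->nnames] = child;
    ctx->nnames++;
}

static int may_create(const struct inode *dir)
{
    return dir->writable_by_caller ? 0 : -EACCES;
}

/* Delegation break always succeeds in this model (assumption). */
static int try_break_deleg(const struct inode *dir) { (void)dir; return 0; }

/* Creation path shared by both orderings. The audit call here stands in
 * for the one the thread says fsnotify_*() makes after creation. */
static int do_create(struct audit_ctx *ctx, const struct inode *dir,
                     const char *child)
{
    int err = try_break_deleg(dir);
    if (err)
        return err;
    audit_inode_child(ctx, dir, child);    /* fsnotify_create() -> audit */
    return 0;
}

/* Ordering A (argued for in the thread): audit and the i_op->create check
 * come before the permission check, so a denied attempt is still recorded. */
static int lookup_open_audit_first(struct audit_ctx *ctx, const struct inode *dir,
                                   const char *child)
{
    int err;
    audit_inode_child(ctx, dir, child);
    if (!dir->has_create_op)
        return -EACCES;
    err = may_create(dir);
    if (err)
        return err;
    return do_create(ctx, dir, child);
}

/* Ordering B: audit only once the permission check has passed. */
static int lookup_open_audit_late(struct audit_ctx *ctx, const struct inode *dir,
                                  const char *child)
{
    int err = may_create(dir);
    if (err)
        return err;
    if (!dir->has_create_op)
        return -EACCES;
    audit_inode_child(ctx, dir, child);
    return do_create(ctx, dir, child);
}

/* Model of syscall exit: emit a record if anything was collected. Whether
 * failed syscalls are logged is a configuration knob here (assumption). */
static int audit_syscall_exit(struct audit_ctx *ctx, int retval, bool log_failures)
{
    if (ctx->nnames == 0 || (retval < 0 && !log_failures))
        return 0;
    ctx->records_emitted++;
    return 1;
}

/* Run one O_CREAT-style attempt. Returns the number of audit records
 * emitted; *calls receives how many times audit_inode_child() ran. */
static int run_create(bool audit_first, bool dir_writable, bool log_failures,
                      int *calls)
{
    struct audit_ctx ctx;
    struct inode dir = { dir_writable, true };
    int ret;

    memset(&ctx, 0, sizeof(ctx));
    ret = audit_first ? lookup_open_audit_first(&ctx, &dir, "newfile")
                      : lookup_open_audit_late(&ctx, &dir, "newfile");
    audit_syscall_exit(&ctx, ret, log_failures);
    if (calls)
        *calls = ctx.nnames;
    return ctx.records_emitted;
}

int main(void)
{
    int calls, records;
    records = run_create(true, false, true, &calls);
    printf("denied create, audit first:  records=%d audit calls=%d\n", records, calls);
    records = run_create(false, false, true, &calls);
    printf("denied create, audit late:   records=%d audit calls=%d\n", records, calls);
    records = run_create(true, true, true, &calls);
    printf("allowed create, audit first: records=%d audit calls=%d\n", records, calls);
    return 0;
}
```

With the audit call moved ahead of the permission check, the denied attempt still produces a record; with it after, nothing is collected and nothing is emitted. The successful path records the child twice in this model, which is the double call Jori points out; whether that is harmless in the real kernel is left open here, as it is in the thread.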