Re: Changes to LSM phase 1 for audit.

From: David Wagner (dawat_private)
Date: Fri Jul 20 2001 - 19:07:35 PDT

    richard offer  wrote:
    >The rationale for using the fd in the audit record rather than the pathname
    >or any arbitrary number is that fd is the object handle that is being acted
    >on. read() is not acting on a pathname, it acts on a fd. 
    
    That sounds awfully philosophical to me, and I prefer the concrete.
    Could you help me understand in more concrete terms why the fd is the
    right thing to audit?  I could just as equally argue that the read()
    is not acting on a fd, it is acting on an inode, and thus you should
    log inode identifiers, not fds.  (I might even note that this would
    additionally solve the problem of auditing events on files that have
    since been unlinked in a natural way.)
    
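The fd-versus-inode distinction argued in this message, as an added user-space C example (not code from the thread or from the LSM patch): it records both the fd number and the (device, inode) pair for two accesses, the first to a file that has already been unlinked. The names `obj_id`, `identify` and `fd_vs_inode_demo` and the `/tmp` paths are constructed for illustration, and `fstat()` stands in for whatever a kernel hook would read from the inode.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* What an audit record could carry for one access: the fd and the inode id. */
struct obj_id { int fd; dev_t dev; ino_t ino; nlink_t nlink; };

static int identify(int fd, struct obj_id *out) {
    struct stat st;
    if (fstat(fd, &st) != 0) return -1;
    out->fd = fd; out->dev = st.st_dev;
    out->ino = st.st_ino; out->nlink = st.st_nlink;
    return 0;
}

/* Fills two records taken at different times; *path_gone becomes 1 when the
 * first file's pathname no longer resolves. Returns 0 on success. */
int fd_vs_inode_demo(struct obj_id *first, struct obj_id *second, int *path_gone) {
    char a[] = "/tmp/audit_demo_a_XXXXXX";   /* constructed sample paths */
    char b[] = "/tmp/audit_demo_b_XXXXXX";
    struct stat st;
    int rc = -1, fd;

    /* b stays linked for the whole run, so its inode cannot be recycled for a. */
    if ((fd = mkstemp(b)) < 0) return -1;
    close(fd);
    /* First access: a file that is unlinked while still open. */
    if ((fd = mkstemp(a)) < 0) goto out;
    if (unlink(a) != 0 || identify(fd, first) != 0) { close(fd); goto out; }
    *path_gone = (stat(a, &st) != 0);
    close(fd);
    /* Second access: the kernel hands out the same fd number for another file. */
    if ((fd = open(b, O_RDONLY)) < 0) goto out;
    rc = identify(fd, second);
    close(fd);
out:
    unlink(b);
    return rc;
}

int main(void) {
    struct obj_id x, y; int gone = 0;
    if (fd_vs_inode_demo(&x, &y, &gone) != 0) { perror("demo"); return 1; }
    printf("fd=%d ino=%lu nlink=%lu path_gone=%d\n", x.fd,
           (unsigned long)x.ino, (unsigned long)x.nlink, gone);
    printf("fd=%d ino=%lu nlink=%lu\n", y.fd,
           (unsigned long)y.ino, (unsigned long)y.nlink);
    return 0;
}
```

Both records carry the same fd number but different inode numbers, and the first file has a link count of zero and no resolvable pathname while its inode id is still readable.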
    



    This archive was generated by hypermail 2b30 : Fri Jul 20 2001 - 19:40:23 PDT