summaryrefslogtreecommitdiffstats
path: root/init
diff options
context:
space:
mode:
authorAmy Griffis <amy.griffis@hp.com>2006-04-07 22:55:56 +0200
committerAl Viro <viro@zeniv.linux.org.uk>2006-06-20 11:25:27 +0200
commitf368c07d7214a7c41dfceb76c8db473b850f0229 (patch)
treee3f1e2d1a6ffbe61bf99ece51b906654728db4c9 /init
parent[PATCH] Audit of POSIX Message Queue Syscalls v.2 (diff)
downloadlinux-f368c07d7214a7c41dfceb76c8db473b850f0229.tar.xz
linux-f368c07d7214a7c41dfceb76c8db473b850f0229.zip
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent directories of paths specified in audit rules. When audit's inotify event handler is called, it updates any affected rules based on the filesystem event. If the parent directory is renamed, removed, or its filesystem is unmounted, audit removes all rules referencing that inotify watch. To keep things simple, this implementation limits location-based auditing to the directory entries in an existing directory. Given a path-based rule for /foo/bar/passwd, the following table applies: passwd modified -- audit event logged passwd replaced -- audit event logged, rules list updated bar renamed -- rule removed foo renamed -- untracked, meaning that the rule now applies to the new location Audit users typically want to have many rules referencing filesystem objects, which can significantly impact filtering performance. This patch also adds an inode-number-based rule hash to mitigate this situation. The patch is relative to the audit git tree: http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary and uses the inotify kernel API: http://lkml.org/lkml/2006/6/1/145 Signed-off-by: Amy Griffis <amy.griffis@hp.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'init')
-rw-r--r--init/Kconfig3
1 files changed, 2 insertions, 1 deletions
diff --git a/init/Kconfig b/init/Kconfig
index 3b36a1d53656..c4d0fa655d5d 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -182,7 +182,8 @@ config AUDITSYSCALL
help
Enable low-overhead system-call auditing infrastructure that
can be used independently or with another kernel subsystem,
- such as SELinux.
+ such as SELinux. To use audit's filesystem watch feature, please
+ ensure that INOTIFY is configured.
config IKCONFIG
bool "Kernel .config support"