    [PATCH] Collect more inode information during syscall processing. · 73241ccc
    Amy Griffis authored
    This patch augments the collection of inode info during syscall
    processing. It represents part of the functionality that was provided
    by the auditfs patch included in RHEL4.
    
    Specifically, it:
    
    - Collects information for target inodes created or removed during
      syscalls.  Previous code only collects information for the target
      inode's parent.
    
    - Adds the audit_inode() hook to syscalls that operate on a file
      descriptor (e.g. fchown), enabling audit to do inode filtering for
      these calls.
    
    - Modifies filtering code to check audit context for either an inode #
      or a parent inode # matching a given rule.
    
    - Modifies logging to provide inode # for both parent and child.
    
    - Protect debug info from NULL audit_names.name.
    
    [AV: folded a later typo fix from the same author]
    Signed-off-by: Amy Griffis <amy.griffis@hp.com>
    Signed-off-by: David Woodhouse <dwmw2@infradead.org>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
audit.h 13.6 KB