audit trim and audit make_equiv

audit trim and audit make_equiv

[Richard Guy Briggs]

Hi Al,

I'm trying to trigger records for all the instances of
AUDIT_CONFIG_CHANGE, but I'm having trouble with a few.

AUDIT_TRIM ("auditctl -t": Trim the subtrees after a mount command.):

My reading is that should trigger at least one message (which it does)
and potentially more depending on existing tree watches and mounts via
audit_trim_trees().  I've not been able to trigger any additional ones.
What I've tried to do to trigger additional ones is to mount a
filesystem, create a subdirectory within it, set a watch on that
subdirectory, unmount the filesystem and then run a trim command.  I've
also tried the other way around, which I didn't expect to work, creating
a subdirectory, set a watch on that subdirectory, mount a filesystem on
its parent, then run a trim command.


AUDIT_MAKE_EQUIV ("auditctl -q mount-point,subtree": Make subtree
equivalent under mount point.):

The way I read this code is it should trigger at least one message
(which it does) and potentially more depending on failures of
iterate_mounts() in audit_tag_tree().  I don't know how to trigger the
latter.  Are you able to prescribe a recipe to do so?


Any insights?  Thanks!


- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635