• Richard Guy Briggs's avatar
    audit: clean simple fsnotify implementation · 7f492942
    Richard Guy Briggs authored
    This is to be used to audit by executable path rules, but audit watches should
    be able to share this code eventually.
    
    At the moment the audit watch code is a lot more complex.  That code only
    creates one fsnotify watch per parent directory.  That 'audit_parent' in
    turn has a list of 'audit_watches' which contain the name, ino, dev of
    the specific object we care about.  This just creates one fsnotify watch
    per object we care about.  So if you watch 100 inodes in /etc this code
    will create 100 fsnotify watches on /etc.  The audit_watch code will
    instead create 1 fsnotify watch on /etc (the audit_parent) and then 100
    individual watches chained from that fsnotify mark.
    
    We should be able to convert the audit_watch code to do one fsnotify
    mark per watch and simplify things/remove a whole lot of code.  After
    that conversion we should be able to convert the audit_fsnotify code to
    support that hierarchy if the optimization is necessary.
    
    Move the access to the entry for audit_match_signal() to the beginning of
    the audit_del_rule() function in case the entry found is the same one passed
    in.  This will enable it to be used by audit_autoremove_mark_rule(),
    kill_rules() and audit_remove_parent_watches().
    
    This is a heavily modified and merged version of two patches originally
    submitted by Eric Paris.
    
    Cc: Peter Moody <peter@hda3.com>
    Cc: Eric Paris <eparis@redhat.com>
    Signed-off-by: default avatarRichard Guy Briggs <rgb@redhat.com>
    [PM: added a space after a declaration to keep ./scripts/checkpatch happy]
    Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
    7f492942
audit_fsnotify.c 6.07 KB