On Fri, 26 Jan 2007 18:29:10 -0500 Alexander Viro <[EMAIL PROTECTED]> wrote:
> On Fri, Jan 26, 2007 at 05:01:12PM -0600, Timothy R. Chavez wrote:
> > > What do you want in the log? More specifically, _when_ do you want it?
> >
> > Write out a log when the last reference to the fd is put back... whether
> > that's from a close or an munmap.
>
> BTW... Consider the following: threads A and B share descriptor table.
> Their stdin is a terminal.
>     Apr 1: thread A calls read(0, buf, 512);
>     Apr 2: thread B does close(0);
>     May 1: user hits enter
>
> After Apr 2 we'll have descriptor 0 closed. Thread A is still sitting in
> read() and it couldn't care less about descriptors. The file is still
> opened, even though all descriptors are gone.
>
> On May 1 read() in thread A finally completes. Upon exit from read()
> we give up a reference to file, so it finally gets closed.
>
> IOW, you'll get "it's been closed by read(2)" in logs. The same
> may apply to any system call doing file IO. So userland would better
> not assume that something recognizable is doing that...

That seems perfectly reasonable to me.

-tim

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
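The scenario from the quoted message, as an added example that is not part of the original thread: a pipe stands in for the terminal, and the names `struct demo`, `reader` and `run_demo` are made up here. It assumes Linux, where a blocked read() holds its own reference to the open file, so the file outlives its last descriptor and is released only when read() returns.

```c
/* Added example; assumes Linux. A pipe stands in for the terminal. */
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <pthread.h>
#include <string.h>
#include <unistd.h>
struct demo {
    int rfd;        /* read end of the pipe: the only descriptor for it */
    char buf[16];
    ssize_t nread;  /* what thread A's read() finally returned */
    int fd_gone;    /* 1 if rfd was already invalid before data arrived */
};

/* Thread A: blocks in read() until "the user hits enter". */
static void *reader(void *arg)
{
    struct demo *d = arg;
    d->nread = read(d->rfd, d->buf, sizeof(d->buf));
    return NULL;
}

/* Returns 0 on success and fills *d, -1 on failure. */
int run_demo(struct demo *d)
{
    int p[2];
    pthread_t a;
    memset(d, 0, sizeof(*d));
    if (pipe(p) < 0)
        return -1;
    d->rfd = p[0];
    if (pthread_create(&a, NULL, reader, d) != 0)
        return -1;
    poll(NULL, 0, 200);     /* crude 200 ms wait so thread A is inside read() */
    close(p[0]);            /* thread B's role: the descriptor is gone */
    d->fd_gone = (fcntl(p[0], F_GETFD) < 0 && errno == EBADF);
    /* The open file is still alive (no EPIPE): the blocked read() holds it. */
    if (write(p[1], "enter\n", 6) != 6)
        return -1;
    pthread_join(a, NULL);  /* read() has returned and dropped the last reference */
    close(p[1]);
    return 0;
}

int main(void)
{
    struct demo d;
    return (run_demo(&d) == 0 && d.fd_gone && d.nread == 6) ? 0 : 1;
}
```

Build with `cc -pthread`. For an audit record emitted at final release, the task context at that moment is thread A returning from read(), not the thread that called close().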
