Hi Paul,

> On 01-06-2026 18:27 CEST Paul Moore <[email protected]> wrote:
>
> On Sun, May 31, 2026 at 10:56 PM NeilBrown <[email protected]> wrote:
> >
> > I don't think this is sufficient.
> > I think (and we should confirm with people who know about auditing) that
> > the audit call should come before the permission check so that there is
> > an audit record on failed attempts. In that case the
> > audit_inode_child() call needs to be much earlier.
>
> As you likely already know, audit_inode_child() exists simply to
> record information about the file/inode access; the audit record is
> generated later (and can be dependent on other things/config). For
> that reason, yes, it's generally a good idea to call
> audit_inode_child() as soon as we have the file/inode information.
> Auditors want to know what the user/system attempted to do, even if
> the operation failed; in some cases the log of the failed operations
> is more useful than the successful ones.

But currently for mkdir(2), mknod(2), and open(2) with O_CREAT, we are calling audit_inode_child() twice: once before the actual creation (mostly in may_create_dentry()), and once afterwards in fsnotify_*(). Is that the desired behavior?

> --
> paul-moore.com

Best,
Jori.
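The ordering argument in the thread, as an added illustration that is not part of the discussion above and not kernel code: a deliberately simplified model of an audit syscall context (struct and function names are constructed for this example) in which name information is collected by a stand-in for audit_inode_child() and the record is only decided at syscall exit. It shows that collecting the name before the permission check yields a record for a denied create, while collecting it afterwards loses it, and that collecting both before and after a successful create leaves two name entries.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MAX_NAMES 8
#define MODEL_EACCES 13   /* constructed stand-in for -EACCES */

/* Simplified model of a per-syscall audit context (constructed, not the
 * kernel's struct): names collected during the call, result at exit. */
struct model_audit_ctx {
    const char *names[MAX_NAMES];
    int nr_names;
    int retval;
    bool record_emitted;
};

/* Stand-in for audit_inode_child(): only records the name, emits nothing. */
static void model_audit_inode_child(struct model_audit_ctx *ctx, const char *name)
{
    if (ctx->nr_names < MAX_NAMES)
        ctx->names[ctx->nr_names++] = name;
}

/* At syscall exit a record is emitted when name information was collected.
 * (The real kernel also consults filter rules and config; omitted here.) */
static void model_audit_syscall_exit(struct model_audit_ctx *ctx, int retval)
{
    ctx->retval = retval;
    ctx->record_emitted = ctx->nr_names > 0;
}

/* Model of a create path (mkdir/mknod/open+O_CREAT). permitted mirrors the
 * permission check result; audit_first selects whether the name is recorded
 * before that check, as NeilBrown suggests, or only on the success path. */
int model_create(struct model_audit_ctx *ctx, const char *name,
                 bool permitted, bool audit_first)
{
    memset(ctx, 0, sizeof(*ctx));
    if (audit_first)
        model_audit_inode_child(ctx, name);   /* early call, before the check */
    if (!permitted) {
        model_audit_syscall_exit(ctx, -MODEL_EACCES);
        return -MODEL_EACCES;                 /* denied: record only if early */
    }
    model_audit_inode_child(ctx, name);       /* the later, post-creation call */
    model_audit_syscall_exit(ctx, 0);
    return 0;
}
```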

