On Fri, Jan 26, 2007 at 05:01:12PM -0600, Timothy R. Chavez wrote:
> > What do you want in the log?  More specifically, _when_ do you want it?
>
> Write out a log when the last reference to the fd is put back... whether
> that's from a close or an munmap.

BTW...  Consider the following:

	threads A and B share descriptor table.  Their stdin is a terminal.
	Apr 1: thread A calls read(0, buf, 512);
	Apr 2: thread B does close(0);
	May 1: user hits enter

After Apr 2 we'll have descriptor 0 closed.  Thread A is still sitting in
read() and it couldn't care less about descriptors.  The file is still
opened, even though all descriptors are gone.

On May 1 read() in thread A finally completes.  Upon exit from read() we
give up a reference to file, so it finally gets closed.

IOW, you'll get "it's been closed by read(2)" in logs.  The same may apply
to any system call doing file IO.  So userland would better not assume that
something recognizable is doing that...

--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
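The scenario in the message above, as an added example that is not part of the original e-mail: a pipe stands in for the terminal, Linux is assumed, and all function and variable names are hypothetical. The blocked read() still returns the data although its descriptor was closed a second earlier, so the final release of the file happens on the way out of read(), not in close().

```c
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

static int rfd;            /* read end of the pipe; stands in for descriptor 0 */
static char buf[512];
static ssize_t nread;

/* Thread A: blocks in read() until data arrives. */
static void *thread_a(void *unused)
{
    (void)unused;
    nread = read(rfd, buf, sizeof buf);
    return NULL;
}

/* Returns 1 if read() completed after its descriptor was closed,
 * 0 if not, -1 on setup failure. */
int read_outlives_descriptor(void)
{
    int p[2];
    pthread_t a;
    static const char line[] = "enter\n";    /* constructed sample input */
    size_t len = sizeof line - 1;

    if (pipe(p) != 0)
        return -1;
    rfd = p[0];
    nread = -1;
    if (pthread_create(&a, NULL, thread_a, NULL) != 0)
        return -1;
    sleep(1);                                /* "Apr 1": let A block in read() */

    close(rfd);                              /* "Apr 2": thread B closes it */
    int gone = fcntl(rfd, F_GETFD) == -1 && errno == EBADF;

    if (write(p[1], line, len) != (ssize_t)len)   /* "May 1": input arrives */
        gone = 0;
    pthread_join(a, NULL);   /* read() has returned and given up its file reference */
    close(p[1]);
    return gone && nread == (ssize_t)len && memcmp(buf, line, len) == 0;
}

int main(void)
{
    printf("read completed after close: %d\n", read_outlives_descriptor());
    return 0;
}
```

Build with `cc -pthread`. The write succeeding without EPIPE is itself evidence that the pipe's read side was still open after close() returned.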
