Steve Grubb wrote:
> The rule matcher only uses the information readily at hand during a syscall.

Ah, the rule matcher does not solve f_path.dentry->d_inode->i_mode etc. from the FD argument. Then, I see that it is impossible.

> -a exit,always -w /dev/watchdog -p wa -k watchdog
>
> It will detect the opening with write permissions, but not the individual
> writes.

What I wanted to do is to record the timestamp of the individual writes, for what I want to do is to determine whether the watchdog NMI is raised by error or by timeout. To determine it, I need to know when the last write syscall on /dev/watchdog was.

> If you have to watch writes and you know with some certainty which descriptor
> the program always uses and which selinux type it uses (assuming hpwdt_t
> below), you might be able to do something like:
>
> -a exit,always -F arch=b64 -S write -F a0=4 -F subj_type=hpwdt_t
>
> If you know the buffer size used in the program, you might add -F a2=X where
> X is the buffer size to help identify writes to the correct descriptor if the
> descriptor gets reused.

Yes, I'll try a0= and a2= conditions. Thank you.

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
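The rule suggested in the thread records one SYSCALL event per matching write(); recovering "when was the last write to /dev/watchdog" then means parsing those raw audit records and keeping the newest one that satisfies the same filters the rule used. The script below is an added example, not code from the thread or from the audit project: it parses raw audit.log lines, applies the a0 (descriptor), subj_type and optional a2 (buffer length) filters from the message above, and returns the timestamp of the most recent matching write so it can be compared with the time of the NMI. The log lines are constructed for the example, and the descriptor 4 and SELinux type hpwdt_t are the assumptions Steve made; the syscall number 1 for write() is the x86_64 value and is assumed because the rule used arch=b64 (raw audit.log stores syscall numbers and hex arguments, which is why a0/a2 are decoded as hex).

```python
import re

# Constructed raw audit.log excerpt (not captured from a real host). Record 201 is the open()
# caught by the "-w /dev/watchdog -p wa" rule; 202 and 203 are the write() keepalives on fd 4
# matched by the write rule; 204 is a write() on a different descriptor that must be ignored.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.100:201): arch=c000003e syscall=2 success=yes exit=4 a0=7ffd1c0 a1=1 a2=0 a3=0 items=1 ppid=1 pid=812 auid=4294967295 uid=0 gid=0 comm="watchdog" exe="/usr/sbin/watchdog" subj=system_u:system_r:hpwdt_t:s0 key="watchdog"
type=PATH msg=audit(1700000000.100:201): item=0 name="/dev/watchdog" inode=1034 dev=00:06 mode=020600 ouid=0 ogid=0 rdev=0a:82 obj=system_u:object_r:watchdog_device_t:s0 nametype=NORMAL
type=SYSCALL msg=audit(1700000010.250:202): arch=c000003e syscall=1 success=yes exit=1 a0=4 a1=7ffd1c8 a2=1 a3=0 items=0 ppid=1 pid=812 auid=4294967295 uid=0 gid=0 comm="watchdog" exe="/usr/sbin/watchdog" subj=system_u:system_r:hpwdt_t:s0 key=(null)
type=SYSCALL msg=audit(1700000020.300:203): arch=c000003e syscall=1 success=yes exit=1 a0=4 a1=7ffd1c8 a2=1 a3=0 items=0 ppid=1 pid=812 auid=4294967295 uid=0 gid=0 comm="watchdog" exe="/usr/sbin/watchdog" subj=system_u:system_r:hpwdt_t:s0 key=(null)
type=SYSCALL msg=audit(1700000025.900:204): arch=c000003e syscall=1 success=yes exit=64 a0=3 a1=7ffd2a0 a2=40 a3=0 items=0 ppid=1 pid=812 auid=4294967295 uid=0 gid=0 comm="watchdog" exe="/usr/sbin/watchdog" subj=system_u:system_r:hpwdt_t:s0 key=(null)
"""

ARCH_X86_64 = "c000003e"   # value audit writes for arch=b64 on x86_64
WRITE_SYSCALL_X86_64 = "1"  # assumption: syscall number of write() on x86_64

# msg=audit(SECONDS.MILLIS:SERIAL) header and generic key=value fields
MSG_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')


def parse_record(line):
    """Split one raw audit record into a dict of field -> value.

    Adds 'ts' (epoch seconds as float) and 'serial' taken from the msg=audit(...) header.
    Returns None for lines that are not audit records."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {key: val.strip('"') for key, val in KV_RE.findall(line)}
    fields["ts"] = float(f"{m.group(1)}.{m.group(2)}")
    fields["serial"] = int(m.group(3))
    return fields


def subj_type(subj):
    """Return the type component of an SELinux context user:role:type:level."""
    parts = subj.split(":")
    return parts[2] if len(parts) >= 3 else ""


def last_watchdog_write(log_text, fd=4, stype="hpwdt_t", buf_len=None):
    """Return (epoch_ts, serial) of the newest successful write() on descriptor `fd`
    made by a process whose SELinux type is `stype`, or None if there is none.

    This applies the same filters as the rule
        -a exit,always -F arch=b64 -S write -F a0=4 -F subj_type=hpwdt_t
    and, when `buf_len` is given, the optional '-F a2=X' equality filter."""
    newest = None
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec or rec.get("type") != "SYSCALL":
            continue
        if rec.get("arch") != ARCH_X86_64 or rec.get("syscall") != WRITE_SYSCALL_X86_64:
            continue
        if rec.get("success") != "yes":
            continue
        if int(rec.get("a0", "0"), 16) != fd:          # a0 is the descriptor, logged in hex
            continue
        if subj_type(rec.get("subj", "")) != stype:
            continue
        if buf_len is not None and int(rec.get("a2", "0"), 16) != buf_len:  # a2 is the count
            continue
        if newest is None or rec["ts"] > newest[0]:
            newest = (rec["ts"], rec["serial"])
    return newest


def seconds_since_last_write(log_text, nmi_ts, **filters):
    """Seconds between the last recorded keepalive write and the NMI timestamp: a gap
    close to the watchdog timeout points at a missed keepalive, a short gap at another cause."""
    last = last_watchdog_write(log_text, **filters)
    return None if last is None else nmi_ts - last[0]


if __name__ == "__main__":
    print("last write on fd 4:", last_watchdog_write(SAMPLE_LOG))
    print("gap to a constructed NMI at 1700000050.0:",
          seconds_since_last_write(SAMPLE_LOG, 1700000050.0))
```

On a live system the same records can be pulled with `ausearch -k watchdog` for the open and with `ausearch -sc write` for the write rule, then fed to `last_watchdog_write` unchanged; if the daemon reuses descriptor numbers, passing `buf_len` (the `-F a2=X` idea from the thread) narrows the match the same way the rule would.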
