Re: best way to audit in vfs
On Tue, 2004-12-14 at 16:22, Stephen Smalley wrote:
Yes, but why can't you make the full determination in your hook
function? At the point of the hook function, you know:
- the current process information,
- the object information,
- the call site.
It is possible that you have some complex audit configuration in mind
that requires tying together information from multiple hooks in order to
determine whether or not to audit the operation, but I'm not sure
whether that is necessary.
On the other hand, it may be that by simply saving the object identity
information on a list in the current audit_context and deferring
determination to the syscall exit code, you can reduce the number of
audit hooks within the VFS, e.g. just hook permission(9) rather than the
individual vfs_* functions.
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency