On Mon, 17 Jan 2005 11:10:29 -0800 (PST), Casey Schaufler
<casey(a)schaufler-ca.com> wrote:
> --- "Timothy R. Chavez" <chavezt(a)gmail.com> wrote:
> > ... Better to do this filtering in userspace via a daemon than
> > in the kernel. We should keep the in-kernel audit subsystem as
> > small and efficient as possible. Anything that can be delegated
> > to userspace should be delegated to userspace.
>
> For this scheme to work the kernel has to
> generate all possible records and pass them
> on for filtering. This is much less efficient
> than having the kernel filter records that
> are known to be uninteresting. Filtering
> must be done at a place where sufficient
> information is available to make the choice,
> and that means it must be done in the kernel
> or that all possible filtering criteria must
> be passed on.

Right, and such filtering already exists in the kernel and is mostly,
if not completely, sufficient to meet this goal. What I was getting
at is that there may be a desire to do additional filtering that goes
above and beyond what the kernel is capable of doing. Thus, this is
one reason why the audit daemon, and not the kernel, should be used to
write out to the actual log file.
<snip>
> =====
> Casey Schaufler
> casey(a)schaufler-ca.com
--
- Timothy R. Chavez