Hi Eric,

> I don't think this works at all. I don't see how syscall audit'ing can
> work. What if I have nothing in the AUDIT_FILTER_TASK list but I want
> to audit all 'open(2)' syscalls? This patch is going to leave the task
> in the DISABLED state and we won't ever be able to match on the syscall
> rules.

That's a good point. What if we went through and created an audit context
for each thread at the point where we add a rule to the audit subsystem?
That would make the common case where no one touches audit go fast. It's
only once you add a rule that you get the syscall entry/exit overhead of
audit.
Anton