On Tue, 2004-12-14 at 15:42 -0600, Serge E. Hallyn wrote:
> No, I think we all agree that anything much more complicated should be done
> in userspace. The only real reason to care about doing some in kernel space,
> I think, is to minimize wasted kernel->auditd traffic.

Caveat: I don't recommend asking userspace to grab the full path name
from inode information supplied by the kernel, as has been suggested in
the past. Although this shifts the burden of processing in the right
direction (i.e., to user-space), by the time the inode info gets there,
the file might have already gone.
UID/GID -> User/Group Name has similar issues I guess, but much harder
to cover (as the kernel generally doesn't have visibility of user
names).
Leigh.
--
Leigh Purdie, Director - InterSect Alliance Pty Ltd
http://www.intersectalliance.com/
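
The race described in the message above, as an added example that is not part of the original thread and not code from the audit project. It simulates the kernel->auditd channel with a plain queue; every function name, the file names and the event layout are hypothetical.

```python
import os
import tempfile
from collections import deque

def resolve_inode(root, dev, ino):
    """Late userspace lookup: scan root for a name matching (dev, ino)."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except FileNotFoundError:
                continue  # entry vanished while we were scanning
            if (st.st_dev, st.st_ino) == (dev, ino):
                return os.path.relpath(path, root)
    return None

def unlink_file(root, path):
    os.unlink(path)

def rename_file(root, path):
    os.rename(path, os.path.join(root, "moved.txt"))

def no_change(root, path):
    pass

def run_scenario(mutate):
    """Return (name recorded at event time, name resolved later from the inode)."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "secret.txt")  # constructed sample file
        with open(path, "w") as f:
            f.write("x")
        st = os.stat(path)
        queue = deque()  # stands in for the kernel->auditd channel
        queue.append({"dev": st.st_dev, "ino": st.st_ino,
                      "name_at_event": os.path.relpath(path, root)})
        mutate(root, path)  # filesystem changes before the daemon reads the event
        event = queue.popleft()
        late = resolve_inode(root, event["dev"], event["ino"])
        return event["name_at_event"], late

if __name__ == "__main__":
    for mutate in (no_change, rename_file, unlink_file):
        print(mutate.__name__, run_scenario(mutate))
```

A record that carries only the inode resolves to nothing after an unlink and to a different name after a rename, while the name captured at event time is unaffected.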