On Tue, 2004-12-14 at 15:50, Serge E. Hallyn wrote:
Why can't you store the info in the current->audit record until syscall
exit, and only send a message to userspace if the syscall exit says to
do so?

Another point to keep in mind is that you ultimately want to instrument
other subsystems in the same manner as the filesystem code to capture
relevant information copied by the kernel from userspace pointers (e.g.
socket addresses), and I doubt you want to keep adding all of this
object identification information into the current audit context (and
there can be mixing, e.g. Unix domain socket interplay with the
filesystem, so you might need object identification information for
multiple kinds of objects on a single syscall).
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency