On Tue, 2004-12-14 at 15:50, Serge E. Hallyn wrote:
> Why can't you store the info in the current->audit record until syscall
> exit, and only send a message to userspace if the syscall exit says to
> do so?
A single syscall might trigger auditing on multiple objects, e.g.
multi-component pathname lookup where multiple components are flagged
for auditing. The audit framework was designed to allow immediate
generation of partial audit records during syscall processing that would
then enable generation of a final audit record at syscall exit, with the
ability to tie them all together via the (timestamp, serial) tuples in
userspace. That is how SELinux works with the audit subsystem; SELinux
immediately generates an audit message as appropriate from its hooks,
and this triggers generation of a final audit record for the syscall
upon exit, so you might have multiple SELinux audit messages followed by
the syscall exit one.
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency
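The correlation Stephen describes, several partial records emitted during one syscall plus a final SYSCALL record at exit, all carrying the same (timestamp, serial) tuple, is easiest to see from the userspace side. The following Python is an added example written for this page, not code from the thread or from the audit project; it assumes the standard `msg=audit(<seconds.millis>:<serial>):` record prefix, and every log line below is constructed for illustration (an open() of a file under a directory that fails on the directory search, a second syscall that succeeds, and one record whose exit record never arrived).

```python
import re

# Every kernel audit record carries a "type=... msg=audit(<ts>:<serial>):" prefix;
# the (ts, serial) tuple is the key userspace uses to stitch records of one syscall
# back together.  Sample records below are constructed, not captured from a system.
AUDIT_ID_RE = re.compile(
    r"type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)"
)

SAMPLE_LOG = """\
type=AVC msg=audit(1102993800.123:77): avc:  denied  { search } for  pid=2301 comm="cat" name="private" dev=hda3 ino=9123 scontext=user_u:user_r:user_t tcontext=system_u:object_r:etc_t tclass=dir
type=AVC msg=audit(1102993800.123:77): avc:  denied  { read } for  pid=2301 comm="cat" name="secret" dev=hda3 ino=9124 scontext=user_u:user_r:user_t tcontext=system_u:object_r:etc_t tclass=file
type=SYSCALL msg=audit(1102993800.123:77): arch=40000003 syscall=5 success=no exit=-13 a0=bffff8a0 pid=2301 comm="cat"
type=SYSCALL msg=audit(1102993800.124:78): arch=40000003 syscall=5 success=yes exit=3 a0=bffff8a0 pid=2302 comm="ls"
type=AVC msg=audit(1102993800.130:79): avc:  denied  { write } for  pid=2305 comm="vi" name="motd" dev=hda3 ino=9200 scontext=user_u:user_r:user_t tcontext=system_u:object_r:etc_t tclass=file
"""


def parse_record(line):
    """Split one audit line into its type, its (ts, serial) key and the remaining body."""
    m = AUDIT_ID_RE.match(line)
    if m is None:
        return None  # not an audit record (or a format this parser does not handle)
    return {"type": m["type"], "key": (m["ts"], int(m["serial"])), "body": m["body"]}


def group_events(lines):
    """Group records by (timestamp, serial); insertion order keeps events in arrival order."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        events.setdefault(rec["key"], []).append(rec)
    return events


def summarize(event):
    """Describe one syscall's event: which partial records preceded the exit record,
    whether the SYSCALL (exit) record is present, and the syscall outcome if it is.
    An event without a SYSCALL record is incomplete: the exit record was lost or not
    yet flushed, so its outcome is unknown rather than assumed."""
    partial = [r["type"] for r in event if r["type"] != "SYSCALL"]
    syscall = next((r for r in event if r["type"] == "SYSCALL"), None)
    success = None
    if syscall is not None:
        m = re.search(r"\bsuccess=(yes|no)\b", syscall["body"])
        success = (m.group(1) == "yes") if m else None
    return {"partial": partial, "has_syscall": syscall is not None, "success": success}


if __name__ == "__main__":
    for key, recs in group_events(SAMPLE_LOG.splitlines()).items():
        print(key, summarize(recs))
```

Serial 77 shows the multi-component case from the mail: two AVC messages (the directory search, then the file read) tied to one SYSCALL record by the shared key; serial 78 is a syscall that produced no partial records; serial 79 is flagged as incomplete because no exit record carries its key.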