On Tue, 2010-11-23 at 13:25 -0500, Miloslav Trmac wrote:
----- "Eric Paris" <eparis(a)redhat.com> wrote:
> On Tue, 2010-11-23 at 13:50 +0100, Miloslav Trmač wrote:
> > Collect audited crypto operations in a list, because a single _exit()
> > can cause several AF_ALG sockets to be closed, and each needs to be
> > audited.
> >
> > Add the AUDIT_CRYPTO_OP field so that crypto operations are not audited
> > by default, but auditing can be enabled using a rule (probably
> > "-F crypto_op!=0").
>
> Just an implementation question, why a new list instead of finding a way
> to reuse struct audit_aux_data?

This remained in the code from an earlier version where the relative
order of crypto records was meaningful. In the current version the
only difference is that an AUDIT_CRYPTO_OP filter has to traverse
fewer entries.

It probably won't actually have to traverse extra entries. We shouldn't
(at least that I can think of) ever have a single syscall which is going
to have crypto, execve, signal, fcaps, etc. records simultaneously. In
any case, if you send another round, I'd suggest reuse or aux.
-Eric