On Tuesday 23 August 2005 15:49, Chris Wright wrote:
* Amy Griffis (amy.griffis(a)hp.com) wrote:
> Suggested Approach
> ------------------
> The plan proposed several weeks ago was to write a general filesystem
> event notification component for the kernel, based on the current
> auditfs patch. I think this is a mistake for several reasons.
I agree, inotify is already there, and makes sense as a basis moving
forward.
<snip>
> In order for audit to use Inotify, Inotify would need to provide:
>
> - An Inotify kernel API.
>
> - A pointer to the relevant inode struct when a filesystem event
> occurs.
>
> - The ability to begin watching a file at the moment of creation.
> Currently audit is pre-notified, via dcache hooks, when a file is
> created, moved, or deleted. This allows audit to enable or disable
> a watch on the appropriate inode. Audit would need a similar
> pre-notification, or preferably the ability to add (and possibly
> remove) watches from an Inotify event callback.
Inotify has a couple new dcache hooks, (iirc it's for delete), did you
look at those yet?
I'm happy to go with this approach. I'm ending some other work and by
Thursday should be ready to devote a lot more time to it. This is a
good start, well organized. Thanks.
-tim