Re: best way to audit in vfs
* Timothy R. Chavez (chavezt(a)gmail.com) wrote:
I've been kind of thinking about this. Presumably, we want to
audit
both failed and successful attempts in whatever vfs function we happen
to be in. For instance, if we fall out of vfs_mkdir because
may_create returned an error, we'd like to receive an audit message
that said something like, "filename=myfile syscall= mkdir()
error=<errno>.....", but, would I want to do this by hooking each
conditional statement? Is there a better approach? The only other
one I can think of would be to have one exit point in the functions
and audit right before we exit...
You already get syscall entry/exit with audit. So all you need is the
intermediate step.
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net