On Thu, 2005-04-28 at 15:03 -0400, Stephen Smalley wrote:
> What concerns me is unclear/unstable semantics and a lack of a clear
> subdivision between this mechanism and the inode-based syscall filters:
> - Auditing may or may not be preserved on hard links when using the
> watches depending on memory pressure, reboots, or whether the watched
> name is unlinked; is always preserved for inode-based watches.
> - Auditing is never preserved for renames when using the watches; is
> always preserved for inode-based watches.
> - Auditing is automatically enabled for new files when they are created
> in watched locations when using watches; requires userspace modification
> to achieve with inode-based watches.
Sorry, terminology error - s/inode-based watches/inode-based syscall
filters/g
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency