On Fri, 2005-03-25 at 14:54 +0000, David Woodhouse wrote:
> All things being equal, I think I'd rather see the information added to
> the audit_context and then dumped with everything else on syscall exit.
> When doing the IPC patch I deliberately made the 'aux' list generic
> enough that it could be used for this kind of thing.
> But are there reasons why it's hard to do that here? Do we need to
> report information in contexts where we can't allocate memory (or at
> least can't deal with failure to do so)?

I don't think so; I think all callers of audit_notify_watch() can sleep
at the point of the call (unlike callers of audit_attach_watch, which
must not sleep, but that only attaches watches; it doesn't do any audit
generation). Now for SELinux avc_audit, that would be an issue, because
it cannot perform blocking allocation or otherwise deal with failures.
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency