On Wed, 2004-12-15 at 12:03, Timothy R. Chavez wrote:
> That seems like a pretty good idea since all the information about the
> syscall will be covered elsewhere, all we really need is a place
> where we have the inode and access to its audit data. The two places
> (maybe three? vfs_mknod?) vfs_create and vfs_mkdir (vfs_link wouldn't
> be necessary if we assume a hardlink's inode audit information is
> never overwritten ever)

Do you mean hooks for preserving audit attributes? Yes, you would still
need hooks for that purpose, but for simply enabling auditing based on
object identity, a single hook in permission may be sufficient, where
that hook would check whether the object was auditable and if so, add
the object identity and requested permission mask to a list hung off of
current->audit_context for later processing by audit_syscall_exit (in
determining whether or not to audit) and audit_log_exit (in providing
supplementary audit information in the audit record).
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency
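
The single-hook design described in the reply above, as an added user-space model that is not part of the original message and is not kernel code. All struct and function names are hypothetical, and merging the masks of repeated accesses to one object is a choice of this sketch, not something the message specifies.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAY_EXEC  1
#define MAY_WRITE 2
#define MAY_READ  4

/* Hypothetical stand-in for an inode carrying an "auditable" flag. */
struct model_inode { unsigned long ino; unsigned int dev; int auditable; };

/* One entry per auditable object touched during the current syscall. */
struct audit_obj {
    unsigned long ino; unsigned int dev; int mask;
    struct audit_obj *next;
};

/* Hypothetical stand-in for the per-task audit context. */
struct model_audit_context { struct audit_obj *objs; int nobjs; };

/* The single hook: called from the permission check on every access. */
int audit_permission_hook(struct model_audit_context *ctx,
                          const struct model_inode *inode, int mask)
{
    struct audit_obj *o;
    if (!ctx || !inode->auditable)
        return 0;                     /* fast path: nothing is recorded */
    for (o = ctx->objs; o; o = o->next)
        if (o->ino == inode->ino && o->dev == inode->dev) {
            o->mask |= mask;          /* assumption: merge repeat accesses */
            return 0;
        }
    o = malloc(sizeof(*o));
    if (!o)
        return -1;                    /* caller decides how to fail */
    o->ino = inode->ino; o->dev = inode->dev; o->mask = mask;
    o->next = ctx->objs; ctx->objs = o; ctx->nobjs++;
    return 0;
}

/* Syscall exit: an empty list means no object-based audit; otherwise
 * emit one supplementary record per object and release the list. */
int audit_exit_model(struct model_audit_context *ctx)
{
    int emitted = 0;
    while (ctx->objs) {
        struct audit_obj *o = ctx->objs;
        printf("audit: dev=%u ino=%lu mask=%#x\n",
               o->dev, o->ino, (unsigned int)o->mask);
        ctx->objs = o->next; free(o); emitted++;
    }
    ctx->nobjs = 0;
    return emitted;
}
```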