audit syscall information.

For some system calls, the arguments are passed as structures or strings in userspace memory, and only the _pointer_ is passed in the registers as an argument to the syscall. In this case, the current audit code will log the _pointer_ which is given, but will not show the _contents_ of the memory to which that pointer refers. The IPC calls are one specific instance of a case where I have already inserted a hook to log the contents of the userspace structure instead of just the pointer. Two weeks ago on our conference call, I asked if there were any other syscalls where I should add similar hooks to log the data which are actually acted upon, rather than merely the pointer. This morning I'll ask again -- are there any more system calls where we need to log anything more than the arguments to the syscall? On the call two weeks ago I pointed out the potential race condition; if we log the target of the pointer at syscall entry time, another userspace thread may change the contents of memory at that address by the time the syscall actually executes and calls copy_from_user(). This is why we have to add hooks such as the ones in the IPC code, instead of just doing extra logging in audit_syscall_entry() for certain syscalls. Just to make sure, I want to repeat the question which nobody deigned to answer at the time: are there any more system calls for which we should be adding hooks to log extra information, because the information currently recorded is not sufficient for CAPP? -- dwmw2