Re: Possible performance bug
The only problem I see is when audit is re-enabled, we need a way to
start getting the TIF_SYSCALL_AUDIT flag set again for already
running processes. For example, suppose apache was of interest and
audit was disabled. The above code would remove the flag. Then when
audit is re-enabled, we need to set the flag again. I'm looking for a
low impact way of doing this. Still thinking.
Does the problem also exist when audit is first enabled? Amy and I
were talking earlier and it seemed to be the case that when audit is
enabled, only new processes get audited so it would be a general
problem any time a system is booted without audit running, not
just when audit is re-enabled. Do we have that right?
-- ljk