Here is another attempt at getting closer to auditing on the future execution
of a path.

Storing the dev/inode of the path in the rule won't help us because the path
may not exist yet.

Please see the accompanying userspace patch. I don't expect the userspace
interface to change appreciably unless I've overlooked something important. I
am able to set and get rules as expected.

It will be slow because it has to do a string compare on every sys_execve()
invocation. The compare function uses the process' struct filename *. I'm
guessing a hash of the string could speed that up.

Only problem is, it doesn't work. What assumptions am I making that aren't
valid about the approach in this kernel code?

I also considered adding the path string pointer to the struct audit_field.

Any suggestions?
See (I'd use the redhat.com/archives/linux-audit links, but they don't link
across months):

"auditing syscalls made 'by' an inode?"
http://comments.gmane.org/gmane.linux.redhat.security.audit/4255

"audit: audit on the future execution of a binary."
http://comments.gmane.org/gmane.linux.redhat.security.audit/4388

"Support for auditing on the actions of a not-yet-executed process."
http://comments.gmane.org/gmane.linux.redhat.security.audit/4389

"Excluding events by command"
http://comments.gmane.org/gmane.linux.redhat.security.audit/4428
Richard Guy Briggs (1):
audit: audit on the future execution of a binary.
include/linux/audit.h | 1 +
include/uapi/linux/audit.h | 2 ++
kernel/auditfilter.c | 35 +++++++++++++++++++++++++++++++++++
kernel/auditsc.c | 35 +++++++++++++++++++++++++++++++++++
4 files changed, 73 insertions(+), 0 deletions(-)
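As an added illustration of the approach the cover letter describes (this is not code from the patch series, and the rule table, function names and FNV-1a hash are my own assumptions): a userspace model of an exec-path audit rule that stores only the path string, since no dev/inode can exist for a file that is not there yet, and matches the filename passed to execve by string compare, with a per-rule hash to skip the strcmp for rules that cannot match.

```c
/* Userspace model of the filter the cover letter describes: a rule keeps the
 * path string (no dev/inode, the file may not exist yet) and each execve
 * filename is string-compared against it.  The FNV-1a hash stored with the
 * rule is the speed-up the author guesses at: most non-matching rules are
 * rejected without a strcmp.  Added illustration, not the patch's code. */
#include <stdint.h>
#include <string.h>

struct exec_rule {
    const char *path;  /* audited pathname, e.g. "/usr/bin/passwd" */
    uint32_t hash;     /* fnv1a(path), computed once when the rule is added */
};

static struct exec_rule rules[16];
static int nrules;
static unsigned long slow_compares;  /* strcmp calls actually performed */

static uint32_t fnv1a(const char *s)
{
    uint32_t h = 2166136261u;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 16777619u; }
    return h;
}

/* Rule-add side: store path and hash; only absolute paths are accepted. */
int exec_rule_add(const char *path)
{
    if (nrules >= 16 || path[0] != '/') return -1;
    rules[nrules].path = path;
    rules[nrules].hash = fnv1a(path);
    return nrules++;
}

/* execve side: match the filename handed to execve; returns rule index or
 * -1.  The hash only skips work, strcmp still decides, so a hash collision
 * costs one extra compare but can never produce a false match. */
int exec_rule_match(const char *filename)
{
    uint32_t h = fnv1a(filename);
    for (int i = 0; i < nrules; i++) {
        if (rules[i].hash != h)
            continue;
        slow_compares++;
        if (strcmp(rules[i].path, filename) == 0)
            return i;
    }
    return -1;
}

unsigned long exec_rule_slow_compares(void) { return slow_compares; }
```

The kernel-side equivalent would compare against the `struct filename` the cover letter mentions; the hash prefilter is what turns "strcmp on every execve against every rule" into "strcmp only on a hash hit".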