On Fri, 2005-04-01 at 08:18 -0500, Stephen Smalley wrote:
> Whenever avc_audit() generates a log message via audit_log*, the
> auditable flag is enabled, so audit_log_exit() will be called upon
> syscall exit and the exe= and comm= information will then be provided at
> that time, and can be correlated with the avc message using the
> timestamp and serial number.

Setting the auditable flag is only going to cause audit_log_exit() to be
called on syscall exit _if_ audit_syscall_exit() is actually called.
That's often in the slow path of the syscall return, and triggered only
if something like TIF_SYSCALL_AUDIT is set in the thread_info flags.
--
dwmw2
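
Added example, not part of the original message or of the kernel/auditd code: a log-side check for the case discussed above. It joins AVC records to their syscall-exit record on the timestamp and serial number, and lists AVC events for which no syscall record (and so no exe=/comm=) was emitted. The sample records are constructed, and the `type=... msg=audit(timestamp:serial)` layout is assumed.

```python
import re
from collections import defaultdict

# Constructed sample records (not taken from the thread). Event 501 has both
# an AVC and a SYSCALL record; event 502 has only the AVC record, as happens
# when the syscall-exit audit hook never runs for that task.
SAMPLE_LOG = """\
type=AVC msg=audit(1112361480.101:501): avc:  denied  { read } for  pid=2310 name="shadow" dev=hda1 ino=4711 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:shadow_t tclass=file
type=SYSCALL msg=audit(1112361480.101:501): arch=40000003 syscall=5 success=no exit=-13 pid=2310 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1112361482.377:502): avc:  denied  { write } for  pid=2399 name="resolv.conf" dev=hda1 ino=9001 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t tclass=file
"""

EVENT_ID = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Group record lines by event id (timestamp, serial), then by record type."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if m:
            rtype, stamp, serial = m.groups()
            events[(stamp, int(serial))][rtype].append(line)
    return events


def correlate(text):
    """Return (attributed, orphaned) AVC events.

    attributed: [(event_id, exe, comm)] taken from the matching SYSCALL record.
    orphaned:   [event_id] for AVC events with no SYSCALL record at all.
    """
    events = parse_events(text)
    attributed, orphaned = [], []
    for event_id in sorted(events):
        records = events[event_id]
        if "AVC" not in records:
            continue
        if "SYSCALL" in records:
            fields = dict(FIELD.findall(records["SYSCALL"][0]))
            attributed.append((event_id,
                               fields.get("exe", "").strip('"'),
                               fields.get("comm", "").strip('"')))
        else:
            orphaned.append(event_id)
    return attributed, orphaned
```

A non-empty orphaned list means some denials carry no process attribution in the log.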